Test PAM service authentication (auth + account stacks) for a user, interactively, from the command line
/*
Needs pam-devel on Fedora to build
Build cmd: gcc -o check_user check_user.c -lpam -lpam_misc   (libraries after the source file, or an --as-needed linker drops them)
Adapted from the example in Linux-PAM_ADG.txt (the Linux-PAM Application Developers' Guide)
Originally contributed by Shane Watts
*/
#include <security/pam_appl.h>
#include <security/pam_misc.h>
#include <stdio.h>
/*
 * Conversation callback handed to pam_start().  misc_conv (libpam_misc,
 * see pam_misc.h) services the modules' prompts on the terminal, so this
 * tool is meant to be run interactively.  No application data is attached.
 */
static struct pam_conv conv = {
    .conv = misc_conv,
    .appdata_ptr = NULL,
};
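/*
 * Entry point: run the "auth" and "account" stacks of a PAM service for one
 * user and report the result.
 *
 * Usage: check_user [username [service]]
 *   username  account to test (default "nobody")
 *   service   PAM service name, i.e. a file under /etc/pam.d (default "system-auth")
 *
 * Prints "Authenticated" or "Not Authenticated" on stdout; the PAM reason for
 * a failure goes to stderr.  Exit status is 0 when both pam_authenticate()
 * and pam_acct_mgmt() succeed, 1 otherwise (usage error, pam_start() or
 * pam_end() failure included).
 *
 * NOTE(review): pam_unix typically needs root (or its setuid helper) to
 * verify another account's password, so running this unprivileged for a user
 * other than yourself may report "Not Authenticated" regardless of the
 * password -- confirm on the target system before trusting a negative result.
 */
int main(int argc, char *argv[])
{
    pam_handle_t *pamh = NULL;
    const char *user = "nobody";
    const char *service = "system-auth";
    int retval;

    if (argc > 3) {
        fprintf(stderr, "Usage: check_user [username [service]]\n");
        return 1;
    }
    if (argc >= 2) {
        user = argv[1];
    }
    if (argc == 3) {
        service = argv[2];
    }

    /* NOTE(review): a misspelled service name is not necessarily rejected
       here -- Linux-PAM is commonly configured to fall back to the "other"
       stack -- so double-check the name if the outcome looks surprising. */
    retval = pam_start(service, user, &conv, &pamh);
    if (retval != PAM_SUCCESS) {
        /* There is no handle to release; calling pam_end() on NULL would
           fail on its own and mask the real cause.  pam_strerror() accepts
           a NULL handle. */
        fprintf(stderr, "check_user: pam_start failed: %s\n",
                pam_strerror(pamh, retval));
        return 1;
    }

    /* flags == 0: PAM_DISALLOW_NULL_AUTHTOK is not set, so whether an empty
       password is accepted is left entirely to the service configuration
       (e.g. "nullok" on pam_unix); PAM_SILENT is not set, so modules may
       print messages through the conversation. */
    retval = pam_authenticate(pamh, 0);          /* does the user prove who they are? */
    if (retval == PAM_SUCCESS) {
        retval = pam_acct_mgmt(pamh, 0);         /* is the account allowed in? */
    }

    if (retval == PAM_SUCCESS) {
        fprintf(stdout, "Authenticated\n");
    } else {
        fprintf(stdout, "Not Authenticated\n");
        /* stdout keeps the original one-line contract; the concrete PAM
           error (auth error, expired account, permission denied, ...) is
           what an operator debugging a stack actually needs. */
        fprintf(stderr, "check_user: %s\n", pam_strerror(pamh, retval));
    }

    /* Pass the final status to pam_end() so modules can run their cleanup
       for that outcome. */
    if (pam_end(pamh, retval) != PAM_SUCCESS) {
        fprintf(stderr, "check_user: failed to release authenticator\n");
        return 1;
    }
    pamh = NULL;

    return retval == PAM_SUCCESS ? 0 : 1;
}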
# PAM service stack as pasted in the gist (layout resembles a Fedora
# system-auth with pam_yubico inserted; the C tool above defaults to the
# "system-auth" service name).
#
# Control-word reminder: "required" = must pass, stack keeps running;
# "requisite" = failure stops the stack immediately; "sufficient" = success
# ends the stack unless an earlier "required" module already failed;
# "[default=N ...]" = on any result other than the listed ones, skip the next
# N modules.
#
# ---- auth ------------------------------------------------------------------
# Always run: environment, then a fixed 2 s delay on failure (slows down
# password guessing), then the faillock pre-check.  deny=4 / unlock_time=60
# locks an account after 4 failures for only 60 s -- acceptable on a test box,
# short for production.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth deny=4 unlock_time=60
# uid < 1000 (system accounts, root): skip the pam_localuser line and go
# straight to pam_unix.
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
# User not in /etc/passwd: skip pam_unix and continue at pam_yubico.
auth [default=1 ignore=ignore success=ok] pam_localuser.so
# Local password check.  "nullok" accepts accounts whose password field is
# empty -- drop it unless such accounts are intended.
auth required pam_unix.so nullok try_first_pass
# NOTE(review): for LOCAL users this acts as a second factor: pam_unix above is
# "required", so a YubiKey success only ends the stack if the password also
# passed.  For NON-LOCAL users pam_unix was skipped, so a successful
# challenge-response here is "sufficient" on its own and no password is ever
# checked -- possession of the key alone logs in any such user that has a
# challenge-response file under chalresp_path.  If that is not intended, make
# this line "required" and place it after pam_sss (or gate it behind
# pam_localuser).  Also note the reverse gap below: a local user that also
# resolves in SSSD can pass via pam_sss without the key.
# The challenge-response secrets live under /var/yubico; that directory and
# its files should be root-owned and not group/world readable -- verify
# against pam_yubico's chalresp_path requirements on the target system.
auth sufficient pam_yubico.so mode=challenge-response chalresp_path=/var/yubico
# System accounts (uid < 1000) stop here; no SSSD lookup for them.
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
# SSSD password check (forward_pass leaves the entered password on the stack
# for later modules).  Because it is "sufficient", a local user whose
# password passed pam_unix but whose YubiKey step failed still succeeds here
# if the same account also exists in SSSD with the same password.
auth sufficient pam_sss.so forward_pass
# Record the failure for faillock, then deny explicitly.
auth required pam_faillock.so authfail deny=4 unlock_time=60
auth required pam_deny.so
# ---- account ---------------------------------------------------------------
# faillock lock state and pam_unix account checks apply to everyone; local
# users and system accounts are then accepted, the rest are decided by SSSD
# (unknown users are ignored there and fall through to pam_permit).
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
# ---- password --------------------------------------------------------------
# Quality rules first (local accounts only), then the local shadow update
# (sha512; "nullok" again allows setting/keeping an empty password), then
# SSSD; anything else is denied.
password requisite pam_pwquality.so try_first_pass local_users_only
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
# ---- session ---------------------------------------------------------------
# Leading "-" on the pam_systemd line: silently skip the module if it is not
# installed.  The pam_succeed_if line skips the next module (pam_unix session
# logging) when the calling service is crond.
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
arouene commented Aug 2, 2018

Used to test YubiKey authentication configured in challenge-response mode (pam_yubico mode=challenge-response) against a PAM service stack.
