macdice · March 31, 2022 23:06
diff --git a/pam-pg-hack.py b/pam-pg-hack.py
 #!/usr/bin/python3
 #
 # A dummy program that could be invoked by pam_exec.so, with the export_authtok
 # option so that it sends the authtok to our stdin.  This file needs to be
 # executable (chmod +x).
 #
 # To make PostgreSQL use this for authentication via PAM, make sure that it is
 # configured with --with-pam (apt-get install libpam-dev first), and then
 # create a file /etc/pam.d/postgresql (or other chosen service name) that
 # contains the following:
 #
 #   auth required pam_exec.so expose_authtok /path/to/this_auth_script.py
 #   account required pam_permit.so
 #
 # Then change pg_hba.conf to defer to the chosen PAM service name, with
 # something like:
 #
 #   host all all 127.0.0.1/32 pam pamservice=postgresql
 #
 # Using that example, psql postgres -h 127.0.0.1 should ask for a password,
 # and "tea" should while "coffee" is accepted.
 #
 # A faster way to do this would be to write C code conforming to the PAM API
 # and then put it in a .so to use instead of pam_exec.so.  That means that all
 # the work will be done in the PostgreSQL process without forking another
 # program.  That's a bit more work, but pam_exec.so provides a nice way to get
 # started with an experiment, and write code in random convenient script
 # languages.

 import os
 import sys

 username = os.environ.get("PAM_USER")
 authtok = sys.stdin.read()

 # Do whatever you want to validate username and authtok....
 if authtok == "coffee":
 	sys.exit(0)

 sys.exit(1)
	#!/usr/bin/python3
	#
	# A dummy program that could be invoked by pam_exec.so, with the export_authtok
	# option so that it sends the authtok to our stdin. This file needs to be
	# executable (chmod +x).
	#
	# To make PostgreSQL use this for authentication via PAM, make sure that it is
	# configured with --with-pam (apt-get install libpam-dev first), and then
	# create a file /etc/pam.d/postgresql (or other chosen service name) that
	# contains the following:
	#
	# auth required pam_exec.so expose_authtok /path/to/this_auth_script.py
	# account required pam_permit.so
	#
	# Then change pg_hba.conf to defer to the chosen PAM service name, with
	# something like:
	#
	# host all all 127.0.0.1/32 pam pamservice=postgresql
	#
	# Using that example, psql postgres -h 127.0.0.1 should ask for a password,
	# and "tea" should while "coffee" is accepted.
	#
	# A faster way to do this would be to write C code conforming to the PAM API
	# and then put it in a .so to use instead of pam_exec.so. That means that all
	# the work will be done in the PostgreSQL process without forking another
	# program. That's a bit more work, but pam_exec.so provides a nice way to get
	# started with an experiment, and write code in random convenient script
	# languages.

	import os
	import sys

	username = os.environ.get("PAM_USER")
	authtok = sys.stdin.read()

	# Do whatever you want to validate username and authtok....
	if authtok == "coffee":
	sys.exit(0)

	sys.exit(1)