# python-pam
Python PAM module supporting py3 (and py2) for Linux-type systems (not Windows).

Command-line example:

```bash
[david@Scott python-pam]$ python pam/pam.py
Username: david
Password:
Auth result: Success (0)
Pam Environment List item: XDG_SEAT=seat0
Pam Environment item: XDG_SEAT=seat0
Missing Pam Environment item: asdf=None
Open session: Success (0)
Close session: Success (0)
```
Inline examples:
```python
[david@Scott python-pam]$ python
Python 3.9.7 (default, Oct 10 2021, 15:13:22)
[GCC 11.1.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pam
>>> p = pam.pam()
>>> p.authenticate('david', 'correctpassword')
True
>>> p.authenticate('david', 'badpassword')
False
>>> p.authenticate('david', 'correctpassword', service='login')
True
>>> p.authenticate('david', 'correctpassword', service='unknownservice')
False
>>> p.authenticate('david', 'correctpassword', service='login', resetcreds=True)
True
>>> p.authenticate('david', 'correctpassword', encoding='latin-1')
True
>>> print('{} {}'.format(p.code, p.reason))
0 Success
>>> p.authenticate('david', 'badpassword')
False
>>> print('{} {}'.format(p.code, p.reason))
7 Authentication failure
>>>
```
## Authentication and privileges
Please note, python-pam and *all* tools that do authentication follow two rules:

* You have root (or privileged access): you can check any account's password for validity
* You don't have root: you can only check the validity of the username running the tool

If you need to authenticate multiple users, you must use an authentication stack that at some stage has privileged access. On Linux systems one example of doing this is using SSSD.

Typical Linux installations check against `/etc/shadow` with `pam_unix.so`, which will spawn `/usr/bin/unix_chkpwd` to verify the password. Both of these are intentionally written to meet the above two rules. You can test the functionality of `unix_chkpwd` in the following manner:

Replace `good` with the correct password, replace `david` with your appropriate username.

```
~$ mkfifo /tmp/myfifo
~$ (echo -ne 'good\0' > /tmp/myfifo & /usr/bin/unix_chkpwd david nullok < /tmp/myfifo ) ; echo $?
0
~$ (echo -ne 'bad\0' > /tmp/myfifo & /usr/bin/unix_chkpwd david nullok < /tmp/myfifo ) ; echo $?
7
~$ (echo -ne 'good\0' > /tmp/myfifo & /usr/bin/unix_chkpwd someotheruser nullok < /tmp/myfifo ) ; echo $?
9
```
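
The two rules above mean that a `False` from `authenticate()` is not always a verdict on the password. The following added example (not part of python-pam or its README) classifies a failed attempt accordingly; `check_password`, `running_identity` and `FakeAuthenticator` are hypothetical names, and uid 0 is assumed to stand in for "privileged access".

```python
import os
import pwd

PAM_AUTH_ERR = 7  # "Authentication failure", the code shown in the session above


def running_identity():
    """Return (uid, username) of the account this process runs as."""
    uid = os.getuid()
    return uid, pwd.getpwuid(uid).pw_name


def check_password(auth, username, password, service="login", identity=None):
    """Classify one attempt as 'valid', 'rejected', 'unverifiable' or 'error'.

    auth is any object offering authenticate(), code and reason, such as the
    object `p` in the interactive session above.
    """
    uid, me = identity if identity is not None else running_identity()
    if auth.authenticate(username, password, service=service):
        return "valid", auth.code, auth.reason
    # Assumption: uid 0 stands in for "privileged access".
    if uid != 0 and username != me:
        # Unprivileged check of another account: the failure says nothing
        # about whether the supplied password is correct.
        return "unverifiable", auth.code, auth.reason
    if auth.code == PAM_AUTH_ERR:
        return "rejected", auth.code, auth.reason
    return "error", auth.code, auth.reason


class FakeAuthenticator:
    """Constructed stand-in so the example runs without a PAM stack."""

    def __init__(self, accounts, fail=(7, "Authentication failure")):
        self.accounts = accounts  # username -> password (constructed data)
        self.fail = fail          # (code, reason) reported on failure
        self.code, self.reason = None, None

    def authenticate(self, username, password, service="login"):
        ok = self.accounts.get(username) == password
        self.code, self.reason = (0, "Success") if ok else self.fail
        return ok
```

With the real library, pass the authenticator object in place of `FakeAuthenticator` and leave `identity` unset so the process's own uid and username are used.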
Raw data
{
"_id": null,
"home_page": "https://github.com/FirefighterBlu3/python-pam",
"name": "python-pam",
"maintainer": "",
"docs_url": null,
"requires_python": "",
"maintainer_email": "",
"keywords": "",
"author": "David Ford",
"author_email": "david@blue-labs.org",
"download_url": "https://files.pythonhosted.org/packages/6a/da/879f1c849e886b783239b8a4710daac73535ba2cfcf672ee4548543e3a74/python-pam-2.0.2.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "License :: OSI Approved :: MIT License",
"summary": "Python PAM module using ctypes, py3",
"version": "2.0.2",
"split_keywords": [],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "9b2d9fbb3bd686a474d76fbd0b79abdcc016f3da760b1d1c2048bf4c611a4939",
"md5": "4b9adc75fa9638b7e8dd62f311f1bbc0",
"sha256": "4ac51dd8953ac59aa45505882b565eef6a22e0423dcf25d63369902080416c20"
},
"downloads": -1,
"filename": "python_pam-2.0.2-py3-none-any.whl",
"has_sig": false,
"md5_digest": "4b9adc75fa9638b7e8dd62f311f1bbc0",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": null,
"size": 10658,
"upload_time": "2022-03-18T00:32:07",
"upload_time_iso_8601": "2022-03-18T00:32:07.802785Z",
"url": "https://files.pythonhosted.org/packages/9b/2d/9fbb3bd686a474d76fbd0b79abdcc016f3da760b1d1c2048bf4c611a4939/python_pam-2.0.2-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "6ada879f1c849e886b783239b8a4710daac73535ba2cfcf672ee4548543e3a74",
"md5": "1ee6201b3a696d3e022d67643547496c",
"sha256": "97235235ba9b82dbae8068d1099508455949b275f77273ca22fdbd8b1fb5d950"
},
"downloads": -1,
"filename": "python-pam-2.0.2.tar.gz",
"has_sig": false,
"md5_digest": "1ee6201b3a696d3e022d67643547496c",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 11439,
"upload_time": "2022-03-18T00:32:09",
"upload_time_iso_8601": "2022-03-18T00:32:09.856609Z",
"url": "https://files.pythonhosted.org/packages/6a/da/879f1c849e886b783239b8a4710daac73535ba2cfcf672ee4548543e3a74/python-pam-2.0.2.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2022-03-18 00:32:09",
"github": true,
"gitlab": false,
"bitbucket": false,
"github_user": "FirefighterBlu3",
"github_project": "python-pam",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [
{
"name": "six",
"specs": []
},
{
"name": "toml",
"specs": []
}
],
"lcname": "python-pam"
}