@macdice
Created March 31, 2022 23:06
Quick example of using PAM for arbitrary external PostgreSQL authentication
#!/usr/bin/python3
#
# A dummy program that could be invoked by pam_exec.so, with the expose_authtok
# option so that it sends the authtok to our stdin. This file needs to be
# executable (chmod +x).
#
# To make PostgreSQL use this for authentication via PAM, make sure that it is
# configured with --with-pam (apt-get install libpam-dev first), and then
# create a file /etc/pam.d/postgresql (or other chosen service name) that
# contains the following:
#
# auth required pam_exec.so expose_authtok /path/to/this_auth_script.py
# account required pam_permit.so
#
# Then change pg_hba.conf to defer to the chosen PAM service name, with
# something like:
#
# host all all 127.0.0.1/32 pam pamservice=postgresql
#
# Using that example, psql postgres -h 127.0.0.1 should ask for a password,
# and "tea" should be rejected while "coffee" is accepted.
#
# A faster way to do this would be to write C code conforming to the PAM API
# and then put it in a .so to use instead of pam_exec.so. That means that all
# the work will be done in the PostgreSQL process without forking another
# program. That's a bit more work, but pam_exec.so provides a nice way to get
# started with an experiment, and write code in random convenient script
# languages.
import os
import sys

# pam_exec.so exports the PAM user name as the PAM_USER environment variable.
username = os.environ.get("PAM_USER")
# With expose_authtok, pam_exec.so writes the password to our stdin.
authtok = sys.stdin.read()
# Do whatever you want to validate username and authtok....
# Exit status 0 means "authenticated"; anything else is a failure.
if authtok == "coffee":
    sys.exit(0)
sys.exit(1)
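As an added example (not part of macdice's gist), here is what the same pam_exec.so hook looks like once the hard-coded "coffee" check is replaced by something closer to a real validator: the script compares PAM_USER and the authtok from stdin against a salted PBKDF2-HMAC-SHA256 credential store using a constant-time comparison, hashes against a dummy record for unknown users so that user existence is not revealed by timing, and only answers the "auth" phase. The in-memory CREDENTIALS store, the user "alice", the function names and the ITERATIONS value are all assumptions standing in for whatever external system you would actually consult; the trailing newline/NUL stripping is a defensive assumption about how pam_exec.so terminates the token it writes.

```python
#!/usr/bin/python3
# Added example, not the gist author's code: a pam_exec.so authenticator
# (auth required pam_exec.so expose_authtok /path/to/this_script.py) that
# validates PAM_USER plus the authtok from stdin against a salted hash store.
import hashlib
import hmac
import os
import secrets
import sys
from typing import Dict, Optional

# PBKDF2-HMAC-SHA256 work factor (assumed value; tune for your hardware).
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte PBKDF2-HMAC-SHA256 digest for password under salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> Dict[str, bytes]:
    """Create a credential record with a fresh random 16-byte salt."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed sample store (assumption: stands in for an external database,
# directory or API you would really query). "alice" can log in with "coffee".
CREDENTIALS: Dict[str, Dict[str, bytes]] = {
    "alice": make_record("coffee"),
}

# Dummy record so that an unknown user costs one PBKDF2 round like a known one;
# otherwise the response time would reveal which user names exist.
_DUMMY = make_record(secrets.token_hex(16))


def normalize_authtok(raw: bytes) -> str:
    """Decode the token pam_exec.so wrote to stdin.

    Assumption: depending on the Linux-PAM version a trailing newline or NUL
    may follow the password, so strip those defensively before comparing.
    """
    return raw.rstrip(b"\n\0").decode("utf-8", errors="replace")


def verify(username: Optional[str], authtok: str,
           store: Dict[str, Dict[str, bytes]] = CREDENTIALS) -> bool:
    """Return True only if username exists in store and authtok matches."""
    if not username:
        return False
    record = store.get(username, _DUMMY)
    candidate = hash_password(authtok, record["salt"])
    # hmac.compare_digest avoids leaking the first mismatching byte via timing.
    matched = hmac.compare_digest(candidate, record["hash"])
    return matched and username in store


def main() -> int:
    # pam_exec.so exports PAM_TYPE; refuse to answer for anything but "auth"
    # (the account phase in the gist is handled by pam_permit.so instead).
    if os.environ.get("PAM_TYPE", "auth") != "auth":
        return 1
    username = os.environ.get("PAM_USER")
    authtok = normalize_authtok(sys.stdin.buffer.read())
    # Exit status 0 = authenticated, 1 = rejected (that is what pam_exec reads).
    return 0 if verify(username, authtok) else 1


if __name__ == "__main__":
    sys.exit(main())
```

The script still runs as the PostgreSQL server user and receives the cleartext password over a pipe, exactly as the gist's version does, so the same deployment cautions apply: keep the file executable only by that user, and protect the client connection (for example with TLS) because the pam method, like password, transmits the password in clear text to the server.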