This modifies pam_exec to export PAM_AUTHTOK. This is the password that has been passed to pam. My reason for starting work on this is that things that require a password to perform can happen. My purpose for creating this is to allow mounting of a user's Samba home directory from a script using pam_exec.

In regards to mount_smbfs, I will be needing to do some work to allow a password to be specified by a specified environmental variable.

This includes an update for the man file as well that notes the new environmental variable.

Tested on releng_6, but should work perfectly well on 7 as what is being changed is exactly the same on both versions.

How-To-Repeat:

1: don't apply patch yet...
2:
3: touch /etc/pam.d/test
4: do whatever to the test service, but make sure it has this line
   "auth sufficient pam_exec.so /tmp/pam-test"
5: put this in /tmp/pam-test
     #!/bin/sh
     /usr/bin/env > /tmp/pam-test
6: download http://vvelox.net/src/perl/pam-pwcheck
7: setenv PAMPWCHECKuser user
8: setenv PAMPWCHECKpass password
9: ./pam-pwcheck -s test
10: cat /tmp/pam-test and notice PAM_AUTHTOK is not present
11: apply diffs
12: rerun 9 and notice /tmp/pam-test now contains PAM_AUTHTOK=password
13: enjoy

Passing authentication tokens through environment variables or command line arguments is considered poor security practice. It would be a better idea to add an option that tells pam_exec(8) to pipe PAM_AUTHTOK and / or PAM_OLDAUTHTOK to the program's standard input.
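
What the stdin approach suggested in the reply above involves on the calling side, as an added example that is not pam_exec's code and not part of either message: the token is written to a pipe that becomes the program's standard input, and nothing is placed in its environment or argument list. The function name run_with_token_on_stdin is hypothetical.

```c
#include <signal.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not from pam_exec): run argv[0] with `token` on its
 * stdin. Returns the program's exit status, or -1 on failure. */
int run_with_token_on_stdin(char *const argv[], const char *token)
{
    int fds[2], status;
    pid_t pid;

    if (pipe(fds) == -1)
        return -1;
    if ((pid = fork()) == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: the read end becomes stdin; environ and argv carry no token. */
        close(fds[1]);
        if (fds[0] != STDIN_FILENO) {
            if (dup2(fds[0], STDIN_FILENO) == -1)
                _exit(126);
            close(fds[0]);
        }
        execv(argv[0], argv);
        _exit(127); /* exec failed */
    }
    /* Parent: write the token, then close so the child sees EOF. */
    close(fds[0]);
    void (*old)(int) = signal(SIGPIPE, SIG_IGN); /* child may exit unread */
    size_t left = strlen(token);
    while (left > 0) {
        ssize_t n = write(fds[1], token, left);
        if (n <= 0)
            break; /* EPIPE or other error: stop writing, still reap child */
        token += n;
        left -= (size_t)n;
    }
    close(fds[1]);
    signal(SIGPIPE, old);
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

The receiving program reads the token from standard input (for a shell script, `read -r`) instead of looking it up in its environment.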