October 22, 2024
C++

PAM pam_prompt function returning conversation failed error if called from pam_sm_open_session


I am trying to create a custom PAM module that checks the number of sessions a user has and, if the user has the right permissions, offers to kill a session. I am trying to give the user a prompt with a list of sessions and offer to kill one of them.

But if I try to call pam_prompt(…) inside pam_sm_open_session, where all the other logic is implemented, I just get a conversation failed error. I have also tried calling pam_prompt from pam_sm_authenticate, and there it worked.

Example:

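#include <stdlib.h>
#include <string.h>
#include <security/pam_modules.h>
#include <security/pam_ext.h>

/* PAM entry point for session creation */
DLL_EXPORT int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user;
    int res;

    res = pam_get_user(pamh, &user, NULL);
    if (res != PAM_SUCCESS || user == NULL)
    {
      return PAM_USER_UNKNOWN;
    }

    // get user session and permissions

    if (num_sessions > MAX_ALLOWED_SESSIONS_PER_USER)
    {
        if (user_has_permissions)
        {
            char *session_id = NULL;
            res = pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &session_id, "...", ...);
            if (res != PAM_SUCCESS || session_id == NULL)
            {
                // prompt failed: there is no answer to act on
                return PAM_SESSION_ERR;
            }

            if (!strcmp(session_id, "exit"))
            {
                free(session_id); // the response is owned by the module
                return PAM_SESSION_ERR;
            }
            else
            {
                // kill session
                free(session_id);
                return PAM_SUCCESS;
            }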
        }
        else
        {
            return PAM_SESSION_ERR;
        }
    }
    else
    {
        return PAM_SUCCESS;
    }
}

I have tried adding pam_authenticate and pam_open_session calls before prompting but they both resulted in an error.

For a test I have also tried pam_prompt(pamh, PAM_TEXT_INFO, NULL, "..."); and that resulted in successful execution, but nothing was printed out.
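
pam_prompt passes its message to the conversation callback that the calling application registered (the PAM_CONV item), so the code it returns is decided by that callback. The following is an added example, not code from the original post: `ask_app`, `conv_answers`, `conv_refuses` and the prompt text are hypothetical names and constructed stand-ins for a module-side helper and two application callbacks, showing how a refusal from the application reaches the module and how the module can fail closed.

```c
#include <stdlib.h>
#include <string.h>
#if defined(__has_include) && __has_include(<security/pam_appl.h>)
#include <security/pam_appl.h>
#else /* Linux-PAM's definitions, repeated only so this builds without its headers */
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv { int (*conv)(int, const struct pam_message **,
                              struct pam_response **, void *); void *appdata_ptr; };
enum { PAM_SUCCESS = 0, PAM_SYSTEM_ERR = 4, PAM_CONV_ERR = 19, PAM_PROMPT_ECHO_ON = 2 };
#endif

/* Module side (hypothetical helper): one prompt through the callback, failing closed. */
static int ask_app(const struct pam_conv *conv, const char *text, char **answer)
{
    struct pam_message msg = { .msg_style = PAM_PROMPT_ECHO_ON, .msg = text };
    const struct pam_message *msgs[1] = { &msg };
    struct pam_response *resp = NULL;
    *answer = NULL;
    if (conv == NULL || conv->conv == NULL)
        return PAM_SYSTEM_ERR;              /* no callback registered */
    int rc = conv->conv(1, msgs, &resp, conv->appdata_ptr);
    if (rc == PAM_SUCCESS && (resp == NULL || resp->resp == NULL))
        rc = PAM_CONV_ERR;                  /* success without an answer is unusable */
    if (rc == PAM_SUCCESS)
        *answer = resp->resp;               /* caller frees */
    else if (resp != NULL)
        free(resp->resp);
    free(resp);
    return rc;
}

/* Constructed application callback that can reach the user; appdata is the typed reply. */
static int conv_answers(int n, const struct pam_message **m, struct pam_response **r, void *data)
{
    (void)m;
    if (n != 1 || (*r = calloc(1, sizeof **r)) == NULL)
        return PAM_CONV_ERR;
    if (((*r)->resp = malloc(strlen(data) + 1)) == NULL)
        return PAM_CONV_ERR;
    strcpy((*r)->resp, data);
    return PAM_SUCCESS;
}

/* Constructed application callback with no way to reach the user: it refuses. */
static int conv_refuses(int n, const struct pam_message **m, struct pam_response **r, void *data)
{
    (void)n; (void)m; (void)r; (void)data;
    return PAM_CONV_ERR;
}
```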


