current community

your communities

more stack exchange communities

Stack Exchange
tour help
Take the 2-minute tour ×
Unix & Linux Stack Exchange is a question and answer site for users of Linux, FreeBSD and other Un*x-like operating systems.. It's 100% free, no registration required.
up vote 2 down vote favorite
1

I have an application that runs on a Linux box. The application stores all its user information (like - username, password, ssh-allowed, etc) in an sqlite3 database as follows.

username        password        ssh-allowed
admin           X               y   
regularuser     X               n

The application users will login to a GUI to use the application. But all the application users who have their ssh-allowed as y are allowed to login to the Linux box using ssh. Other application users (with ssh-allowed as n) are not allowed to login to the Linux box using ssh.

So in the above case admin user will be allowed to ssh to the Linux box but regularuser will be denied ssh access to the Linux box.

W.r.t the GUI, in order to perform authentication using PAM for user info stored in sqlite, I use libpam-sqlite. Actually, I have modified it to work with sqlite3 database and it is available here.

Now to the question: When an application user attempts to login to the Linux box, How can I perform authentication and then decide to either allow or deny ssh access based on the ssh-allowed parameter that is stored in the sqlite3 database using PAM (or any other way)?

Please NOTE: All the user info is store in the sqlite3 database only and NOT in /etc/passwd, /etc/shadow, /etc/group files. IOW the application does not have rights to add/remove records in the /etc files.

NOTE2: I had the same question posted in SO; thought this is a better forum for Linux related questions.

share|improve this question
    
You usually don't want to cross post the same Q on multiple SE sites, it's a reason for us to close it here, usually a reason on the other SE sites. You might want to pick one site and close it on the other. This site is likely the better place for it. Please go ahead and close the SO one. –  slm Feb 13 '14 at 0:45

1 Answer 1

up vote 1 down vote

pam_exec

I think you can do what you want using the PAM module pam_exec. PAM items are passed to a script that is defined to run as environment variables. Here's an example notification script that shows the variables being passed in:

Setup

#!/bin/sh
[ "$PAM_TYPE" = "open_session" ] || exit 0
# echo "User: $PAM_USER"
# echo "Ruser: $PAM_RUSER"
# echo "Rhost: $PAM_RHOST"
# echo "Service: $PAM_SERVICE"
# echo "TTY: $PAM_TTY"

result=$(sqlite3 /path/to/file.db \
    "select ssh-allow from sometable where user = \"$PAM_USER\"")

if [ "$results" == "y" ]; then
  ...login...
else
  ...no login...
fi

You then create a corresponding PAM rule like this:

session    optional     pam_exec.so /usr/local/bin/checkssh-login

A script using this approach could be crafted that could perform a look up in your sqlite database file using the user's name that was passed in as $PAM_USER. If that user is allowed to SSH in, then the script could simply drop through, otherwise it could block the user from continuing on with their login attempt.

References

share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.