A minimalist PAM password auth server
This server is intended to build a secure bridge between a Linux server's PAM user authentication system and any application that needs to authenticate users.
Pamserver creates a unix socket on which it listens for username/password pairs encoded as JSON, like so:
{
  "username": "jdoe",
  "password": "topsecret"
}
The reference client is available as pamclient.
For full access to PAM, the server must run as root.
To make the PAM server reachable over the network, use the unix socket as the backend of an appropriately secured SSL/TLS server such as stunnel.
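As an added example (not the project's pamclient or pamserver code), the following client sends the JSON request shown above over the unix socket and returns the server's reply as raw bytes, since pamserver's reply format is not documented here. It assumes the server reads the request until EOF and answers on the same connection; the bundled fake_pamserver is a constructed stand-in that checks an in-memory dict instead of PAM so the round trip runs offline without root. Before sending credentials the client verifies that the socket file is owned by root (or the current user), so a socket planted by another local user is refused.

```python
import json
import os
import socket
import stat
import tempfile
import threading

def check_socket(sock_path):
    """Refuse to send credentials to a socket file not owned by root or by us."""
    st = os.lstat(sock_path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{sock_path} is not a unix socket")
    if st.st_uid not in (0, os.getuid()):  # pamserver itself runs as root
        raise PermissionError(f"{sock_path} is owned by uid {st.st_uid}")

def authenticate(sock_path, username, password):
    """Send one {"username", "password"} JSON request and return the raw reply."""
    check_socket(sock_path)
    request = json.dumps({"username": username, "password": password}).encode()
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(request)
        s.shutdown(socket.SHUT_WR)  # assumption: the server reads until EOF
        return s.makefile("rb").read()

def fake_pamserver(sock_path, credentials, ready):
    """Constructed stand-in for pamserver: a dict instead of PAM, replies OK/FAIL."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(sock_path)
        os.chmod(sock_path, 0o600)  # only the socket owner may connect
        srv.listen(1)
        ready.set()
        conn, _ = srv.accept()
        with conn:
            req = json.loads(conn.makefile("rb").read())
            user, pw = req.get("username"), req.get("password")
            ok = isinstance(pw, str) and credentials.get(user) == pw
            conn.sendall(b"OK" if ok else b"FAIL")

def demo(username, password):
    """One round trip against the fake server on a throwaway socket path."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pamserver.sock")
        ready = threading.Event()
        t = threading.Thread(target=fake_pamserver, args=(path, {"jdoe": "topsecret"}, ready), daemon=True)
        t.start()
        ready.wait()
        reply = authenticate(path, username, password)
        t.join()
    return reply
```

The 0o600 mode on the socket is the server-side counterpart of the ownership check: on Linux, connecting to a unix socket requires write permission on the socket file, so the mode decides which local users may submit credentials at all.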
Dependencies:
- simplepam
Usage:
$ ./pamserver.py -h
usage: pamserver.py [-h] [--config CONFIGFILE] [--sock SOCKFILE]
                    [--pid PIDFILE] [--syslog] [--no-syslog] [--no-pid]

optional arguments:
  -h, --help           show this help message and exit
  --config CONFIGFILE  The config file
  --sock SOCKFILE      Pass to customize the sockfile location
  --pid PIDFILE        Pass to customize the pidfile location
  --syslog             Pass to turn on logger to syslog
  --no-syslog          Pass to turn off logger to syslog
  --no-pid             Pass to turn off pidfile

$ ./pamclient.py -h
usage: pamclient.py [-h] sock

positional arguments:
  sock        the socket file

optional arguments:
  -h, --help  show this help message and exit
Generating certificates for stunnel:
cd stunnel
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.0-rc2/EasyRSA-3.0.0-rc2.tgz
# the tarball unpacks into a top-level EasyRSA-3.0.0-rc2/ directory, so create
# the target directory first and strip that top-level component
mkdir -p easyrsa
tar -xf EasyRSA-3.0.0-rc2.tgz -C easyrsa --strip-components=1
cd easyrsa/
./easyrsa init-pki
./easyrsa build-ca
./easyrsa build-server-full server-cert
./easyrsa build-client-full client-cert
This creates a CA, a server certificate and a client certificate that work with the stunnel example config.
TODO:
- chroot implementation
- stunnel sample config
- Systemd service and init files
License: BSD 3-clause.