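Implementing SSH factor authentication with PAM_Python: Python 3 version
For now pam_python only works cleanly with Python 2. Under Python 3, getting it installed is a problem.
Environment: CentOS 8.3
Python version: Python 3.6
The PAM development package needs to be installed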
yum install pam-devel -y
Download Pam_python 1.8
wget https://nchc.dl.sourceforge.net/project/pam-python/pam-python-1.0.8-1/pam-python-1.0.8.tar.gz
tar zxvf pam-python-1.0.8.tar.gz
cd pam-python-1.0.8
First error:
[root@localhost pam-python-1.0.8]# make lib
make --directory src
make[1]: Entering directory '/root/pam-python-1.0.8/src'
gcc -O0 -Wall -Wextra -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Werror -g -o ctest ctest.c -lpam
CFLAGS=" -Wall -Wextra -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Werror -I/usr/local/lib/ " ./setup.py build --debug
/bin/sh: ./setup.py: /usr/bin/python2: bad interpreter: No such file or directory
make[1]: *** [Makefile:11: pam_python.so] Error 126
make[1]: Leaving directory '/root/pam-python-1.0.8/src'
make: *** [Makefile:6: lib] Error 2
Edit src/setup.py and change the shebang line to Python 3; the interpreter path can be adjusted to your system.
Change
#!/usr/bin/python2 -W default
to
#!/usr/bin/python3 -W default
Second error:
[root@localhost pam-python-1.0.8]# make lib
make --directory src
make[1]: Entering directory '/root/pam-python-1.0.8/src'
gcc -O0 -Wall -Wextra -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Werror -g -o ctest ctest.c -lpam
CFLAGS=" -Wall -Wextra -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Werror -I/usr/local/lib/ " ./setup.py build --debug
/usr/lib/python3.6/site-packages/setuptools/depends.py:2: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
  import imp
running build
running build_ext
building 'pam_python' extension
creating build
creating build/temp.linux-x86_64-3.6
gcc -pthread -DDYNAMIC_ANNOTATIONS_ENABLED=1 -DNDEBUG -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -D_GNU_SOURCE -fPIC -fwrapv -Wall -Wextra -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Werror -I/usr/local/lib/ -fPIC -g -DLIBPYTHON_SO="libpython3.6m.so.1.0" -I/usr/include/python3.6m -c pam_python.c -o build/temp.linux-x86_64-3.6/pam_python.o
pam_python.c:43:10: fatal error: Python.h: No such file or directory
 #include <Python.h>
          ^~~~~~~~~~
compilation terminated.
error: command 'gcc' failed with exit status 1
make[1]: *** [Makefile:11: pam_python.so] Error 1
make[1]: Leaving directory '/root/pam-python-1.0.8/src'
make: *** [Makefile:6: lib] Error 2
Install the Python 3.6 development package
yum install python36-devel
Third error:
[root@localhost pam-python-1.0.8]# make lib
make --directory src
make[1]: Entering directory '/root/pam-python-1.0.8/src'
gcc -O0 -Wall -Wextra -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Werror -g -o ctest ctest.c -lpam
CFLAGS=" -Wall -Wextra -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Werror -I/usr/local/lib/ " ./setup.py build --debug
/usr/lib/python3.6/site-packages/setuptools/depends.py:2: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
  import imp
running build
running build_ext
building 'pam_python' extension
creating build
creating build/temp.linux-x86_64-3.6
gcc -pthread -DDYNAMIC_ANNOTATIONS_ENABLED=1 -DNDEBUG -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -D_GNU_SOURCE -fPIC -fwrapv -Wall -Wextra -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Werror -I/usr/local/lib/ -fPIC -g -DLIBPYTHON_SO="libpython3.6m.so.1.0" -I/usr/include/python3.6m -c pam_python.c -o build/temp.linux-x86_64-3.6/pam_python.o
pam_python.c: In function ‘syslog_path_exception’:
pam_python.c:437:7: error: implicit declaration of function ‘PyClass_Check’; did you mean ‘PyFloat_Check’? [-Werror=implicit-function-declaration]
   if (PyClass_Check(ptype))
       ^~~~~~~~~~~~~
       PyFloat_Check
pam_python.c: In function ‘PamEnv_mp_assign’:
pam_python.c:107:26: error: implicit declaration of function ‘PyUnicode_Size’; did you mean ‘PyUnicode_Find’? [-Werror=implicit-function-declaration]
 #define Py23_String_Size PyUnicode_Size
                          ^~~~~~~~~~~~~~
pam_python.c:1172:24: note: in expansion of macro ‘Py23_String_Size’
   value_str = malloc(Py23_String_Size(key) + 1 + Py23_String_Size(value) + 1);
                      ^~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
error: command 'gcc' failed with exit status 1
make[1]: *** [Makefile:11: pam_python.so] Error 1
make[1]: Leaving directory '/root/pam-python-1.0.8/src'
Edit line 437 of pam_python.c:
//if (PyClass_Check(ptype))
if (PyFloat_Check(ptype))
PyFloat_Check is only the name the compiler suggested. It tests for float objects, so it makes the file compile but does not reproduce the old-style class check that PyClass_Check performed under Python 2.
And edit line 107 of pam_python.c:
//#define Py23_String_Size PyUnicode_Size
#define Py23_String_Size PyBytes_Size
PyBytes_Size accepts only bytes objects and returns -1 with an exception set for anything else. That value feeds the malloc size on line 1172, so this substitution is safe only if key and value are bytes objects at that point.
Fourth error:
[root@localhost pam-python-1.0.8]# make lib
make --directory src
make[1]: Entering directory '/root/pam-python-1.0.8/src'
gcc -O0 -Wall -Wextra -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Werror -g -o ctest ctest.c -lpam
CFLAGS=" -Wall -Wextra -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Werror -I/usr/local/lib/ " ./setup.py build --debug
/usr/lib/python3.6/site-packages/setuptools/depends.py:2: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
  import imp
running build
running build_ext
building 'pam_python' extension
creating build
creating build/temp.linux-x86_64-3.6
gcc -pthread -DDYNAMIC_ANNOTATIONS_ENABLED=1 -DNDEBUG -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -D_GNU_SOURCE -fPIC -fwrapv -Wall -Wextra -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Werror -I/usr/local/lib/ -fPIC -g -DLIBPYTHON_SO="libpython3.6m.so.1.0" -I/usr/include/python3.6m -c pam_python.c -o build/temp.linux-x86_64-3.6/pam_python.o
creating build/lib.linux-x86_64-3.6
gcc -pthread -shared -Wl,-z,relro -Wl,-z,now -g -Wl,-z,relro -Wl,-z,now -g -Wall -Wextra -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Werror -I/usr/local/lib/ -g build/temp.linux-x86_64-3.6/pam_python.o -L/usr/lib64 -lpam -lpython3.6 -lpython3.6m -o build/lib.linux-x86_64-3.6/pam_python.cpython-36m-x86_64-linux-gnu.so
/usr/bin/ld: cannot find -lpython3.6
collect2: error: ld returned 1 exit status
error: command 'gcc' failed with exit status 1
make[1]: *** [Makefile:11: pam_python.so] Error 1
make[1]: Leaving directory '/root/pam-python-1.0.8/src'
make: *** [Makefile:6: lib] Error 2
The libpython3.6.so file is missing.
The library is located at /usr/lib64/libpython3.6m.so.1.0
Simply make a copy of it:
cp -p /usr/lib64/libpython3.6m.so.1.0 /usr/lib64/libpython3.6.so
The build finally succeeds:
[root@localhost pam-python-1.0.8]# make lib
make --directory src
make[1]: Entering directory '/root/pam-python-1.0.8/src'
gcc -O0 -Wall -Wextra -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Werror -g -o ctest ctest.c -lpam
CFLAGS=" -Wall -Wextra -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Werror -I/usr/local/lib/ " ./setup.py build --debug
/usr/lib/python3.6/site-packages/setuptools/depends.py:2: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
  import imp
running build
running build_ext
building 'pam_python' extension
creating build
creating build/temp.linux-x86_64-3.6
gcc -pthread -DDYNAMIC_ANNOTATIONS_ENABLED=1 -DNDEBUG -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -D_GNU_SOURCE -fPIC -fwrapv -Wall -Wextra -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Werror -I/usr/local/lib/ -fPIC -g -DLIBPYTHON_SO="libpython3.6m.so.1.0" -I/usr/include/python3.6m -c pam_python.c -o build/temp.linux-x86_64-3.6/pam_python.o
creating build/lib.linux-x86_64-3.6
gcc -pthread -shared -Wl,-z,relro -Wl,-z,now -g -Wl,-z,relro -Wl,-z,now -g -Wall -Wextra -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Werror -I/usr/local/lib/ -g build/temp.linux-x86_64-3.6/pam_python.o -L/usr/lib64 -lpam -lpython3.6 -lpython3.6m -o build/lib.linux-x86_64-3.6/pam_python.cpython-36m-x86_64-linux-gnu.so
ln -sf build/lib.*/pam_python.so .
sed "s,\\\$PWD,$(pwd),g" "test-pam_python.pam.in" >"test-pam_python.pam.tmp"
mv test-pam_python.pam.tmp test-pam_python.pam
make[1]: Leaving directory '/root/pam-python-1.0.8/src'
The .so file is at
src/build/lib.linux-x86_64-3.6/pam_python.cpython-36m-x86_64-linux-gnu.so
Copy it into the /usr/lib64/security directory.
Modify the SSH configuration file:
sed -i 's#^ChallengeResponseAuthentication no#ChallengeResponseAuthentication yes#' /etc/ssh/sshd_config
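Then write any Python script to check that the module loads. Here /tmp/auth.py just displays a test message. It returns PAM_SUCCESS from every hook, so it checks only that the module is loaded and adds no authentication; for anything beyond this test, keep the script in a root-owned directory instead of /tmp.
# /tmp/auth.py: smoke test for pam_python; every hook reports success.
def pam_sm_authenticate(pamh, flags, argv):
    # Send a text message to the client through the PAM conversation.
    msg = pamh.Message(pamh.PAM_ERROR_MSG, "test!!!!!!!!!!!!!")
    pamh.conversation(msg)
    return pamh.PAM_SUCCESS

def pam_sm_setcred(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_acct_mgmt(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_open_session(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_close_session(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_chauthtok(pamh, flags, argv):
    return pamh.PAM_SUCCESS
Then set up the PAM configuration file: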
echo 'auth requisite pam_python.cpython-36m-x86_64-linux-gnu.so /tmp/auth.py' >> /etc/pam.d/sshd
Restart ssh and test:
systemctl restart sshd
Test result
Reference: https://sourceforge.net/p/pam-python/tickets/5/
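The test module above accepts every login. As an added example (not code from the original post or from the pam-python project), this is a sketch of an auth script that uses the same pam_sm_authenticate hook and conversation call to verify an RFC 6238 TOTP code and fails closed. SECRET_DIR and the helper names totp, code_ok, load_secret and authenticate are assumptions, and the sketch does not track already-used codes.

```python
import base64, hashlib, hmac, os, stat, struct, time
SECRET_DIR = "/etc/pam_totp"  # hypothetical: one root-only file per user, base32 secret

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) over raw secret bytes at Unix time `now`."""
    counter = struct.pack(">Q", max(int(now) // step, 0))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def code_ok(secret, candidate, now, window=1):
    """Accept the current 30 s step and +/- `window` steps, comparing in constant time."""
    cand = (candidate or "").strip().encode("utf-8", "replace")
    ok = False
    for drift in range(-window, window + 1):
        ok |= hmac.compare_digest(totp(secret, now + 30 * drift).encode(), cand)
    return ok

def load_secret(user, secret_dir=SECRET_DIR):
    """Return the user's secret bytes, or None if missing or not a root-only regular file."""
    if not user or "/" in user or user.startswith("."):
        return None
    path = os.path.join(secret_dir, user)
    try:
        st = os.stat(path)
        if st.st_uid != 0 or st.st_mode & 0o077 or not stat.S_ISREG(st.st_mode):
            return None
        with open(path) as fh:
            return base64.b32decode(fh.read().strip().upper())
    except (OSError, ValueError):
        return None

def authenticate(pamh, secret, now):
    """Always prompt (no hint whether the user is enrolled); deny on any failure."""
    try:
        reply = pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "Verification code: "))
    except pamh.exception:
        return pamh.PAM_AUTH_ERR
    return pamh.PAM_SUCCESS if secret and code_ok(secret, reply.resp, now) else pamh.PAM_AUTH_ERR

def pam_sm_authenticate(pamh, flags, argv):
    try:
        return authenticate(pamh, load_secret(pamh.get_user(None)), time.time())
    except Exception:  # any unexpected error denies the login
        return pamh.PAM_AUTH_ERR

def pam_sm_setcred(pamh, flags, argv):
    return pamh.PAM_SUCCESS
```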