salt.auth.pam

Authenticate against PAM

Provides an authenticate function that will allow the caller to authenticate a user against the Pluggable Authentication Modules (PAM) on the system.

Implemented using ctypes, so no compilation is necessary.

There is one extra configuration option for PAM: the PAM service that is authenticated against. This defaults to login:

auth.pam.service: login

Note

Solaris-like (SmartOS, OmniOS, ...) systems may need auth.pam.service set to other.

Note

PAM authentication will not work for the root user.

The Python interface to PAM does not support authenticating as root.

Note

This module executes itself in a subprocess in order to use the system Python and PAM libraries. We do this to avoid OpenSSL version conflicts when running under a Salt onedir build.

Note

Running salt-master as a non-root user (the 3006.x packaging default is the salt user) and using PAM eauth requires extra privileges so that PAM's unix_chkpwd helper can validate other users' passwords. unix_chkpwd refuses to authenticate users other than the caller unless the caller can read /etc/shadow. The two standard remediations are:

  1. Debian-derived distributions: add the master's user to the shadow group (e.g. usermod -a -G shadow salt) so the master process can read /etc/shadow indirectly via the setgid-shadow unix_chkpwd helper.

  2. RPM-based distributions: revert the master to run as root (user: root in /etc/salt/master); /etc/shadow cannot be made readable to a non-root group safely there.

When PAM auth fails and the master is running as a non-root user without /etc/shadow access, a CRITICAL log entry naming the cause and the two remediations is emitted (once per process). See https://github.com/saltstack/salt/issues/64275 for the full discussion.
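The note above describes a failure that is only diagnosed after a login attempt. The following is an added example, not code from the Salt project, of a preflight check an operator could run with the master's effective uid and group set: it reproduces the unix_chkpwd condition (can the caller read /etc/shadow, directly or through the shadow group) and logs the CRITICAL entry with the two remediations once per process. The function names, the uid 60000 and the temporary stand-in for /etc/shadow are constructed for the demo.

```python
import logging
import os
import stat
import tempfile

log = logging.getLogger(__name__)
_warned = False  # CRITICAL entry is emitted once per process, as the note above describes

REMEDIATIONS = (
    "Debian-derived: add the master user to the shadow group (usermod -a -G shadow salt)",
    "RPM-based: run the master as root ('user: root' in /etc/salt/master)",
)

def shadow_readable(uid, gids, shadow_path="/etc/shadow"):
    """True if a process with this uid and group set could read shadow_path.
    Root always can; membership in the file's group is what the shadow-group fix grants."""
    if uid == 0:
        return True
    st = os.stat(shadow_path)
    if st.st_uid == uid and st.st_mode & stat.S_IRUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IRGRP:
        return True
    return bool(st.st_mode & stat.S_IROTH)

def check_pam_eauth_prereqs(uid=None, gids=None, shadow_path="/etc/shadow"):
    """Preflight for PAM eauth on a non-root master: log CRITICAL once, return False if it cannot work."""
    global _warned
    uid = os.geteuid() if uid is None else uid
    gids = (set(os.getgroups()) | {os.getegid()}) if gids is None else set(gids)
    if shadow_readable(uid, gids, shadow_path):
        return True
    if not _warned:
        log.critical("PAM eauth: uid %d cannot read %s, so unix_chkpwd will refuse to validate "
                     "other users' passwords. Remediations: %s", uid, shadow_path, "; ".join(REMEDIATIONS))
        _warned = True
    return False

def demo_constructed_shadow():
    """Constructed stand-in for /etc/shadow (mode 0640, owned by us); uid 60000 is a made-up non-root uid."""
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        path = fh.name
    os.chmod(path, 0o640)
    gid = os.stat(path).st_gid
    try:
        return (shadow_readable(60000, {gid}, path), shadow_readable(60000, set(), path),
                check_pam_eauth_prereqs(60000, set(), path))
    finally:
        os.unlink(path)
```

Calling check_pam_eauth_prereqs() with no arguments checks the current process against the real /etc/shadow, which is what a master startup hook would do.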

class salt.auth.pam.PamConv

Wrapper class for pam_conv structure

appdata_ptr

Structure/Union member

conv

Structure/Union member

class salt.auth.pam.PamHandle

Wrapper class for pam_handle_t

handle

Structure/Union member

class salt.auth.pam.PamMessage

Wrapper class for pam_message structure

msg

Structure/Union member

msg_style

Structure/Union member

class salt.auth.pam.PamResponse

Wrapper class for pam_response structure

resp

Structure/Union member

resp_retcode

Structure/Union member

salt.auth.pam.auth(username, password, **kwargs)

Authenticate via PAM.

salt.auth.pam.authenticate(username, password)

Returns True if the given username and password authenticate for the configured service (auth.pam.service). Returns False otherwise.

username: the username to authenticate

password: the password in plain text

salt.auth.pam.groups(username, *args, **kwargs)

Retrieve groups for a given user for this auth provider. Uses system groups.