salt.auth.pam
Authenticate against PAM
Provides an authenticate function that will allow the caller to authenticate a user against the Pluggable Authentication Modules (PAM) on the system.
Implemented using ctypes, so no compilation is necessary.
There is one extra configuration option for PAM: auth.pam.service, the PAM service name that is authenticated against. It defaults to login:
auth.pam.service: login
Note
Solaris-like (SmartOS, OmniOS, ...) systems may need auth.pam.service set to other.
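As an added illustration (not taken from the Salt documentation itself), the master configuration below sets the PAM service and wires this module in through external_auth so that clients can run salt -a pam. The account name alice and the permissions granted to it are placeholders; the user must exist on the master host, since PAM checks it there.

```yaml
# /etc/salt/master  (added example; alice and her permissions are placeholders)
auth.pam.service: login      # Linux default; Solaris-like systems may need: other

external_auth:
  pam:
    alice:                   # local account on the master host
      - '.*'                 # may run any module function on any minion
      - '@runner'            # and any runner on the master
```

With this in place, salt -a pam '*' test.ping prompts for a username and password, and the master validates them against the login PAM service; whether the master process is allowed to read /etc/shadow for that check is the subject of the note on non-root masters below.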
Note
PAM authentication will not work for the root user.
The Python interface to PAM does not support authenticating as root.
Note
This module executes itself in a subprocess in order to use the system Python and PAM libraries. We do this to avoid OpenSSL version conflicts when running under a Salt onedir build.
Note
Running salt-master as a non-root user (the 3006.x packaging default is the salt user) and using PAM eauth requires extra privileges so that PAM's unix_chkpwd helper can validate other users' passwords. unix_chkpwd refuses to authenticate users other than the caller unless the caller can read /etc/shadow. The two standard remediations are:
- Debian-derived distributions: add the master's user to the shadow group (e.g. usermod -a -G shadow salt) so the master process can read /etc/shadow, either directly or via the setgid-shadow unix_chkpwd helper.
- RPM-based distributions: revert the master to run as root (user: root in /etc/salt/master); /etc/shadow cannot be made readable to a non-root group safely there.
When PAM auth fails and the master is running as a non-root user without /etc/shadow access, a CRITICAL log entry naming the cause and the two remediations is emitted (once per process). See https://github.com/saltstack/salt/issues/64275 for the full discussion.
- class salt.auth.pam.PamConv
Wrapper class for pam_conv structure
- appdata_ptr
Structure/Union member
- conv
Structure/Union member
- class salt.auth.pam.PamMessage
Wrapper class for pam_message structure
- msg
Structure/Union member
- msg_style
Structure/Union member
- class salt.auth.pam.PamResponse
Wrapper class for pam_response structure
- resp
Structure/Union member
- resp_retcode
Structure/Union member
- salt.auth.pam.auth(username, password, **kwargs)
Authenticate via PAM
- salt.auth.pam.authenticate(username, password)
Returns True if the given username and password authenticate for the given service. Returns False otherwise
username: the username to authenticate
password: the password in plain text
- salt.auth.pam.groups(username, *args, **kwargs)
Retrieve groups for a given user for this auth provider
Uses system groups
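The wrapper classes and the authenticate function above describe the pieces of a ctypes PAM client without showing how they fit together. The following is an added, self-contained example in the same style; it is not Salt's code. It targets the Linux-PAM conversation layout (an array of pointers to pam_message), keeps the prompt-to-answer policy in a pure function so it can be reasoned about without a PAM stack, allocates responses with libc so that libpam may free them, and, mirroring the note that this interface cannot authenticate root, refuses root before touching PAM (that early return is this example's choice, not documented module behaviour). The service argument corresponds to the auth.pam.service option.

```python
"""PAM password check through ctypes, modelled on the structures above.

Added example, not salt.auth.pam itself. Assumes Linux-PAM (the conversation
callback receives an array of pointers to pam_message); Solaris-like systems
hand over a pointer to a contiguous array instead and are not handled here.
"""
import ctypes
import ctypes.util
from ctypes import (CFUNCTYPE, POINTER, Structure, byref, c_char_p, c_int,
                    c_size_t, c_void_p, cast, sizeof)

PAM_SUCCESS = 0
PAM_BUF_ERR = 5
PAM_CONV_ERR = 19
PAM_PROMPT_ECHO_OFF = 1   # "Password: "  -> reply with the password
PAM_PROMPT_ECHO_ON = 2    # "login: "     -> reply with the username
PAM_ERROR_MSG = 3         # informational, no reply
PAM_TEXT_INFO = 4         # informational, no reply


class PamMessage(Structure):
    _fields_ = [("msg_style", c_int), ("msg", c_char_p)]


class PamResponse(Structure):
    # resp is a raw pointer: libpam free()s it, so it must come from libc's
    # allocator, never from a Python-owned c_char_p buffer.
    _fields_ = [("resp", c_void_p), ("resp_retcode", c_int)]


CONV_FUNC = CFUNCTYPE(c_int, c_int, POINTER(POINTER(PamMessage)),
                      POINTER(POINTER(PamResponse)), c_void_p)


class PamConv(Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", c_void_p)]


def answer_prompts(prompts, username, password):
    """Map (msg_style, text) prompts to replies: bytes, or None for info."""
    answers = []
    for style, _text in prompts:
        if style == PAM_PROMPT_ECHO_OFF:
            answers.append(password)
        elif style == PAM_PROMPT_ECHO_ON:
            answers.append(username)
        elif style in (PAM_ERROR_MSG, PAM_TEXT_INFO):
            answers.append(None)
        else:
            raise ValueError(f"unsupported PAM message style {style}")
    return answers


def _load_libc():
    libc = ctypes.CDLL(ctypes.util.find_library("c"))
    libc.calloc.restype, libc.calloc.argtypes = c_void_p, [c_size_t, c_size_t]
    libc.strdup.restype, libc.strdup.argtypes = c_void_p, [c_char_p]
    return libc


def _make_conv(libc, username, password):
    def conv(n_messages, messages, p_response, _appdata):
        try:
            prompts = [(messages[i].contents.msg_style, messages[i].contents.msg)
                       for i in range(n_messages)]
            answers = answer_prompts(prompts, username, password)
        except Exception:       # a Python exception must not escape into libpam
            return PAM_CONV_ERR
        array = libc.calloc(n_messages, sizeof(PamResponse))  # zeroed, NULL resp
        if not array:
            return PAM_BUF_ERR
        responses = cast(array, POINTER(PamResponse))
        for i, answer in enumerate(answers):
            if answer is not None:
                responses[i].resp = libc.strdup(answer)
        p_response[0] = responses
        return PAM_SUCCESS
    return CONV_FUNC(conv)


def authenticate(username, password, service="login"):
    """True if username/password pass PAM authentication and account checks."""
    if username == "root":      # example's own guard: fail closed for root
        return False
    path = ctypes.util.find_library("pam")
    if path is None:
        raise RuntimeError("libpam not found on this host")
    libpam = ctypes.CDLL(path)
    libpam.pam_start.restype = c_int
    libpam.pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv), POINTER(c_void_p)]
    for name in ("pam_authenticate", "pam_acct_mgmt", "pam_end"):
        getattr(libpam, name).restype = c_int
        getattr(libpam, name).argtypes = [c_void_p, c_int]

    user_b = username.encode("utf-8")
    conv_cb = _make_conv(_load_libc(), user_b, password.encode("utf-8"))
    conv = PamConv(conv_cb, None)   # conv_cb stays referenced until pam_end
    handle = c_void_p()
    if libpam.pam_start(service.encode("utf-8"), user_b, byref(conv), byref(handle)) != PAM_SUCCESS:
        return False
    retval = libpam.pam_authenticate(handle, 0)
    if retval == PAM_SUCCESS:   # password accepted; now reject locked/expired accounts
        retval = libpam.pam_acct_mgmt(handle, 0)
    libpam.pam_end(handle, retval)
    return retval == PAM_SUCCESS


if __name__ == "__main__":
    import getpass, sys
    user = sys.argv[1] if len(sys.argv) > 1 else getpass.getuser()
    print("authenticated" if authenticate(user, getpass.getpass()) else "denied")
```

Run as python3 pamcheck.py alice and enter the password when prompted. Authenticating a user other than the one the process runs as only succeeds if the process can read /etc/shadow or unix_chkpwd is willing to answer on its behalf, which is exactly the non-root master situation described in the note above; on such a host a wrong answer shows up as a plain False, not an exception, so the surrounding log line matters.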