谁能告诉我这个... 我想创建一个类似于 /etc/pam.d 中的登录模块的 pam 模块
如果您在登录期间寻找基于 pam 的人脸身份验证,您需要编写一个模块来为您执行此操作,并将其插入位于 /etc/pam.d/login 的登录配置文件中。
在直接进入本文之前,我建议您编写一些简单的模块来了解 PAM 的流程、工作和配置文件,例如开始使用 sshd pam 配置文件并尝试插入一些可用的示例 pam 模块。我发现这些文章很有帮助:
http://aplawrence.com/Basics/understandingpam.html
https://www.packtpub.com/article/development-with-pluggable-authentication-modules-pam
仅供参考:Rohan Anil 在 GSOC08 期间在 opensuse 下开发了 pam-face-authentication,托管于 code.google.com/p/pam-face-authentication/
由于答案实在是太长了,所以我可以给你链接我的 PAM 教程: 编写 Linux PAM 模块 以及 Linux PAM 配置教程
在开始编写模块之前,我建议您先阅读配置教程,您可以在其中了解该模块的作用。
总而言之,模块是应用程序想要进行身份验证时由 PAM 加载的共享对象。每次应用程序触发一个“阶段”(身份验证、帐户、会话、密码)时,都会在模块中调用相应的函数。因此,您的模块应该提供以下功能:
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *handle, int flags, int argc, const char **argv){
/* In this function we will ask the username and the password with pam_get_user()
* and pam_get_authtok(). We will then decide if the user is authenticated */
}
PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) {
/* In this function we check that the user is allowed in the system. We already know
* that he's authenticated, but we could apply restrictions based on time of the day,
* resources in the system etc. */
}
PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) {
/* We could have many more information of the user other then password and username.
* These are the credentials. For example, a kerberos ticket. Here we establish those
* and make them visible to the application */
}
PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
/* When the application wants to open a session, this function is called. Here we should
* build the user environment (setting environment variables, mounting directories etc) */
}
PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
/* Here we destroy the environment we have created above */
}
PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv){
/* This function is called to change the authentication token. Here we should,
* for example, change the user password with the new password */
}
在此功能中,您将使用 PAM 功能从应用程序中检索用户名和密码。这是通过必须在应用程序中定义的对话函数来实现的(请参阅本教程)。在每个函数的末尾,您必须返回一个确定结果的 PAM 返回代码(有关 PAM 错误代码,请参阅 this 和模块 writer 文档一般)。