New version of my hint.

Stef Bon stef at bononline.nl
Sun Jan 15 13:37:03 PST 2006


Hello,

I've changed the name of my hint: 

execute-session-scripts-using-kdm-and-pam.txt

Now it uses KDM and PAM together.

PAM only to get the credentials,
KDM to execute scripts at begin and end of session

I've skipped all the examples which I will add later apart.

Stef
-------------- next part --------------
AUTHOR: Stef Bon <stef at bononline dot nl>

DATE: 2006-01-15

LICENSE: GNU Free Documentation License Version 1.2

SYNOPSIS: Execute scripts at begin and end of a KDE-session using KDM and PAM.

DESCRIPTION:

This hint is about the ability to execute scripts when a KDE session starts
and when it stops.

Earlier I wrote a hint about this using PAM, with the help of the module pam_script.
I discovered that PAM is not the best place to do so. PAM is not the place to start
scripts; KDM is. KDM provides a very easy way, via the Xstartup and Xreset files, to
execute scripts. PAM, on the other hand, has the ability to do something with the
credentials provided at login, with the help of a module called pam_script.

This hint combines the two.


warning:

I use PAM and a module called pam_script to store the credentials provided at
login (the username and the password!!) for authentication against SMB servers when
mounting shares.
This looks a little bit like Single Sign On, but it isn't!! The credentials are stored in
a subdirectory of the homedir (~/.cifs/mount.cifs.conf), protected only by file permissions
while the system is running.
Anybody who is root, or who boots the machine from a LiveCD, can still read them. The
credentials are stored in plaintext, no encryption!!

So, this should never be used in an environment where you can't trust your users!


ATTACHMENTS:


PREREQUISITES:
This hint requires sufficient knowledge of LINUX in general, and scripts in particular.

HINT:

Content:
1. KDM: the files
2. PAM: the files
2.1 Installation of pam_script
2.2 Adjusting pam configuration
2.3 Creating the onauth script


1. KDM: the files
-----------------

KDM uses some files to start and stop:

. Xstartup
runs as root, after a user successfully logs in.

. Xsession
runs with the permissions of the authenticated user, to start the desired session (KDE).

. Xreset
runs as root, after the user session has ended.

Xstartup is the place to set things up; Xreset is the place to undo them again.

For more information about these files look at the handbook of KDM.

Add the following code to the Xstartup file:


-- snip --

# run every executable /etc/session.d/kdm/startup/*.sh as root,
# with the name of the user who just logged in as first argument
for script in /etc/session.d/kdm/startup/*.sh; do

	if [ -x "$script" ]; then

		"$script" "$USER"

	fi

done


and this code to the Xreset file:


-- snip --

# run every executable /etc/session.d/kdm/reset/*.sh as root,
# after the session of $USER has ended
for script in /etc/session.d/kdm/reset/*.sh; do

	if [ -x "$script" ]; then

		"$script" "$USER"

	fi

done


Create the directories where the scripts go:

install -m755 -d /etc/session.d/kdm/startup
install -m755 -d /etc/session.d/kdm/reset

The files in these directories must be readable and executable by every ordinary user;
therefore the permissions are 755.
All scripts in these directories should have the same permissions: 755.

Every user should be able to execute the scripts, but only root should be able to modify
them.
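The Xstartup and Xreset loops above are identical apart from the directory, so as an added example (not code from this hint or from KDM) here is one function that both files can share. It keeps the -x rule of the hint and drops the eval, and because KDM runs these files as root it additionally refuses a script that is not owned by the invoking user or that is group/world writable. The function name run_session_scripts and those extra checks are assumptions of this example.

```bash
#!/bin/bash
# Added example: one dispatcher for the Xstartup and Xreset drop-in directories.
# Not code from the hint or from KDM; the function name run_session_scripts and
# the ownership/permission checks are assumptions of this example.
#
# In Xstartup:  run_session_scripts /etc/session.d/kdm/startup "$USER"
# In Xreset:    run_session_scripts /etc/session.d/kdm/reset   "$USER"

# run_session_scripts DIR [ARG...]
# Runs every executable DIR/*.sh with ARG... (the user name), in glob order.
# Returns the number of scripts that exited non-zero (0 when all succeeded or
# when DIR does not exist).
run_session_scripts() {
    dir=$1; shift
    failed=0
    [ -d "$dir" ] || return 0

    for script in "$dir"/*.sh; do
        # An unmatched glob leaves the literal pattern behind; -f filters it out.
        [ -f "$script" ] || continue
        # Same rule as the hint: non-executable files are ignored.
        [ -x "$script" ] || continue
        # These run with root privileges under KDM, so refuse a script that is
        # not owned by the invoking user or that others could have edited.
        if [ ! -O "$script" ]; then
            echo "session.d: skipping $script: not owned by $(id -un)" >&2
            continue
        fi
        mode=$(ls -ld "$script" | cut -c1-10)   # e.g. -rwxr-xr-x
        case $mode in
            ?????w*|????????w*)                   # group or other write bit set
                echo "session.d: skipping $script: group/world writable" >&2
                continue ;;
        esac
        # Direct invocation instead of eval: path and arguments stay separate words.
        "$script" "$@"
        rc=$?
        if [ "$rc" -ne 0 ]; then
            echo "session.d: $script exited with status $rc" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}
```

Source the function from both Xstartup and Xreset (or paste it into each) and replace the loops with the two calls shown in the header comment; a non-zero return only means some drop-in failed, the session itself is not affected.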


2. PAM: the files
-----------------

My version of PAM is 0.80.
I use pam_script to make the credentials provided at login available to password
sensitive programs like mount.cifs and fusesmb. If this is not what you want, skip
this section.
Also be aware of the "danger" of this construction, as already stated in the
DESCRIPTION.


2.1 Installation of pam_script
------------------------------

Get the module pam_script from http://freshmeat.net/projects/pam_script. 
I'm using version 0.1.6.

unpack:

tar -xzf pam-script-*.tar.gz

compile and move to the proper place:

cd pam-script-*

make
mv pam_script.so /lib/security
chown root:root /lib/security/pam_script.so
chmod 755 /lib/security/pam_script.so


2.2 Adjusting pam configuration
-------------------------------


Adjusting the /etc/pam.d/login file:


pam_script has the ability (from version 0.1.5) to get the password provided at login
and make it available to scripts via the environment variable PAM_AUTHTOK.
Insert it in the auth part:

-- snip --

auth		required	pam_shells.so
auth		required	pam_script.so expose=1
auth		sufficient	pam_unix.so use_first_pass
auth		required	pam_ldap.so use_first_pass


When users log in in other ways than the standard one, such as an X-based login like KDM,
adjust those services the same way. On my machine I frequently log in with KDM, which uses the
kde service, a symlink to the login service:

cd /etc/pam.d

lrwxrwxrwx   1 root root    5 2005-07-11 13:59 kde -> login
lrwxrwxrwx   1 root root    5 2005-07-11 13:59 kde-np -> login
-rw-r--r--   1 root root  931 2005-07-19 13:20 login


Notes:

- pam_script.so takes some parameters. All of them are described in the README in the
source directory.
I use expose=1 in the auth part because I want the password to be used by fusesmb and mount.cifs.


2.3 Creating the onauth script
------------------------------


pam_script runs scripts from the /etc/security directory: onsessionopen and onsessionclose
for sessions, and onauth at authentication time. Here onauth is the one used.


cat > /etc/security/onauth << "EOF"
#!/bin/bash
#
# Called by pam_script at authentication time as: onauth <user> <service>
# With expose=1 the password is available in the environment as PAM_AUTHTOK.

userid=$1
service=$2

# exact lookup in the passwd database (a grep on "^$userid" would also
# match every user whose name merely starts with $userid)
userproperties=$(getent passwd "$userid")

if [ -z "$userproperties" ]; then

    #
    # userproperties not found: something wrong
    #

    echo "User not found."
    exit 0

fi

homedir=$(echo "$userproperties" | cut -d ":" -f 6)
gidnr=$(echo "$userproperties" | cut -d ":" -f 4)
uidnr=$(echo "$userproperties" | cut -d ":" -f 3)

# number of sessions this user already has (see the notes below on why "w")
nrusers=$(w -h "$userid" | wc -l)

# only run the scripts for the first login of a user
if [ "$nrusers" -eq 0 ]; then

    if [ -d /etc/session.d/pam/onauth ]; then

	for script in /etc/session.d/pam/onauth/*.sh; do

	    if [ -x "$script" ]; then

		"$script" "$userid" "$service" "$PAM_AUTHTOK"

	    fi
	done

    fi

fi

exit 0

EOF

chown root:root /etc/security/onauth
chmod 755 /etc/security/onauth


Create the following directories:

mkdir -p /etc/session.d/pam/onauth

Here is where the scripts will go.


Notes:

-  As you can see, I use the command "w" to determine which users are logged in.
Other utilities such as who, users and last gave unreliable information. It
looks as if the utmp file does not always hold the right values.
Utilities such as who, users and last show the information from utmp without any check, so
they inherit its faults. 'w' does some extra checking, which makes it more
usable.
Other PAM modules, like pam_mount, have other ways to keep track of the number of logins
per user. pam_mount creates a separate file (/var/run/pam_mount/$userid) for
this purpose.
Anyone knowing a better way to determine how many times a user is logged
in, please let me know.

- I chose to execute the scripts only the first time a user logs in.
It's also possible to leave that to the scripts themselves (in /etc/session.d/pam/).

- pam_script is able to execute scripts when a session starts and when it ends
(pam_script calls these onsessionopen and onsessionclose).
I used this before, but not anymore. Those scripts I now put in /etc/session.d/kdm/startup and
/etc/session.d/kdm/reset.



ACKNOWLEDGEMENTS:
  * Thanks to the author of pam_script, Izak Burger, for his module and
    some useful hints.

CHANGELOG:
[2006-01-15]
  * Initial hint.

