Linux PAM module in Java

I do have a custom authentication mechanism which is written in Java. I was wondering what would be the best way to implement a Linux PAM module without rewriting the code in C?

I am aware of this list of available PAM modules but none of them are Java-related.

There's also JPam, but it does the opposite thing: it allows getting user/group information to be used in a Java app, whereas I need to use existing Java code to authenticate users in Linux (e.g. via SSH).

Any suggestions are welcome.

Best answer

You could try:

  • Compile your Java program using GCJ to native code
  • Write a glue C program which embeds a JVM and loads your Java code

but neither of those ideas seems ideal.

Answers

Have you thought of using pam_exec?

It allows you to run a script for PAM.

e.g. You add something like the following to your PAM config:

auth sufficient pam_exec.so expose_authtok /usr/local/bin/myscript-example

Here's a simple script that echoes all the vars out, but you could just as easily have it kick off a Java program, passing the needed vars in.

Whether the script succeeds or errors out should control whether the auth is successful or not.

Example Script to reflect all the vars:

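#!/bin/sh
# With expose_authtok, pam_exec supplies the password on stdin.
# IFS= and -r keep leading spaces and backslashes in the password intact.
IFS= read -r password
# The remaining values arrive as environment variables set by pam_exec.
echo "User: $PAM_USER"
echo "Ruser: $PAM_RUSER"
echo "Rhost: $PAM_RHOST"
echo "Service: $PAM_SERVICE"
echo "TTY: $PAM_TTY"
echo "Password : $password"
# The exit status is what pam_exec reports back to PAM.
exit $?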
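
One way to wire the pam_exec approach above to a Java authenticator, as an added example that is not part of the original answers. `JAVA_BIN`, `AUTH_JAR`, `AUTH_CLASS` and the Java program's contract (user name as first argument, password on stdin, exit 0 only on success) are assumptions.

```shell
#!/bin/sh
# Added example: pam_exec wrapper that passes the password to a Java
# authenticator on stdin. The jar path and class name are hypothetical.
JAVA_BIN=${JAVA_BIN:-/usr/bin/java}
AUTH_JAR=${AUTH_JAR:-/usr/local/lib/myauth.jar}     # assumed location
AUTH_CLASS=${AUTH_CLASS:-com.example.PamAuth}       # assumed main class

# Contract assumed for the Java side: main(args) gets the user name as
# args[0], reads one password line from stdin, exits 0 only on success.
pam_java_auth() {
    # pam_exec sets PAM_TYPE; anything but an auth request fails closed.
    [ "${PAM_TYPE:-}" = "auth" ] || return 1

    # PAM_USER is whatever the remote client typed: allow-list it before use.
    case "${PAM_USER:-}" in
        '' | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac

    # With expose_authtok the password arrives on stdin and may lack a
    # trailing newline, so read can report EOF yet still fill the variable.
    IFS= read -r password || true
    [ -n "$password" ] || return 1

    # Hand the secret over a pipe, not argv or the environment, and discard
    # backend output so nothing sensitive is echoed back.
    printf '%s\n' "$password" |
        "$JAVA_BIN" -cp "$AUTH_JAR" "$AUTH_CLASS" "$PAM_USER" >/dev/null 2>&1
}

# Run only under pam_exec, which sets PAM_TYPE; the exit status of the
# Java process becomes the PAM result.
if [ -n "${PAM_TYPE:-}" ]; then
    pam_java_auth
    exit $?
fi
```

Any failure on the way (missing JVM, missing jar, uncaught exception) yields a non-zero exit and therefore a denied login.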

Write a C wrapper to interface with PAM and within the implementation, use JNI to invoke an instance of the JVM.

JVM launching wrappers were very popular when people still wanted to deliver "exe"s that really ran programs in JARs. You'll want to look into what's not normally done with JNI, calling a JVM from a binary executable; unfortunately, most JNI instructions focus on calling C code from Java.

A good example of how to create a JVM from C code can be found here. Turning the C code module into a PAM shared object library will take a little work, but it's not likely to be too difficult.

Finally, don't forget that JNI uses and returns Java types for most of its operations. This means you'll have to read the "C" data types (probably char*) and create Java strings prior to passing them into your JVM. The same is true in reverse for receiving information from Java and passing it back to the PAM libraries.

Good luck!

You can actually get Java to talk to a C stub that in turn connects to the PAM callbacks. Read up on JNI (Java Native Interface). Mostly JNI is used to expose C to Java, but you can actually do it the other way around. You may also want to investigate GNU CNI as it's actually more convenient to use. There are a lot of resources listed at the Wikipedia JNI page.

http://jaas-pam.sourceforge.net/

It does user authentication and works with Tomcat's JAAS realm, but returns no group/role info, so no role-based web auth.




