问题描述
(找到下面附加的代码)我正在尝试更改 Ubuntu 系统中 SSH 的身份验证机制,以使用基于零知识证明的身份验证而不是普通的用户名密码。我正在尝试以 this git repo 中提供的工作为基础,并减轻其中的一些漏洞。它使用 /lib/x86_64-linux-gnu/security 中名为“pam_schnorr.so”的共享对象文件,该文件将 PAM_SUCCESS 或 PAM_IGnorE 返回给 ssh 进程并相应地授予身份验证。
pam_schnorr.so 使用 system() 命令运行 python3 文件“attempt.py”。依次尝试.py 使用jpype 运行一些java 代码(在一些计算后将y/n 写入output.txt)。 我面临的问题是 system() 命令无法成功运行尝试.py,因为返回的 WEXITSTATUS 为 1。这些是我迄今为止尝试过的一些组合 -
- 我能够在 test.c 中使用 system() 命令成功运行尝试.py 文件,该命令与 pam_schnorr.so 位于同一文件夹中
- 我能够通过终端成功运行 try.py
- 我能够通过 pam_schnorr.so 中的 system() 命令运行一个简单的 python 文件 test.py
- 如果我注释掉 import jpype 和其他与 jpype 相关的语句,我可以通过 pam_schnorr.so 中的 system() 运行尝试.py
因此,我得出的结论是,问题可能出在通过 .so 文件中的 system() 运行时尝试在 try.py 中运行 jpype 语句。
我用来从 pam_schnorr.c 生成 pam_schnorr.so 的命令是 -
$sudo gcc -c -fPIC pam_schnorr.c -o new_pam_schnorr.o
$sudo gcc new_pam_schnorr.o -shared -o pam_schnorr.so
我不确定问题到底是什么,但从 pam_schnorr.so 运行尝试.py 对于身份验证过程至关重要。对此的任何帮助表示赞赏
尝试.py
import jpype
import sys
import traceback
def main(a,b,c,d,e,f,g,h,i):
classpath = "-Djava.class.path=%s" % "/home/madhav/Downloads/6857-PasswordManager/out/production/6.857_ZKPassword/"
jpype.startJVM("/usr/lib/jvm/java-11-openjdk-amd64/lib/server/libjvm.so",classpath)
Main = jpype.JPackage("sixeightfiveseven").Main
Main.main([a,i])
if __name__ == "__main__":
# expect 9 arguments
a = sys.argv[1]
b = sys.argv[2]
c = sys.argv[3]
d = sys.argv[4]
e = sys.argv[5]
f = sys.argv[6]
g = sys.argv[7]
h = sys.argv[8]
i = sys.argv[9]
main(a,i)
test.c // 返回的 WEXITSTATUS 为 0(成功)
#include <stdio.h>
#include <gmp.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/wait.h>
void main(){
FILE *f = fopen("/home/madhav/Desktop/debug.txt","w+");
int status = system("sudo python3 /lib/x86_64-linux-gnu/security/attempt.py"); //providing the reqd arguments for attempt.py
fprintf(f,"\nSTATUS: %d",WEXITSTATUS(status));
if (status != 0) {
fprintf(f,"Failed :(\n");
}
else{
fprintf(f,"success :)\n");
}
fclose(f);
}
test.py
def func():
f = open("/home/madhav/Desktop/demofile.txt","a")
f.write("Now the file has more content!")
f.close()
if __name__ == "__main__":
func()
pam_schnorr.c(pam_sm_athenticate 函数中的系统调用)
/* Define which PAM interfaces we provide */
#define PAM_SM_ACCOUNT
#define PAM_SM_AUTH
#define PAM_SM_PASSWORD
#define PAM_SM_SESSION
#include <stdio.h>
#include <gmp.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/wait.h>
/* Include PAM headers */
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_ext.h>
#include <security/_pam_macros.h>
#include <security/pam_modutil.h>
/* PAM entry point for session creation */
int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc,const char **argv) {
return(PAM_IGnorE);
}
/* PAM entry point for session cleanup */
int pam_sm_close_session(pam_handle_t *pamh,const char **argv) {
return(PAM_IGnorE);
}
/* PAM entry point for accounting */
int pam_sm_acct_mgmt(pam_handle_t *pamh,const char **argv) {
return(PAM_IGnorE);
}
/* PAM entry point for authentication verification */
int pam_sm_authenticate(pam_handle_t *pamh,const char **argv) {
int retval;
const char *p;
retval = pam_get_authtok(pamh,PAM_AUTHTOK,&p,NULL);
// open a file to help debug
FILE *f = fopen("/home/sylvielee/Desktop/debug_log.txt","w");
// Expect a string containing GP_x,GP_y,PK_x,PK_y,V_x,V_Y,r,n,userID in that order
int num_vars = 9;
int pv_index = 0;
char *packet_vars[num_vars];
const char *delimiter = ",";
char *saveptr;
char *var = strtok_r(p,delimiter,&saveptr);
if (!var) {
fprintf(f,"incorrect input");
fclose(f);
return(PAM_IGnorE);
}
packet_vars[pv_index++] = var;
while (pv_index < num_vars) {
var = strtok_r(NULL,&saveptr);
fprintf(f,"\npv index is %d\n",pv_index);
fprintf(f,"var is %s\n",var);
if (!var) {
fprintf(f,"broke out");
break;
}
packet_vars[pv_index++] = var;
}
if (pv_index != num_vars) {
// didn't get all the desired variables
fclose(f);
return(PAM_IGnorE);
}
// call python script to check with verifier
char script_call[80];
sprintf(script_call,"python3 /lib/x86_64-linux-gnu/security/attempt.py %s %s %s %s %s %s %s %s %s",packet_vars[0],packet_vars[1],packet_vars[2],packet_vars[3],packet_vars[4],packet_vars[5],packet_vars[6],packet_vars[7],packet_vars[8]);
puts(script_call);
fprintf(f,"\n%s",script_call);
// check success of script call and log
int status = system(script_call);
fprintf(f,"Failed :(");
fclose(f);
return(PAM_IGnorE);
}
// read the verifier result
char *verifier_fp = "/home/sylvielee/Desktop/out.txt";
FILE *verifier_output = fopen(verifier_fp,"r");
int good = 0;
if (fgetc(verifier_output) == 121) { // ASCII for y
good = 1;
}
fprintf(f,"\nOutput is %d\n",good);
// return success of failure based on verifier result
fclose(f);
fclose(verifier_output);
if (good == 1) {
return(PAM_SUCCESS);
}
return(PAM_IGnorE);
}
/*
PAM entry point for setting user credentials (that is,to actually
establish the authenticated user's credentials to the service provider)
*/
int pam_sm_setcred(pam_handle_t *pamh,const char **argv) {
return(PAM_IGnorE);
}
/* PAM entry point for authentication token (password) changes */
int pam_sm_chauthtok(pam_handle_t *pamh,const char **argv) {
return(PAM_IGnorE);
}
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)