我有一台CentOS 7机器,我想在sudo期间验证失败时显示一条消息.我尝试通过在/etc/pam.d/sudo中添加pam_echo行来完成此操作.
为了测试,我创建了一个包含字符串’bar’的文件/ etc / security / foo.
这是我的sudo pam堆栈/etc/pam.d/sudo:
auth包括system-auth
auth可选pam_echo.so文件= / etc / security / foo
帐户包括system-auth
密码包括system-auth
session可选pam_keyinit.so撤销
会话需要pam_limits.so
出于某种原因,当我无法进行身份验证时,我没有看到pam_echo的输出.
$sudo ls
史蒂夫的[sudo]密码:
抱歉,请再试一次.
史蒂夫的[sudo]密码:
抱歉,请再试一次.
史蒂夫的[sudo]密码:
sudo:3次密码尝试不正确
我用pamtester测试了sudo pam堆栈,输入错误的密码后得到了预期的结果.
$pamtester sudo steve authenticate
密码:
酒吧
同样,输入正确的密码时我没有输出.
$pamtester sudo steve authenticate
密码:
pamtester:成功通过身份验证
解决方法
我运行sudo并使用GDB进行回溯.我跟着面包屑发现防止PAM输出被硬编码成sudo.
回溯:
#13 0x00007f9879eba7e0 in pam_authenticate (pamh=0x56373c553960,flags=flags@entry=32768) at pam_auth.c:34
#14 0x00007f987a3510de in sudo_pam_verify (pw=,prompt=0x56373c553d00 "[sudo] password for steve: ",auth=,callback=0x7ffea8406880)
at auth/pam.c:182
#15 0x00007f987a35052c in verify_user (pw=0x56373c54ce98,prompt=prompt@entry=0x56373c553d00 "[sudo] password for steve: ",validated=validated@entry=2,callback=callback@entry=0x7ffea8406880) at auth/sudo_auth.c:294
#16 0x00007f987a3520e5 in check_user (auth_pw=0x56373c54ce98,mode=,validated=2) at ./check.c:149
#17 0x00007f987a3520e5 in check_user (validated=validated@entry=2,mode=) at ./check.c:212
#18 0x00007f987a36506d in sudoers_policy_main (argc=argc@entry=1,argv=argv@entry=0x7ffea8406cf0,pwflag=pwflag@entry=0,env_add=env_add@entry=0x56373c5414f0,closure=closure@entry=0x7ffea84069f0) at ./sudoers.c:423
#19 0x00007f987a35eca4 in sudoers_policy_check (argc=1,argv=0x7ffea8406cf0,env_add=0x56373c5414f0,command_infop=0x7ffea8406a80,argv_out=0x7ffea8406a88,user_env_out=0x7ffea8406a90) at ./policy.c:758
#20 0x000056373aee448f in main (plugin=0x56373b102480,user_env_out=0x7ffea8406a90,command_info=0x7ffea8406a80,argc=1) at ./sudo.c:1342
#21 0x000056373aee448f in main (argc=,argv=,envp=) at ./sudo.c:261
在auth / pam.c的第181-182行,我发现使用PAM_SILENT标志调用pam_authenticate以防止任何输出.
/* PAM_SILENT prevents the authentication service from generating output. */
*pam_status = pam_authenticate(pamh,PAM_SILENT);
