Hi, I am trying to use your project. But for me it is not working. I did a bit of debugging and found out that PAM isn't providing the password on stdin. The environment variable `PAM_USER` is set.
```sh
#!/bin/sh
ssh-keygen -A
cat > /opt/pam-keycloak-oidc/pam-keycloak-oidc.tml << EOF
# name of the dedicated OIDC client at Keycloak
client-id="demo-pam"
# the secret of the dedicated client
client-secret="57f0e684-a59d-404d-9906-bfe154e8f6ba"
# special callback address for no callback scenario
redirect-url="urn:ietf:wg:oauth:2.0:oob"
# OAuth2 scope to be requested, which contains the role information of a user
scope="pam_roles"
# name of the role to be matched, only Keycloak users who are assigned this role are accepted
vpn-user-role="demo-pam-authentication"
# retrieve from the meta-data at https://keycloak.example.com/auth/realms/demo-pam/.well-known/openid-configuration
endpoint-auth-url="http://pc-marcel:8084/auth/realms/master/protocol/openid-connect/auth"
endpoint-token-url="http://pc-marcel:8084/auth/realms/master/protocol/openid-connect/token"
# 1:1 copy, no 'fmt' substitution is required
username-format="%s"
# to be the same as the particular Keycloak client
access-token-signing-method="RS256"
# a key for XOR masking. treat it as a top secret
xor-key="scmi"
EOF
cat > /debug.sh << EOF
#!/bin/bash
echo a
echo \$(tr -d '\0' < /dev/stdin)
echo b \$PAM_USER c
EOF
chmod +x /tnt
cat /etc/pam.d/sshd
cat > /etc/pam.d/sshd << EOF
account required pam_permit.so
auth [success=1 default=ignore] pam_exec.so expose_authtok log=/var/log/pam-keycloak-oidc.log /debug.sh
auth requisite pam_deny.so
auth required pam_permit.so
EOF
#/bin/bash
/usr/sbin/sshd -De
ssh admin@172.17.0.2
```
```
[marcel@pc-marcel ssh]$ sudo docker exec -it ssh cat /var/log/pam-keycloak-oidc.log
[sudo] password for marcel:
*** Sun Aug 1 19:47:25 2021
a
INCO
b admin c
*** Sun Aug 1 19:47:32 2021
a
I
b admin c
[marcel@pc-marcel ssh]$
```
At the position of the `I` there should be the password.
I tested it with step 8 in your readme and it worked.
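For reference, this is an added example of a `pam_exec` helper (not code from the issue or from the pam-keycloak-oidc project) that reads the authtok the way `expose_authtok` delivers it, on stdin, but records only the user name and the token length in the log rather than the plaintext password; the NUL stripping mirrors the debugging script above, and the log path and the fail-closed exit status are assumptions.

```sh
#!/bin/sh
# Added example: a pam_exec helper for use with
#   auth ... pam_exec.so expose_authtok /usr/local/sbin/pam-authtok-debug.sh
# pam_exec sets PAM_USER and PAM_TYPE in the environment and, with
# expose_authtok, writes the authtok to the helper's stdin.

read_authtok() {
    # Read the whole of stdin, drop any NUL bytes (the debugging script in
    # the issue does the same) and keep only the first line without its
    # newline, so the result is exactly the token as typed.
    tr -d '\0' | head -n 1 | tr -d '\n'
}

authtok_summary() {
    # $1: PAM_USER value; the authtok is read from stdin.
    # Prints a log line with the user and the token length, never the token.
    tok=$(read_authtok)
    printf 'user=%s authtok_len=%s\n' "$1" "${#tok}"
}

# Only act when invoked by pam_exec during the auth phase; when the script
# is sourced or run by hand, PAM_TYPE is unset and nothing is logged.
case "${PAM_TYPE:-}" in
auth)
    # Assumed log path; keep it readable by root only since it records who
    # attempted to log in.
    authtok_summary "${PAM_USER:-unknown}" >> /var/log/pam-authtok-debug.log
    # Fail closed: a debugging helper must never be the step that grants access.
    exit 1
    ;;
esac
```

Once `authtok_len` in the log matches the length of the password typed at the ssh prompt, the handoff from `pam_exec` is working and the remaining problem lies in the module itself.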