

UbuntuでCプログラミングを使用してLinux PAM認証モジュールを作成しました。私の考えは、ログイン時に入力したユーザー名とパスワードをWebサーバーに保存されているユーザー名とパスワードと比較して、同じ場合はシステムに入ることができないか、システムに入ることができないことです。


#include <stdio.h>
#include <stdlib.h>
#include <unistd.h> /* read, write, close */
#include <string.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_ext.h>

#include <sys/socket.h> /* socket, connect */
#include <netinet/in.h> /* struct sockaddr_in, struct sockaddr */
#include <netdb.h> /* struct hostent, gethostbyname */
#include <arpa/inet.h>
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

void error(const char *msg) { perror(msg); exit(0); }

int sendreq(pam_handle_t *pamh, int argc, const char *uname, const char *pwd)
    int i;
    pam_syslog(pamh, 5, "********into  sendreq******");

    /* first where are we going to send it? */
    int portno = 1234;
    char *host = "";
    char *method = "GET";
    char *path = "/authModule/authenticate";
    char *header = "";
    char body[1024];
    char* test_ok = "aaaaaaa";
    SSL *ssl = NULL;
    int OK_status = 0;
    X509 *server_cert;
    char* str = NULL;
    int err;
    char querystring[1024];
    //int argc = 6;
    int ret = 0;

    struct hostent *server;
    struct sockaddr_in serv_addr;
    struct in_addr ip;
    SSL_CTX *ctx = NULL;
    int sockfd, bytes, sent, received, total, message_size;
    const SSL_METHOD *client_method;
    char *message, response[4096];

    if (argc < 5) { puts("Parameters: <host> <port> <method> <path> [<data> [<headers>]]"); exit(0); }
    printf("querystring is %s-%d", querystring, strlen(querystring));


    client_method = SSLv23_client_method( );
    ctx = SSL_CTX_new(client_method);
    if (!ctx) {
        fprintf (stderr, "SSL_CTX_new failed:\n");
        ERR_print_errors_fp (stderr);
        return 0;
    server = gethostbyname(host);
    if (server == NULL) error("ERROR, no such host");

    bcopy(server->h_addr, &(ip.s_addr), server->h_length);

    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    memset(&serv_addr, '\0', sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_port = htons(portno); 
            server->h_addr, server->h_length);
    err = connect(sockfd, (struct sockaddr*) &serv_addr,
    if (err < 0) { perror("can't connect to server port"); exit(1); }
    ssl = SSL_new(ctx); 
    if (!ssl) {
        fprintf (stderr, "SSL_new failed:\n");
        ERR_print_errors_fp (stderr);
        return 0;

    SSL_set_fd(ssl, sockfd); 
    err = SSL_connect(ssl); 

    server_cert = SSL_get_peer_certificate(ssl);
    printf("(6) server's certificate was received:\n\n");
    str = X509_NAME_oneline(X509_get_subject_name(server_cert), 0, 0);
    printf(" subject: %s\n", str);
    str = X509_NAME_oneline(X509_get_issuer_name(server_cert), 0, 0);
    printf(" issuer: %s\n\n", str);


    /* How big is the message? */
        message_size+=strlen("%s %s%s%s HTTP/1.0\r\n");        /* method         */
        message_size+=strlen(path);                            /* path           */
        message_size+=strlen(header);                          /* headers        */
            message_size+=strlen(querystring);                 /* query string   */
        for(i=6;i<argc;i++)                                    /* headers        */
        message_size+=strlen("\r\n");                          /* blank line     */
        message_size+=strlen("%s %s HTTP/1.0\r\n");
        message_size+=strlen(method);                         /* method         */
        message_size+=strlen(path);                         /* path           */
        for(i=6;i<argc;i++)                                    /* headers        */
            message_size+=strlen("Content-Length: %d\r\n")+10; /* content length */
        message_size+=strlen("\r\n");                          /* blank line     */
            message_size+=strlen(body);                     /* body           */

    /* allocate space for the message */

    /* fill in the parameters */
            sprintf(message,"%s %s%s%s HTTP/1.0\r\n",
                strlen(method)>0?method:"GET",               /* method         */
                strlen(path)>0?path:"/",                 /* path           */
                strlen(querystring)>0?"?":"",                      /* ?              */
                strlen(querystring)>0?querystring:"");                 /* query string   */
            sprintf(message,"%s %s HTTP/1.0\r\n",
                strlen(method)>0?method:"GET",               /* method         */
                strlen(path)>0?path:"/");                /* path           */
        //for(i=6;i<argc;i++)                                    /* headers        */
        strcat(message,"\r\n");                                /* blank line     */

        pam_syslog(pamh, 5, message);
        sprintf(message,"%s %s HTTP/1.0\r\n",
            strlen(method)>0?method:"POST",                  /* method         */
            strlen(path)>0?path:"/");                    /* path           */
        //for(i=6;i<argc;i++)                                    /* headers        */
        //    {strcat(message,argv[i]);strcat(message,"\r\n");}
        //    sprintf(message+strlen(message),"Content-Length: %d\r\n",strlen(argv[5]));
        strcat(message,"\r\n");                                /* blank line     */
        //    strcat(message,argv[5]);                           /* body           */

    /* What are we going to send? */

    /* create the socket */
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0) error("ERROR opening socket");

    /* lookup the ip address */
    server = gethostbyname(host);
    if (server == NULL) error("ERROR, no such host");

    /* fill in the structure */
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_port = htons(portno);

    /* connect the socket */
    if (connect(sockfd,(struct sockaddr *)&serv_addr,sizeof(serv_addr)) < 0)
        error("ERROR connecting");
    /* send the request */
    total = strlen(message);
    sent = 0;
    do {
        bytes = SSL_write(ssl,message+sent,total-sent); 
        if (bytes < 0)
            error("ERROR writing message to socket");
        if (bytes == 0)
    } while (sent < total);

    shutdown (sockfd, 1); /* send EOF to server */

    pam_syslog(pamh, 5, response);
    total = sizeof(response)-1;
    received = 0;
    do {
        bytes = SSL_read(ssl,response+received,total-received);
        if (bytes < 0)
            error("ERROR reading response from socket");
        if (bytes == 0)
    } while (bytes > 0);


PAM_EXTERN int pam_sm_setcred( pam_handle_t *pamh, int flags, int argc, const char **argv ) {
        return PAM_SUCCESS;

PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) {
        printf("Acct mgmt\n");
        return PAM_SUCCESS;

PAM_EXTERN int pam_sm_authenticate( pam_handle_t *pamh, int flags,int argc, const char **argv ) {
        int retval;

        const char* pUsername;
        const char* pPassword;
        char cmd[255];
        memset(cmd, 0, 255);

        retval = pam_get_user(pamh, &pUsername, "Username: ");

        printf("Welcome %s\n", pUsername);

        if (retval != PAM_SUCCESS) {
                return retval;

        retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pPassword , NULL);

        pam_syslog(pamh, 5, " login");
        pam_syslog(pamh, 5, pUsername);
        pam_syslog(pamh, 5, pPassword);

        if (!sendreq(pamh, 6, pUsername, pPassword)) {
                return PAM_AUTH_ERR;

        pam_syslog(pamh, 5, "add user...");
        sprintf(cmd,"useradd -m %s",pUsername);

        return PAM_SUCCESS;

int main(int argc, char *argv[])
    char *uname="aaaaa";
    char *pwd="123";
    sendreq(NULL, 6, uname, pwd);


aaa@ubuntu:/etc/pam.d$  cat gdm-password 
auth sufficient
account sufficient

auth    requisite
auth    required user != root quiet_success
@include common-auth
auth    optional
@include common-account
# SELinux needs to be the first session rule. This ensures that any 
# lingering context has been cleared. Without this it is possible 
# that a module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] close
session required
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
# changes the SELinux context of the used TTY and configures
# SELinux in order to transition to the user context with the next execve()
# call.
session [success=ok ignore=ignore module_unknown=ignore default=bad] open
session optional force revoke
session required
session required readenv=1
session required readenv=1 user_readenv=1 envfile=/etc/default/locale
@include common-session
session optional auto_start
@include common-password


aaa@ubuntu:~$  uname -a
Linux ubuntu 5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux


aaa@ubuntu:~$  openssl version -a
OpenSSL 1.1.1k  25 Mar 2021
built on: Fri Jul  2 10:45:57 2021 UTC
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr) 
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib/engines-1.1"
Seeding source: os-specific



gcc -fPIC -fno-stack-protector -c src/sensepam.c -lssl -lcrypto

sudo ld -x --shared -o /usr/lib/x86_64-linux-gnu/security/  sensepam.o

rm sensepam.o


Jul  5 15:50:54 ubuntu systemd-logind[644]: System is rebooting.
Jul  5 16:09:04 ubuntu systemd-logind[649]: New seat seat0.
Jul  5 16:42:09 ubuntu gdm-password]: PAM unable to dlopen( /lib/security/ undefined symbol: OPENSSL_init_crypto
Jul  5 16:42:09 ubuntu gdm-password]: PAM adding faulty module:
Jul  5 16:42:09 ubuntu gdm-password]: pam_unix(gdm-password:auth): Couldn't open /etc/securetty: No such file or directory
Jul  5 16:42:14 ubuntu gdm-password]: pam_unix(gdm-password:auth): Couldn't open /etc/securetty: No such file or directory
Jul  5 16:42:14 ubuntu gdm-password]: gkr-pam: unlocked login keyring
Jul  5 17:01:25 ubuntu gdm-password]: PAM unable to dlopen( /lib/security/ undefined symbol: OPENSSL_init_crypto
Jul  5 17:01:25 ubuntu gdm-password]: PAM adding faulty module:
Jul  5 17:01:25 ubuntu gdm-password]: pam_unix(gdm-password:auth): Couldn't open /etc/securetty: No such file or directory
Jul  5 17:02:23 ubuntu gdm-password]: pam_unix(gdm-password:auth): Couldn't open /etc/securetty: No such file or directory
Jul  5 17:02:23 ubuntu gdm-password]: gkr-pam: unlocked login keyring
PAM unable to dlopen( /lib/security/ undefined symbol: OPENSSL_init_crypto




ld -x --shared -o sensepam.o -lcrypto -lssl


ldd -r /lib/security/


OpenSSL libフォルダから欠落しているlibファイルをシステムライブラリにコピーします。デフォルトのシステムライブラリパスはです/usr/lib/x86_64-linux-gnu/
