[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

RE: Differentiating between login and logout under pam_exec and session

From: Colin van Niekerk <Colin vanNiekerk mimecast co za>
To: Pluggable Authentication Modules <pam-list redhat com>
Subject: RE: Differentiating between login and logout under pam_exec and session
Date: Thu, 14 May 2009 23:49:01 +0200

Hi there Drew,

Not sure about pam_exec but...

I have just written a PAM module that does exactly this... well, all but the source of the connection, I'll figure that out soon enough I'm sure.

I have called it pam_alert. - PLEASE COULD ANYONE LET ME KNOW IF THERE IS ALREADY A MODULE WITH THIS NAME.

Line in /etc/pam.d/sshd -> session  optional  pam_alert.so <I/O/B> address domain com address2 other com
I - Logins
O - Logouts
B - Both

Can be upper or lowercase.

Prerequisite: You must have /bin/mail from mailx, pam_alert uses it to send the email

Let me know if you are interested in running it. I have not tested on very many systems so it's without ANY warranty etc... etc... but you'll have the code so you can see what it's doing. Would be good to get it onto different systems.

It'll be on sourceforge.net under the SimPL2 license as soon as the project is approved.

Regards,
Colin

-----Original Message-----
From: pam-list-bounces redhat com [mailto:pam-list-bounces redhat com] On Behalf Of Drew Leske
Sent: 14 May 2009 09:12 PM
To: pam-list redhat com
Subject: Differentiating between login and logout under pam_exec and session

Hi all,

I would like to have some machines page me on logins.  It seems to me (with limited PAM understanding and experience) that the most appropriate place for this is using the following line in system-auth:

session required pam_exec.so (script-name)

The script sends an e-mail using environment variables set by pam_exec to let me know that a given user has logged in to which box from where, for what service.  The only problem is it sends this on both logins and logouts and I can't see how to differentiate.  I would like it to either not let me know about logouts, or preferably, for the script to simply tell me "Bob logged in to service sshd from wherever.example.com" or "Bob logged out from ..."  I have had my script log all environment variables passed to it and they seem to be identical in both login/logout scenarios.

Any ideas?  Is this an appopriate use of session, pam, ...?  I know I could add stuff to login scripts or make a monitor for syslog, but this seems to me to be the best place to put this sort of thing.

Thanks everybody
Drew.




Drew Leske, Unix Services Team, CASS, University of Victoria.
   mel: dleske uvic ca
   tel: 250-472-5055
   cel: 250-588-4311

_______________________________________________
Pam-list mailing list
Pam-list redhat com
https://www.redhat.com/mailman/listinfo/pam-list

References:
- Differentiating between login and logout under pam_exec and session
  - From: Drew Leske

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]