#5 Is the project dead?

[Eduardo Barretto]

Hey Russel,

The project last commit is from 2016 and the last version is already throwing errors for quite some time (https://sourceforge.net/p/pam-python/tickets/1/)

So I wanted to know more about the project future, will it be updated and maintained?

Thanks in advance,
Eduardo

[Russell Stuart]

I'm a Debian Developer, so I tend to do things on Debian's cycle. Debian is coming up for a release next year, so things will happen by then.

The major thing is the port to Python 3. The major hold up is python-pam isn't available for Python 3, and python-pam is used for unit tests, and I'm anal about unit tests. So I either have to write it myself or find alternative. I have looked for an alternative, but haven't had much success so far.

[Eduardo Barretto]

Thanks Russel for the update!

[Anders Blomdell]

On Fedora python3-pam exists, and comes from:

https://github.com/FirefighterBlu3/python-pam

if I can be of any help, just say so...

[Stefan Wolfsheimer]

That software package is for PAM clients only.
While this one here can be used to implment pam modules as well.

[Anders Blomdell]

Yes, the client code (python-pam) is needed for testing pam-python.

Actually the naming is horrible

[Kenji Noguchi]

I'm working on porting this to py3. The 11 of 12 unit tests pass. "run_xauthdata" is the only test that is failing.

[Russell Stuart]

Wow. I'm impressed. What are you using to drive the pam client side from Python?

[danielpops]

Bump! I'd like to use this in the context of a python3 world, especially given python2.7's impending EOL. I'm wondering if there is an active ongoing effort to bring this library up to speed for python3 and/or when one could expect that to happen. Thanks!

[Anders Blomdell]

Continued kenji's work in

https://sourceforge.net/u/anders_blomdell/pam-python/ci/py3/tree/

now the python tests pass, ctest fails to unload the python libraries which might indicate memory leaks somewhere in the code.

[Anders Blomdell]

ctest fails due to

  /usr/lib64/python3.7/lib-dynload/_heapq.cpython-37m-x86_64-linux-gnu.so

being loaded by the call

    tracebackModule = PyImport_ImportModule("traceback");

forcibly unloading at end of cleanup_pamHandle by:

static int dl_walk_heapq(struct dl_phdr_info* info, size_t size, void* data)
{
  if (strstr(info->dlpi_name, "/_heapq.cpython") != 0) {
    void *handle = dlopen(info->dlpi_name, RTLD_NOW|RTLD_NOLOAD);
    if (handle) {
      while(dlclose(handle) == 0) { }
    }
  }
  return 0;
}
...  
  dl_iterate_phdr(dl_walk_heapq, NULL);
  dlclose(dlhandle);
}

works, but is obviously not the correct cause of action...

[Dan Fandrich]

FWIW, I tried the tree at https://sourceforge.net/u/anders_blomdell/pam-python/ci/f7a9e21bde726b8d68815d1e9572a0636d488a5c/tree/ with Python 3.8.2 and pam 1.3.1 on Linux x86_64 and it seems to work (it passes ctest, anyway). The install target doesn't work because it's missing the same glob in pam_python3.\*.so that the previous ln -s command has (it's missing in "cp build/lib.*/pam_python3.so $(DESTDIR)$(LIBDIR)). I couldn't find a PyPAM that works with Python 3 to try test.py but ctest passes, although I needed this patch or else "import test" would fail to find the file.

--- test.py
+++ test.py 2020-04-02 08:47:53.739533878 +0000
@@ -34,8 +34,7 @@
return test(pam_sm_chauthtok, pamh, flags, argv)

def test(who, pamh, flags, argv):
- import test
- if not hasattr(test, "test_function"):# only true if not called via "main"
+ if not hasattr(globals(), "test_function"):# only true if not called via "main"
return pamh.PAM_SUCCESS # normally happens only if run by ctest
test_function = globals()[test.test_function.name]
return test_function(test.test_results, who, pamh, flags, argv)

[Dan Fandrich]

I used the Fedora PyPAM (thanks for sending that pointer OOB) and got some test failures. The first is a problem in the test harness itself:

File "test.py", line 64, in assert_results
assert len(expected_results) == len(results), (i, expected_results[len(results)])
UnboundLocalError: local variable 'i' referenced before assignment

This is because "results" was empty so the for loop never got a chance to set i.

After working around that, I realized my patch in the previous comment was insufficient and changed it to:

--- test.py
+++ test.py     2020-04-02 10:15:05.069983210 +0000
@@ -34,9 +34,9 @@
   return test(pam_sm_chauthtok, pamh, flags, argv)

 def test(who, pamh, flags, argv):
-  import test
-  if not hasattr(test, "test_function"):# only true if not called via "main"
+  if 'test' not in sys.modules:# only true if not called via "main"
     return pamh.PAM_SUCCESS            # normally happens only if run by ctest
+  import test
   test_function = globals()[test.test_function.__name__]
   return test_function(test.test_results, who, pamh, flags, argv)

In trying to debug the failure (that caused results to be empty), I found that raising an exception in the PAM code (e.g., in test_basic_calls) would case a segfault:

Testing basic_calls Traceback (most recent call last):
  File "./test.py", line 640, in <module>
    main(sys.argv)
  File "./test.py", line 620, in main
    run_test(run_basic_calls)
  File "./test.py", line 51, in run_test
    caller(test.test_results)
  File "./test.py", line 79, in run_basic_calls
    pam.authenticate(0)
PAM.error: ('Error in service module', 3)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff70b95e0 in ?? ()
(gdb) bt
#0  0x00007ffff70b95e0 in ?? ()
#1  0x00007ffff7b5ceac in collect.constprop () from /lib64/libpython3.8.so.1.0
#2  0x00007ffff7c93b02 in _PyGC_CollectNoFail () from /lib64/libpython3.8.so.1.0
#3  0x00007ffff7c9a74a in PyImport_Cleanup () from /lib64/libpython3.8.so.1.0
#4  0x00007ffff7ca1e36 in Py_FinalizeEx () from /lib64/libpython3.8.so.1.0
#5  0x00007ffff7ca312d in Py_RunMain () from /lib64/libpython3.8.so.1.0
#6  0x00007ffff7ca3539 in Py_BytesMain () from /lib64/libpython3.8.so.1.0
#7  0x00007ffff7e13d8b in __libc_start_main () from /lib64/libc.so.6
#8  0x000000000040107a in _start ()

After struggling some more, I discovered that the failure was because I was running the test with "python3 ./test.py"; running it as "python3 test.py" succeeds. Good grief. This patch fixes that:

--- test.py
+++ test.py     2020-04-02 10:15:05.069983210 +0000
@@ -80,7 +82,7 @@
   pam.open_session()
   pam.close_session()
   del pam
-  me = os.path.join(os.getcwd(), __file__)
+  me = os.path.normpath(os.path.join(os.getcwd(), __file__))
   expected_results = [
       (pam_sm_authenticate.__name__, 0, [me]),
       (pam_sm_acct_mgmt.__name__, 0, [me, 'arg1', 'arg2']),

I also got a deprecation warning on the xauthdata test:

Testing xauthdata /home/dan/rpm/BUILD/pam-python-1.0.7/src/test.py:393: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats
  xauthdata1 = pamh.xauthdata
/home/dan/rpm/BUILD/pam-python-1.0.7/src/test.py:409: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats
  xauthdata2 = pamh.xauthdata
/home/dan/rpm/BUILD/pam-python-1.0.7/src/test.py:415: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats
  xauthdata4 = pamh.xauthdata
OK

But, at least I got the tests working!

[Russell Stuart]

Well, colour me impressed. You've done what I thought was a huge job hard. I'll try to have a closer look this weekend.

[Dan Fandrich]

It probably was a huge, hard job :-)

[Russell Stuart]

I'm just letting everybody know now the tests work, I've started intergrating all the changes for a new release.

[Rahul]

Hi all,

I downloaded source from https://sourceforge.net/u/anders_blomdell/pam-python/ci/py3/tree/
and build it using make and make install on CentOS8.1.

I defined a pam_sm_authenticate() function in seperate python file and try to called it inside /etc/pam.d/sshd file :
auth required /lib/security/pam-python3.so /home/test.py use_first_pass

But in /var/log/secure i am getting the following error
Aug 20 15:26:17 localhost /home/test.py[7911]: Can not open module: Permission denied

and my test.py is just a simple file as follows-

def pam_sm_authenticate(pamh, flags, argv):
print("hello")
return pamh.PAM_SUCCESS

def pam_sm_setcred(pamh, flags, argv):
return pamh.PAM_SUCCESS

def pam_sm_acct_mgmt(pamh, flags, argv):
return pamh.PAM_SUCCESS

def pam_sm_open_session(pamh, flags, argv):
return pamh.PAM_SUCCESS

def pam_sm_close_session(pamh, flags, argv):
return pamh.PAM_SUCCESS

def pam_sm_chauthtok(pamh, flags, argv):
return pamh.PAM_SUCCESS

Please suggest how to resolve this. Any lead will be appreciated.

[Raymond Bennett]

@rstuart any luck on merging python3 functionality?

I am trying to get this to work on Clear Linux which is on python3.8. I know some stuff changed about how to embed python. I couldn't get it to work.

I don't know if this is the right solution, but I found that in setup.py distutils.sysconfig.get_config_var('INSTSONAME') returned libpython3.8.a. When trying to dlopen this in pam_python.c I am getting an error that libpython3.8.a: invalid ELF Header.

I was wondering if libpython3.8.a is what you are wanting to link to? So I tried compiling it and manually overriding it to 'libpython3.8.so' and now it works, but I am not sure if this is the correct thing to do?

[Russell Stuart]

@rstuart any luck on merging python3 functionality?

Almost all of it is merged in 1.0.9. The only thing that isn't merged is actually building the .so, I think. That will have to wait until I have tests.

[the2nd]

Hi,

is there any documentation how to build pam-python for python3?

[Dan Fandrich]

I was able to build 1.0.8 on Python 3.8 with "make" after applying the following patch. I haven't actually run this version to see that this patch is correct or that it even works, though, nor tried to get the test suites running:

diff -ru /tmp/pam-python-1.0.8/src/pam_python.c /home/dan/chroot-cauldron/tmp/pam-python-1.0.8/src/pam_python.c
--- /tmp/pam-python-1.0.8/src/pam_python.c  2020-11-10 01:58:10.000000000 -0800
+++ /home/dan/chroot-cauldron/tmp/pam-python-1.0.8/src/pam_python.c 2021-01-18 09:19:27.082023704 -0800
@@ -104,7 +104,7 @@
 #define    Py23_String_FromStringAndSize PyUnicode_FromStringAndSize
 #define    Py23_String_GET_SIZE    PyUnicode_GET_SIZE
 #define    Py23_String_Parse_Char  "U"
-#define    Py23_String_Size    PyUnicode_Size
+#define    Py23_String_Size    PyBytes_Size
 #define    Py23_String_Type    PyUnicode_Type
 #define    Py23_TYPE(p)        Py_TYPE(p)
 #endif
@@ -434,7 +434,7 @@
    * Just print the exception in some recognisable form, hopefully.
    */
   syslog_open(module_path);
-  if (PyClass_Check(ptype))
+  if (PyType_Check(ptype))
     stype = PyObject_GetAttrString(ptype, "__name__");
   else
   {
@@ -876,7 +876,7 @@
     value = 0;
   else
   {
-    value = Py23_String_AsString(pyValue);
+    value = (char*) Py23_String_AsString(pyValue);
     if (value == 0)
     {
       snprintf(
Only in /home/dan/chroot-cauldron/tmp/pam-python-1.0.8/src: pam_python.so
diff -ru /tmp/pam-python-1.0.8/src/setup.py /home/dan/chroot-cauldron/tmp/pam-python-1.0.8/src/setup.py
--- /tmp/pam-python-1.0.8/src/setup.py  2020-11-10 01:58:10.000000000 -0800
+++ /home/dan/chroot-cauldron/tmp/pam-python-1.0.8/src/setup.py 2021-01-18 09:08:21.485867575 -0800
@@ -1,4 +1,4 @@
-#!/usr/bin/python2 -W default
+#!/usr/bin/python3 -W default
 import warnings; warnings.simplefilter('default')

 import distutils.sysconfig
Only in /home/dan/chroot-cauldron/tmp/pam-python-1.0.8/src: test-pam_python.pam
diff -ru /tmp/pam-python-1.0.8/src/test.py /home/dan/chroot-cauldron/tmp/pam-python-1.0.8/src/test.py
--- /tmp/pam-python-1.0.8/src/test.py   2020-11-10 01:58:10.000000000 -0800
+++ /home/dan/chroot-cauldron/tmp/pam-python-1.0.8/src/test.py  2021-01-18 09:08:17.370729760 -0800
@@ -1,4 +1,4 @@
-#!/usr/bin/python2 -W default
+#!/usr/bin/python3 -W default
 #
 # This is the test script for libpython-pam.  There aren't many stones
 # left unturned.

[the2nd]

Thanks a lot for the patch. I had to create a symlink because of the make failing with "/usr/bin/ld: cannot find -lpython3.5"

After creating the following symlink it compiled successful.
ln -sf /usr/lib/x86_64-linux-gnu/libpython3.5m.so /usr/lib/x86_64-linux-gnu/libpython3.5.so

Now my module is called on login. I'll report any issues while migrating my module to python3.

[Rion]

https://sourceforge.net/u/anders_blomdell/pam-python/ci/py3/tree/ worked well for me.

The patch below unifies naming with other pam modules and make it compatible with alpine/musl.

diff -r 58a247137c70 src/Makefile
--- a/src/Makefile      Wed Apr 07 09:36:11 2021 +0200
+++ b/src/Makefile      Sat Mar 05 15:43:35 2022 +0300
@@ -17,7 +17,7 @@
 install: install-lib
 install-lib:
        mkdir -p $(DESTDIR)$(LIBDIR)
-       cp build/lib.*/pam_python3.*.so $(DESTDIR)$(LIBDIR)/pam-python3.so
+       cp build/lib.*/pam_python3.*.so $(DESTDIR)$(LIBDIR)/pam_python3.so

 .PHONY: clean
 clean:
diff -r 58a247137c70 src/pam_python.c
--- a/src/pam_python.c  Wed Apr 07 09:36:11 2021 +0200
+++ b/src/pam_python.c  Sat Mar 05 15:43:35 2022 +0300
@@ -48,6 +48,11 @@
 #include <structmember.h>
 #include <syslog.h>

+#ifndef __STRING
+#define __STRING(s) str_helper(s)
+#define str_helper(s) #s
+#endif
+
 #ifndef        MODULE_NAME
 #define        MODULE_NAME             "libpam_python"
 #endif

[Rion]

my fork of https://sourceforge.net/u/anders_blomdell/pam-python/ci/py3/tree/
is here https://github.com/castlabs/pam-python

ChangeLog:
1. Added GIL locking to make is compatible with python-pam
2. Fixed crash/abort on invalid initialization of a doc string
3. Optimized module filename getter
4. Use macros macros provided by Python itself for object clearing and traversing
5. Removed parts explicitly related to already dead Python2
6. Added musl compatibility
7. other minor fixes and optimizations

Unresolved issues:
1. Python exception handling on the C side doesn't always work well (seems like it depends on what exactly was raised). So it's better to catch everything on the python side.

Checked with debug version of Python 3.9 and 3.10 and also with python-pam and minimal C application

[the2nd]

Thanks a lot for your work @rion. Works perfectly with my python pam module.

[Anders Blomdell]

My latest additions (python 3.12 initialization stuff) are in the py3 branch of the git repo in https://anders_blomdell@git.code.sf.net/p/pam-python-py3/code