Hey Russel,
The project's last commit is from 2016 and the last version has already been throwing errors for quite some time (https://sourceforge.net/p/pam-python/tickets/1/).
So I wanted to know more about the project's future: will it be updated and maintained?
Thanks in advance,
Eduardo
I'm a Debian Developer, so I tend to do things on Debian's cycle. Debian is coming up for a release next year, so things will happen by then.
The major thing is the port to Python 3. The major holdup is that python-pam isn't available for Python 3, and python-pam is used for unit tests, and I'm anal about unit tests. So I either have to write it myself or find an alternative. I have looked for an alternative, but haven't had much success so far.
Thanks Russel for the update!
On Fedora python3-pam exists, and comes from:
https://github.com/FirefighterBlu3/python-pam
If I can be of any help, just say so...
That software package is for PAM clients only.
While this one here can be used to implement pam modules as well.
Yes, the client code (python-pam) is needed for testing pam-python.
Actually the naming is horrible
I'm working on porting this to py3. 11 of 12 unit tests pass. "run_xauthdata" is the only test that is failing.
Wow. I'm impressed. What are you using to drive the pam client side from Python?
Bump! I'd like to use this in the context of a python3 world, especially given python2.7's impending EOL. I'm wondering if there is an active ongoing effort to bring this library up to speed for python3 and/or when one could expect that to happen. Thanks!
Continued kenji's work in
https://sourceforge.net/u/anders_blomdell/pam-python/ci/py3/tree/
Now the Python tests pass; ctest fails to unload the Python libraries, which might indicate memory leaks somewhere in the code.
ctest fails due to
being loaded by the call
forcibly unloading at end of cleanup_pamHandle by:
works, but is obviously not the correct course of action...
FWIW, I tried the tree at https://sourceforge.net/u/anders_blomdell/pam-python/ci/f7a9e21bde726b8d68815d1e9572a0636d488a5c/tree/ with Python 3.8.2 and pam 1.3.1 on Linux x86_64 and it seems to work (it passes ctest, anyway). The install target doesn't work because it's missing the same glob in pam_python3.*.so that the previous ln -s command has (it's missing in "cp build/lib.*/pam_python3.so $(DESTDIR)$(LIBDIR)"). I couldn't find a PyPAM that works with Python 3 to try test.py but ctest passes, although I needed this patch or else "import test" would fail to find the file.
--- test.py
+++ test.py 2020-04-02 08:47:53.739533878 +0000
@@ -34,8 +34,7 @@
return test(pam_sm_chauthtok, pamh, flags, argv)
def test(who, pamh, flags, argv):
- import test
- if not hasattr(test, "test_function"):# only true if not called via "main"
+ if not hasattr(globals(), "test_function"):# only true if not called via "main"
return pamh.PAM_SUCCESS # normally happens only if run by ctest
test_function = globals()[test.test_function.name]
return test_function(test.test_results, who, pamh, flags, argv)
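Review bot: hasattr(globals(), "test_function") in the added line tests for an attribute on the dict object that globals() returns, not for a key in it, so the condition is always true and the function always returns pamh.PAM_SUCCESS without running a test; a key check such as "test_function" in globals() is what is meant. The two unchanged lines after it still read test.test_function.name and test.test_results, and with "import test" removed the name test now resolves to this function itself, so those references need to change in the same patch.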
I used the Fedora PyPAM (thanks for sending that pointer OOB) and got some test failures. The first is a problem in the test harness itself:
File "test.py", line 64, in assert_results
assert len(expected_results) == len(results), (i, expected_results[len(results)])
UnboundLocalError: local variable 'i' referenced before assignment
This is because "results" was empty so the for loop never got a chance to set i.
After working around that, I realized my patch in the previous comment was insufficient and changed it to:
In trying to debug the failure (that caused results to be empty), I found that raising an exception in the PAM code (e.g., in test_basic_calls) would cause a segfault:
After struggling some more, I discovered that the failure was because I was running the test with "python3 ./test.py"; running it as "python3 test.py" succeeds. Good grief. This patch fixes that:
I also got a deprecation warning on the xauthdata test:
But, at least I got the tests working!
Well, colour me impressed. You've done what I thought was a huge, hard job. I'll try to have a closer look this weekend.
It probably was a huge, hard job :-)
I'm just letting everybody know that now the tests work, I've started integrating all the changes for a new release.
Hi all,
I downloaded source from https://sourceforge.net/u/anders_blomdell/pam-python/ci/py3/tree/
and built it using make and make install on CentOS 8.1.
I defined a pam_sm_authenticate() function in a separate Python file and tried to call it inside the /etc/pam.d/sshd file:
auth required /lib/security/pam-python3.so /home/test.py use_first_pass
But in /var/log/secure I am getting the following error:
Aug 20 15:26:17 localhost /home/test.py[7911]: Can not open module: Permission denied
and my test.py is just a simple file as follows:
def pam_sm_authenticate(pamh, flags, argv):
    print("hello")
    return pamh.PAM_SUCCESS
def pam_sm_setcred(pamh, flags, argv):
    return pamh.PAM_SUCCESS
def pam_sm_acct_mgmt(pamh, flags, argv):
    return pamh.PAM_SUCCESS
def pam_sm_open_session(pamh, flags, argv):
    return pamh.PAM_SUCCESS
def pam_sm_close_session(pamh, flags, argv):
    return pamh.PAM_SUCCESS
def pam_sm_chauthtok(pamh, flags, argv):
    return pamh.PAM_SUCCESS
Please suggest how to resolve this. Any lead will be appreciated.
Last edit: Rahul 2020-08-21
@rstuart any luck on merging python3 functionality?
I am trying to get this to work on Clear Linux which is on python3.8. I know some stuff changed about how to embed python. I couldn't get it to work.
I don't know if this is the right solution, but I found that in setup.py distutils.sysconfig.get_config_var('INSTSONAME') returned libpython3.8.a. When trying to dlopen this in pam_python.c I am getting an error that libpython3.8.a: invalid ELF Header. I was wondering if libpython3.8.a is what you are wanting to link to? So I tried compiling it and manually overriding it to 'libpython3.8.so' and now it works, but I am not sure if this is the correct thing to do?
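The failure described in the post above can be caught at build time. This is an added example, not code from the thread or from pam-python: it tells a static `ar` archive from an ELF shared object by file magic and filters the build-config names down to ones `dlopen` could load. The function names and the `LDLIBRARY` fallback are assumptions of the example.

```python
import sysconfig

ELF_MAGIC = b"\x7fELF"
AR_MAGIC = b"!<arch>\n"   # header of a static archive such as libpython3.8.a
ET_DYN = 3                # ELF e_type value for a shared object


def classify_library(header: bytes) -> str:
    """Classify a library from its first 18 bytes."""
    if header.startswith(AR_MAGIC):
        # dlopen() reports "invalid ELF header" for these.
        return "static-archive"
    if header.startswith(ELF_MAGIC):
        if len(header) < 18:
            return "elf-truncated"
        # EI_DATA (byte 5) gives the byte order of the e_type field at offset 16.
        order = "little" if header[5] == 1 else "big"
        e_type = int.from_bytes(header[16:18], order)
        return "elf-shared" if e_type == ET_DYN else "elf-other"
    return "unknown"


def classify_file(path: str) -> str:
    """Read just enough of a file on disk to classify it."""
    with open(path, "rb") as fh:
        return classify_library(fh.read(18))


def dlopen_candidates(config=None):
    """Return config names that may refer to a shared libpython, in order.

    Assumption of this example: fall back from INSTSONAME to LDLIBRARY and
    drop anything ending in .a, since a static build reports the archive.
    """
    cfg = sysconfig.get_config_vars() if config is None else config
    names = [cfg.get("INSTSONAME"), cfg.get("LDLIBRARY")]
    return [n for n in dict.fromkeys(names) if n and not n.endswith(".a")]


# Constructed sample headers (not taken from a real system).
SAMPLE_AR = AR_MAGIC + b"/               0  "
SAMPLE_SO = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8) + (3).to_bytes(2, "little")
```

An empty result from `dlopen_candidates()` means the interpreter was built without a shared libpython, so there is nothing for the module to `dlopen`.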
Almost all of it is merged in 1.0.9. The only thing that isn't merged is actually building the .so, I think. That will have to wait until I have tests.
Hi,
Is there any documentation on how to build pam-python for python3?
I was able to build 1.0.8 on Python 3.8 with "make" after applying the following patch. I haven't actually run this version to see that this patch is correct or that it even works, though, nor tried to get the test suites running:
Thanks a lot for the patch. I had to create a symlink because of the make failing with "/usr/bin/ld: cannot find -lpython3.5"
After creating the following symlink it compiled successfully.
ln -sf /usr/lib/x86_64-linux-gnu/libpython3.5m.so /usr/lib/x86_64-linux-gnu/libpython3.5.so
Now my module is called on login. I'll report any issues while migrating my module to python3.
https://sourceforge.net/u/anders_blomdell/pam-python/ci/py3/tree/ worked well for me.
The patch below unifies naming with other pam modules and makes it compatible with alpine/musl.
My fork of https://sourceforge.net/u/anders_blomdell/pam-python/ci/py3/tree/
is here: https://github.com/castlabs/pam-python
ChangeLog:
1. Added GIL locking to make it compatible with python-pam
2. Fixed crash/abort on invalid initialization of a doc string
3. Optimized module filename getter
4. Use macros provided by Python itself for object clearing and traversing
5. Removed parts explicitly related to already dead Python2
6. Added musl compatibility
7. Other minor fixes and optimizations
Unresolved issues:
1. Python exception handling on the C side doesn't always work well (seems like it depends on what exactly was raised). So it's better to catch everything on the python side.
Checked with debug versions of Python 3.9 and 3.10, and also with python-pam and a minimal C application.
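One way to follow the advice above about catching everything on the Python side, as an added example that is not part of the original post or of either fork: a decorator that keeps any exception from reaching the C layer and denies the request instead. `fail_closed`, `FakePamh` and the "deny" argument are hypothetical names, and the numeric constants are a constructed stand-in for the values the real `pamh` object supplies.

```python
import functools
import syslog
import traceback


def fail_closed(func):
    """Wrap a pam_sm_* entry point so no Python exception reaches the C side."""
    @functools.wraps(func)
    def wrapper(pamh, flags, argv):
        try:
            result = func(pamh, flags, argv)
        except BaseException:
            # Includes SystemExit, so a stray sys.exit() in the module cannot
            # unwind into the process that loaded it. Log, then deny.
            for line in traceback.format_exc().splitlines():
                syslog.syslog(syslog.LOG_AUTH | syslog.LOG_ERR, line)
            return pamh.PAM_AUTH_ERR
        # A forgotten "return" yields None; deny rather than let the C side
        # decide what a non-integer result means.
        if isinstance(result, bool) or not isinstance(result, int):
            return pamh.PAM_AUTH_ERR
        return result
    return wrapper


class FakePamh:
    """Constructed stand-in for the pamh handle, for running this offline."""
    PAM_SUCCESS = 0
    PAM_AUTH_ERR = 7


@fail_closed
def pam_sm_authenticate(pamh, flags, argv):
    # Constructed failure: a "deny" argument simulates a backend error.
    if "deny" in argv:
        raise RuntimeError("backend unavailable")
    return pamh.PAM_SUCCESS


@fail_closed
def pam_sm_acct_mgmt(pamh, flags, argv):
    pass  # constructed bug: no return value
```

Apply the decorator to every `pam_sm_*` function the module defines, so that an error in any stack (auth, account, session, password) is denied rather than left to the C-side handling.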
Thanks a lot for your work @rion. Works perfectly with my python pam module.
My latest additions (python 3.12 initialization stuff) are in the py3 branch of the git repo in https://anders_blomdell@git.code.sf.net/p/pam-python-py3/code