pamtester - test pluggable authentication modules (PAM) facility

What is pamtester?

pamtester is a tiny utility program to test the pluggable authentication modules (PAM) facility, which is a de facto standard of unified authentication management mechanism in many unices and similar OSes including Solaris, HP-UX, *BSD, MacOSX and Linux.

While specifically designed to help PAM module authors to test their modules, that might also be handy for system administrators interested in building a centralised authentication system using common standards such as NIS, SASL and LDAP.

Releases

The latest release of pamtester is 0.1.2. You can fetch it from here.

Installation

Just run configure and do the ordinary "make install". Differences between platforms will automatically be handled by the configure script. Let me know if it's not :)

Using pamtester

Synopsis:

pamtester [-v]
          [-I item=value]
          [-E var=value]
          service operation [operation ...]

pamtester requires at least three arguments to operate. The first argument is service, which provides the name of the service. The second one is user, which provides the name of the user to handle with PAM. The last one is operation, which specifies the operation for PAM to perform. For example, the following set of arguments

pamtester login root open_session

instructs the session modules registered to the "login" service to open the session for user "root".

Supported operations are listed below:

authenticate

Authenticate user. A conversation may subsequently take place to prompt user input for necessary authentication information.
acct_mgmt

Perform account management on user.
open_session

Open a new session for user.
close_session

Close the current session for user.
chauthtok

Change the authentication token currently assigned to user. A conversation may subsequently take place to prompt user input for necessary authentication information.

Note that it is probable some operations eventually need additional privileges to fulfill the request, depending on the service configuration.

More than one operation may be specified at once. In that case the operations are done in the order of occurrence.

Any operation may also be followed by the option flags that are provided between the pair of parenthesis like this:

$ pamtester login root "authenticate(PAM_SILENT)"

Flags are all named and combinable or inversible with bitwise operators;

| (OR),
& (AND),
^ (XOR) and
~ (NOT)

are accepted.

The list of allowed options is shown below:

PAM_SILENT
PAM_DISALLOW_NULL_AUTHTOK
PAM_ESTABLISH_CRED
PAM_REINITIALIZE_CRED
PAM_REFRESH_CRED
PAM_CHANGE_EXPIRED_AUTHTOK

Additional authentication information such as the name of the remote user, the remote host and the tty can be supplied via -I (--item) option. In the following example, the tty name is given using "tty" command.

$ pamtester -I tty=`tty` login root open_session

The following types of information are supported:

service
user
prompt
tty
ruser
rhost

If run with -v (--verbose) option, pamtester generates quite detailed output that describes what is going on behind the scene. Those arguments,

pamtester -v login root open_session close_session

will end up with something like below:

pamtester: invoking pam_start(login, root, ...)
pamtester: performing operation - open_session
Linux localhost 0.0.0 #1 Wed Dec 1 00:00:00 GMT 1971 i4004 GNU/Linux
pamtester: sucessfully opened a session
pamtester: performing operation - close_session
pamtester: session has successfully been closed.

Reporting bugs

Please submit any problem reports or feature requests to the sourceforge's bug tracking system.