Writing Pluggable Authentication Module (PAM) for OSX

I'm trying to get a basic PAM to work with screen saver authentication on OSX. The code is very simple, just return true for everything (similar to pam_permit). I would expect that when the user wants to return to their account from the screensaver, pam_sm_authenticate would return true regardless of what password they enter. However, this is not working as such, and the correct user password is still required to return from the screensaver. What am I doing wrong? Specifically:

All libs in /usr/lib/pam are .so, but the lib I'm building with Xcode is either .bundle or .dylib. Do I need to take any additional steps to get PAM to load these? (OSX noobie here).

Code:

#define PAM_SM_ACCOUNT
#define PAM_SM_AUTH
#define PAM_SM_PASSWORD
#define PAM_SM_SESSION

#include <security/pam_appl.h>
#include <security/pam_modules.h>

PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    return(PAM_SUCCESS);
}

PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    return(PAM_SUCCESS);
}

PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    return(PAM_SUCCESS);
}

PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    return(PAM_SUCCESS);
}

PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    return(PAM_SUCCESS);
}

PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    return(PAM_SUCCESS);
}

I have tried building the above into a shared library in Xcode, the output being OSXLoginBundle.bundle (or .dylib), and have copied this bundle/dylib into /usr/lib/pam. I have changed the screensaver config file in /etc/pam.d to be

# screensaver: auth account
auth       sufficient     OSXLoginBundle.bundle
account    required       pam_opendirectory.so
account    sufficient     pam_self.so
account    required       pam_group.so no_warn group=admin,wheel fail_safe
account    required       pam_group.so no_warn deny group=admin,wheel ruser fail_safe

h_b asked Oct 31 '22 18:10


1 Answer

I assume that your code is being processed and you've checked that, and I think you misunderstand how PAM works.

In reference to the pam.conf file (yes, I know there isn't one here, but I believe this still applies with pam.d files):

while the order in which lines for the same service and facility appear is significant, the order in which the individual services and facilities are listed is not

If you read about pam-policies, it states that there are 4 module chains, one for each facility (auth, account, session, password).

The pam-policies doc states:-

When an application calls pam_start(3), the PAM library loads the policy for the specified service and constructs four module chains (one for each facility.)

As an application calling pam has access to 6 authentication functions (primitives), which are grouped according to the 4 facilities, when the application (screensaver in this case) calls a primitive that is not under the 'auth' facility, it will not match your pam module, but rather a module from the relevant chain.

So, when the calling application calls pam_acct_mgmt, it will refer to the screensaver file in /etc/pam.d and match on the associated facility, which in this case is 'account', and some of these modules are labelled as 'required'.

If you were to change their policies to 'optional', according to "Chains and Policies" documentation, the result of those modules would be ignored.

TheDarkKnight answered Nov 15 '22 07:11
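
The chain selection described in the answer above, as an added example that is not part of the original question or answer: it parses the screensaver policy quoted in the question into one chain per facility, shows which modules each of the six primitives would consult, and reports modules outside a baseline. The function names and the `BASELINE` allowlist are assumptions made for this example.

```python
from collections import defaultdict

# The six PAM primitives and the facility (chain) each one runs.
PRIMITIVE_FACILITY = {
    "pam_authenticate": "auth",
    "pam_setcred": "auth",
    "pam_acct_mgmt": "account",
    "pam_open_session": "session",
    "pam_close_session": "session",
    "pam_chauthtok": "password",
}

# The screensaver policy quoted in the question, embedded so this runs offline.
SCREENSAVER_POLICY = """\
# screensaver: auth account
auth       sufficient     OSXLoginBundle.bundle
account    required       pam_opendirectory.so
account    sufficient     pam_self.so
account    required       pam_group.so no_warn group=admin,wheel fail_safe
account    required       pam_group.so no_warn deny group=admin,wheel ruser fail_safe
"""

# Hypothetical allowlist for this example: the stock modules named in that policy.
BASELINE = {"pam_opendirectory.so", "pam_self.so", "pam_group.so"}

def parse_policy(text):
    """Return {facility: [(control, module, [args]), ...]} in file order."""
    chains = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        facility, control, module, *args = fields
        chains[facility].append((control, module, args))
    return dict(chains)

def modules_for(chains, primitive):
    """Modules consulted, in order, when the application calls `primitive`."""
    facility = PRIMITIVE_FACILITY[primitive]
    return [module for _, module, _ in chains.get(facility, [])]

def unexpected_modules(chains, baseline):
    """(facility, control, module) for every module outside `baseline`."""
    return [(fac, ctl, mod) for fac, chain in chains.items()
            for ctl, mod, _ in chain if mod not in baseline]

if __name__ == "__main__":
    chains = parse_policy(SCREENSAVER_POLICY)
    for prim in PRIMITIVE_FACILITY:
        print(f"{prim:18} -> {modules_for(chains, prim)}")
    print("not in baseline:", unexpected_modules(chains, BASELINE))
```

Run against a copy of a file from /etc/pam.d, the same functions give a quick review of which module backs each primitive and whether any module in any chain is one the administrator did not expect.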