CamW CamW - 2 months ago 5
C Question

Can't call custom PAM module from dotnet core - possibly related to multiarch

I've built a simple, custom, PAM module and the module works as expected with pamtester and with some other pam testing code I found online.

I've also built a simple dotnet core application which uses pinvoke to authenticate against pam.

As mentioned, the custom module works with pamtester and the custom dotnet app works (up to the point of receiving the conv callback) against the default ubuntu 15.10 pam setup.

However, if I hook the custom app up to the custom PAM module, I get an error in auth.log to say

dotnet: PAM unable to dlopen(
/lib/security/ cannot open shared object file: No
such file or directory

... so it doesn't find the module in the /lib/x86_64-linux-gnu/security when calling into pam from dotnet to the custom module

If I change the pam config file to include the full path to the module then I get the error

dotnet: PAM unable to dlopen(/lib/x86_64-linux-
gnu/security/ /lib/x86_64-linux-
gnu/security/ undefined symbol: pam_syslog

So it seems like it's still failing to resolve things, this time it's the references in the custom pam module.

Could anyone point me in the right direction in terms of:

  • Why PAM fails to find my custom module but can find the default ubuntu modules?

  • Why that only happens when calling into pam from dotnet

  • How I can build and/or configure my custom pam module to behave the same as the pre-existing system modules?


I still don't know why it's an issue calling into my custom module from dotnet and not from pamtester but, to answer the most important question: "How I can build and/or configure my custom pam module to behave the same as the pre-existing system modules?"

The answer is that previously, I was linking the module using the following:

ld -x --shared -o pam_permit_log_response.o

To fix the problem, I needed to indicate to the linker that this is a pam module using the -lpam flag so the call to link becomes:

ld -x --shared -o pam_permit_log_response.o -lpam