Hallo, I would like to ask more deeply about the most painless pam-module testing possibilities. I suppose the use of 'pamtester' app (thanks for recommendation!) as the highest level front-end. To summarise, the following steps must be carried out: - build PAM library with user specified paths, in order not to affect PAM used by the system (it should not be a problem) - build pamtester linked with the PAM library created (also no problem) - write a script(s) which will call pamtester simulating different conditions of use Now my problem is, how to AUTOMATICALLY simulate authentication fails/successes for different users, e.g. to simulate the n-times successful login of user XY, than some its fails, then attempt of unprivileged users AB, CD, EF, than successes for XY again, .... (all with different delays between individual attempts, etc.). I can simply write a script(s) using pamtester to simulate different models of behaviour - it is perfect. The only problem is that pam_abl does not carry out authentication as such (similarly to e.g. pam_tally.so module). Therefore, in order to be able to write a automatic test suite, I need to have a module which carries out authentication in PAM 'auth' chain, with access permit/deny results following the expected behaviour in the test suite (e.g. on the basis of environment variables or whats-ever?). I looked into 'pamtester', but there is no such module, is it? Could you, please, recommend me a simple way to write such automatised testing suite? Is PAM project thinking about a testing suite which would simplify the development and testing process (ideally even without the need of PAM rebuild :-))? There is also second, maybe simpler, issue: each module needs 'pam_handle_t' structure, provided by PAM library when a module is called. Within PAM module, the handle must used, among others, in functions pam_set|get_data() which I use to store module-dependent data. Now I write unit-tests for some critical procedures, which, however, need to store the data using pam_set|get_data() procedures. What I plan to do is to write simple "fake" implementations of all PAM methods used in the module, and link them to the module instead of real PAM library (for the test suite only, of course). Is the writing of "fakes" OK, or is there a better solution available? Sorry if is seems that I am so fixed on testing. I just want avoid a bug in the authentication-related mechanism ;-) Thank you for your answers, Dan T. On Friday 02 of May 2008 08:43:56 Kenneth Geisshirt wrote: > Quoting rozelak@xxxxxxxx: > > I just would like to ask, if you can give me some hints how to test > > > > a > > > > correct function of a PAM module. There is a possibility to put > > > > the > > > > > > > > module to /etc/pam.d/ and create an application for test, but > > > > I would > > > > > > > > rather preferer to use something more safe. So, is it possible > > > > to > > > > > > test > > > > a PAM module without affecting the system configuration? Could > > > > you > > > > > > > > describe, please, what to do? Is there something already existing > > > > > > (there > > > > many PAM modules available, so I suppose they were tested somehow > > > > > > ;-)) > > > > I use pamtester <http://pamtester.sourceforge.net/>. You can drive > it > > using expect <http://expect.nist.gov/>. In my PAM book > <http://www.packtpub.com/pluggable-authentication-modules/book> there > > > is chapter of how to test PAM configurations including on how to > > use > > > > pamtester. > > /kneth _______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
