From YouTube: RustConf 2022 - THE SHEER TERROR OF PAM by Xe Iaso
Description
UNIX authentication sucks. The state of the art is PAM, which is cursed C beyond imagination. However it's $CURRENT_YEAR and we have Rust now, so we can use Rust to extend that stack without having to worry about most of the problems that C gives you. This talk will cover a brief overview of the PAM API, the surreal horrors of how PAM actually works, how to meet that API in Rust so you can write your own authentication logic, and finally examples of cool things you can do with this. Along the way we will also discuss how to research things that the forces of justice have wanted you to forget.
By the end of this talk, you should have a clear understanding of what PAM is, why it exists, why it sucks, and the horrors I encountered while writing a PAM module in Rust for work. Like I said, I'm Xe Iaso. I'm a blogger, student of philosophy, and an aspiring fiction writer. Professionally, I work at Tailscale as the Archmage of Infrastructure, doing developer relations stuff. It's worth noting that I'm not speaking for Tailscale in this talk, but I am speaking about a project I worked on at Tailscale.

Any opinions are my own. Authentication and authorization are two similar-sounding concepts, but they are subtly different in ways that really set them apart. So that everyone's on the same page, here's my SRE CliffsNotes versions of the terms. Authentication is what makes sure you are who or what you say you are. This is why we use passwords, spicy hardware dongles that pretend to be a keyboard, and Google Authenticator codes.

The difference between the two is that authentication would be Kirby confirming who he is, as the reincarnation of the god of death, and authorization would be making sure that Kirby has permission to recreate the world in his image. He would be authenticated as the reincarnation of Dark Matter, but he would not be authorized to use Star Dream to reshape Planet Popstar to his will. Sorry for the major spoilers for like every Kirby game there. Kirby lore, quite something.

So now that we know what authentication and authorization are, let's talk about the one library that everyone across most Linux distributions, Unixes and Macs use for this: PAM. PAM is an authentication and authorization framework for Linux and Unix systems. It's not really one implementation, but they're all similar enough that we can just pretend they're one big happy implementation, just to keep things simple.

PAM is the result of the 90s making the computer world a lot more complicated when multiple computers got into the mix. PAM came around after people realized that storing password hashes for everyone in the system doesn't work very well if you make the file with all the password hashes world-readable. Computer security was a vastly different thing when the whole world ran on paper. Eh, PAM was made by the Java people.

So something had to give. Imagine how bad it would have been if hackers could grab your password hash over DNS and send it to a cluster of four whole PDP-11 minicomputers to crack it. PAM ships with a bunch of modules that let you check passwords against the local password database, run arbitrary commands on the system, check for account aging, and change your password. By the way, that change-your-password thing was something that I had a misconception about for a while when I was learning this.

This stuff is hard to research, but it turns out password modules in PAM are for changing your password, not for changing the authentication logic for using passwords. The FreeBSD Handbook helped clear that up for me. FreeBSD has amazing documentation, by the way; check it out. Sometime at the time, C was the best thing since canned bread, so PAM was written in C.

However, it's not the 90s anymore, it's 2022. Password theft is rampant. The computer in most display controllers on fancy laptops can rival the computers that PAM was designed for. Two-factor auth is mandatory for securing access to production and, to top it all off, sometime, somehow, society has agreed that OAuth2 and OIDC are decent standards.

But we still have PAM in every Mac, Ubuntu server and all over the cloud. We will probably still have to deal with PAM for a very long time, and it's been around for about 25 years now, and the longer something is around, the longer it'll take to get rid of it. However, it's so ubiquitous that you can take advantage of this to make your servers do whatever you want on login.

One of the really cool features about PAM is that every service on the system can have its own rules. When an application starts an authentication session with PAM, it supplies a service name. This service name is used to enable administrators to set up policies for that service in particular. At a high level, each service has a stack of these rules.

There's an upside to this, though. Combined with service-specific configuration, this means that you can set rules like "logging in with a password means that you need to use a Google Authenticator code", or "when a login succeeds, log it to Slack or Discord", or even "if the user gives you a password, reject the authentication session and raise the alarm". With this, you can make it difficult to do the wrong thing. It's just really annoying to debug.

I had it configured as an authentication module at the top of the stack. I made it put a "please god be working" message into syslog. I tried to make it print things to standard out. Nothing was working, so I started googling how to debug PAM, and I got answers on forums from 2002 that mentioned classic Red Hat Linux and Slackware as if those were the only two Linux distributions that exist.

I also kind of remembered using it in college a decade ago, so I started the SSH server in debug mode under the debugger and then set a breakpoint for pam_sm_authenticate, the entry point to my module. If I set this breakpoint, then surely I get debug access to whatever's going on at that point, I thought. I started sshd and I tried to connect. Authentication failed.

I eventually found what I was looking for in a SunOS manual that was so old it was an HTML frameset. Remember those? In the Internet Archive, somehow only the content of the page was there and the rest of the frameset was gone, but I got a bit of C code that would let me manually invoke all the steps that PAM did so I could test a module manually.

So what I need to do is not set my breakpoint on dlopen, but I needed to set it on dlsym. dlsym is like dlopen, but it lets you get the address of a function out of a dlopen handle so that you can run it. Based on past experience maintaining a tire fire of a chat server that uses dynamically loaded C modules everywhere, dlsym should normally be called just before the function gets called.

This will make your stack traces full of hex pointers instead of names. However, you can download the debug symbols and get all the names back. After remembering the right apt incantations, I was able to dig through the source code in parallel to the debugger session after hacking around for a while.

Next morning, I woke up and checked Slack. A co-worker had a suggestion, and it broke me a bit. But to understand why, let's look at the SSH server again. Ubuntu's default SSH server is OpenBSD's OpenSSHD. OpenSSHD doesn't ship with PAM support on by default, because the OpenBSD people think that's insecure.

With all that in mind, let's go over the drawbacks of PAM's design that I've learned. Most of PAM's safety is predicated on everyone following the rules and doing things as safe as possible. When a PAM module is loaded into a service, the code in that module can't really assume anything about what's going on. It can't assume what user it's running as, what files it has access to, the network stack, or just anything. It gets worse when sandboxes and containers are in play, but in practice basically every PAM service either runs as root or basically root.

PAM uses these everywhere with items associated with the PAM handle. This means that, from a type system level, you can put the integer 42 into the remote IP address string field and the compiler will be like "yeah, sure, whatever", but at runtime you can get a segfault out of nowhere if someone messed up. Most people do follow the rules, though, so it usually works out.

PAM was designed to have a fairly flexible configuration framework for systems administrators, but one of the things they did not do at the PAM level was make it easy to have third parties slipstream PAM modules into the main system without having to have deep knowledge of the PAM stack and everything it does. In practice, this means that each distribution has its own PAM configuration mechanism and base PAM configuration to deal with, and the documentation standards for how to do that can be poor.

If you keep the scope of your PAM module small, you don't have to worry about scope creep. If you set out to do one thing, do that one thing and stop. Don't overthink this. If you need to do multiple things, write multiple PAM modules. Less is so much more. Using PAM in general doesn't let you make very many assumptions about service configuration stacks. Anything could be going on there. Using PAM on Ubuntu 22.04 lets you make a lot of assumptions about the stack. Plan for the today that is, not for the tomorrow that might be.

In practice, you should not use handwritten bindings to any C library like I did when I implemented tailpam. Use a tool like bindgen; they're there for a reason. Also, make sure that your code is fast.

In conclusion, PAM seems like a sheer terror at first, but really it's just a weird C library that everyone's standardized on. It's fairly easy to extend with custom logic in C or Rust, and it allows you to do whatever you want with whatever you want. It's the industry standard, and you've used it nearly every time you've logged into a Linux desktop. It's kind of terrifying, but at least it's everywhere.

Thank you all, and thank you for watching. I'm going to stick around in the chat for questions, but if I miss your question somehow, and you really, really want an answer to it, please email it to restconf2022 at zserve.us. I'll have the written form of this talk up on my website soon, including my slide deck and everything I've said today.