Run Script at fail login attempt?

Lately, I’ve been trying to create a Bash script to capture a webcam photo when a failed login attempt is registered. First of all, I found 2 guides related to this (links at the end); they explained how to create the script, etc. It was going pretty well until I noticed my system (Arch Linux, fresh installation) doesn’t have PAM’s common-auth file. I’ve checked the entire /etc/pam.d/ directory and still can’t find the file or a file with the same contents.

My Script so far:

#!/bin/bash

# Let's watch our thief's face n.n

# Timestamp used to give each capture a unique file name
ts=$(date +"%m_%d_%Y_%H_%M_%S")

# Grab three frames from the first webcam into the Logins-Fail directory
ffmpeg -f video4linux2 -s vga -i /dev/video0 -vframes 3 /home/haoa2/Logins-Fail/login-$ts.jpg

exit 0

My /etc/pam.d/ directory contents:

chage,
chfn,
chgpasswd,
chpasswd,
chsh,
groupadd,
groupdel,
groupmems,
groupmod,
login,
newusers,
other,
passwd,
polkit-1,
rlogin,
rsh,
shadow,
slim,
su,
sudo,
su-l,
system-auth,
systemd-user,
system-local-login,
system-login,
system-remote-login,
system-services,
useradd,
userdel, and
usermod

The original answer, and a tutorial-like answer.

(Note: I know there is a related answer out there, but this question is more about PAM’s file rather than scripting.)

Asked By: HumbertoWoody


First of all, if files are missing, it does not mean you should not create them. The common-* files available on Debian are just regular PAM configuration files; however, they are included in any other file which requires them. For instance, on Debian, at the end of the su file, you may find:

@include common-auth
@include common-account
@include common-session

Since you don’t have these files, I believe these include directives are not present. Since Arch’s philosophy is to provide a minimal distribution, customisable by the user, you could perfectly create those common-* files and include them in those that are expected to use them.

However, in your case, I would rather recommend that you target the PAM configuration file used at login (what you are trying to achieve is not a common operation, since it only targets the auth primitive, at login time). Have a look at /etc/pam.d/login and modify it in order to include your new PAM rule.

In my case, my login file ends with @include common-auth, which includes the following chain. You should find something similar at the end of your login file.

auth    [success=1 default=ignore]      pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so

Basically, this tries to authenticate against basic UNIX mechanisms (passwd and shadow). If it succeeds, then success=1 will have PAM jump over the next rule. In this case, pam_deny will be ignored, and we’ll reach pam_permit.so automatically, allowing user access.

On the other hand, if pam_unix fails, there will be no jumping and the user will be sent straight to pam_deny. Since it is a requisite rule, the user will be denied access whatever happens next.

Finally, pam_cap is an optional rule which isn’t really involved in the login process. However, it’ll be executed whatever happens (which may be handy for logging). In your case, you could do something like…

# Jump two rules if login succeeds.
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    optional                        pam_exec.so [your cam script]
auth    requisite                       pam_deny.so
# User gets here if authentication is successful. No denying, no cam module.
auth    required                        pam_permit.so
auth    optional                        pam_cap.so

If you’re unfamiliar with PAM internals, I would recommend this page, which I found very helpful myself when I set up my PAM logic. Going through this page will definitely help you understand how PAM works, and where to implement your logic precisely.

Another thing: you might want to make sure your camera is up to the task before running the script. Make sure the kernel video module is loaded, and so on.

Answered By: John WH Smith
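To make the control-flag walk-through in the answer concrete, here is an added Python example (not code from the question, the answer, or any PAM project) that simulates how PAM evaluates the proposed login chain using the action tables pam.conf(5) gives for each control keyword. It models only success versus failure per module, so module-specific return codes such as new_authtok_reqd are deliberately left out.

```python
# Added example (not from the original answer): a toy simulator of PAM auth-stack
# evaluation using the action tables pam.conf(5) gives for each control keyword.
KEYWORDS = {                                    # only success vs. failure is modelled
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional": {"success": "ok", "default": "ignore"},
}

def parse_control(control):
    """Action table for a keyword or a bracketed form such as '[success=2 default=ignore]'."""
    if control in KEYWORDS:
        return KEYWORDS[control]
    pairs = (item.split("=", 1) for item in control.strip("[]").split())
    return {key: int(val) if val.isdigit() else val for key, val in pairs}

def run_auth_stack(rules, results):
    """rules: list of (control, module); results: module -> True (PAM_SUCCESS) or False.
    Returns (outcome, executed): 'success' or 'failure', plus the modules that actually ran."""
    state, executed, i = None, [], 0            # state: None (undecided), 'ok' or 'failed'
    while i < len(rules):
        control, module = rules[i]
        executed.append(module)
        succeeded = results.get(module, False)
        action = parse_control(control).get("success" if succeeded else "default", "ignore")
        i += 1
        if action in ("bad", "die"):            # failure recorded; 'die' also stops the stack
            state = "failed"
        elif action != "ignore" and state != "failed":  # ok, done, or an integer jump
            state = "ok"
        if action == "die" or (action == "done" and state == "ok"):
            break
        if isinstance(action, int):             # [success=N]: skip the next N rules
            i += action
    return ("success" if state == "ok" else "failure", executed)

# The chain the answer proposes for /etc/pam.d/login.
LOGIN_CHAIN = [
    ("[success=2 default=ignore]", "pam_unix.so"),
    ("optional", "pam_exec.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
    ("optional", "pam_cap.so"),
]

def evaluate_login(password_ok):
    """Run LOGIN_CHAIN: pam_unix succeeds iff password_ok, pam_deny always fails, the rest succeed."""
    results = {module: True for _, module in LOGIN_CHAIN}
    results.update({"pam_unix.so": password_ok, "pam_deny.so": False})
    return run_auth_stack(LOGIN_CHAIN, results)
```

With a correct password the jump skips both pam_exec and pam_deny, so the camera script never runs; with a wrong password pam_exec runs and pam_deny then ends the stack with a denial.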