...
This script reads the following environment variables:
| PAM_USER | The system user for whom the PAM operation is running |
| PAM_AUTHTOK | The user's password (in case of a password change operation, the new password) |
| PAM_SERVICE | The service that invoked PAM (e.g. sshd when the user is attempting to log in through SSH) |
This script checks, first, if it is running as root or not (the PAM stack does not necessary run as root, but as the user as which the service that invoked it is running). If it is, it proceeds to encrypt the user's password (${PAM_AUTHTOK}) as an N '@@@' and update it in the 'value' column of the 'radcheck' table in the 'radius' MySQL database for the entry where the value of the 'username' column matches the user's username (${PAM_USER}). Due to the nature of the SQL query used, there needs to already be an entry in the table containing the matching username in the 'username' column (for functionality it should actually also already contain the appropriate values for the remaining columns, except the 'value' column). If it is not running as root, it uses a workaround to escalate its privileges. It uses the available credentials to SSH into localhost as the user in question, causing the SSH daemon to run a new instance of the PAM stack to verify the user's credentials (and sshd runs the PAM stack as root)
Installation
Replication of production setup
...