pam_exec
Execute external programs during PAM authentication
SYNOPSIS
pam_exec.so [debug] [expose_authtok] [seteuid] [parameter=value ...]
PARAMETERS
debug
Enables debugging output in the system log.
expose_authtok
Exposes the authentication token (password) to the executed command via environment variables.
seteuid
Sets the effective UID to the UID of the user being authenticated before executing the command.
uid=user
Run the command as the specified user. If omitted, the command runs as the authenticating user.
gid=group
Run the command as the specified group. If omitted, the command runs with the authenticating user's primary group.
onerr=[ignore|fail]
Controls how script errors are handled: ignore them, or fail the PAM call. The default is ignore.
DESCRIPTION
pam_exec is a PAM (Pluggable Authentication Modules) module that allows you to execute external commands during the authentication process.
It can be configured to run scripts at different stages of authentication, such as before or after successful authentication, or even on account management events.
This module is versatile and can be used to automate tasks, enforce security policies, or integrate with other systems.
The command is executed with the uid and gid of the current user.
Keep in mind security implications when using pam_exec, as poorly written scripts can introduce vulnerabilities.
CAVEATS
Using `expose_authtok` is generally discouraged due to significant security risks: the executed script has access to the user's password.
Ensure any scripts called by pam_exec are carefully written and secured to prevent vulnerabilities.
pam_exec does not handle command timeouts, so a script that hangs can lead to denial-of-service attacks.
Permissions are important. Consider using a less privileged user to execute the command.
SECURITY CONSIDERATIONS
Always exercise caution when using pam_exec. Any script executed via pam_exec runs with the privileges of the user being authenticated (or a specified user).
Carefully validate all input and ensure that the script does not introduce security vulnerabilities such as command injection. Regularly audit scripts to ensure they adhere to security best practices.
USE CASES
Common use cases include logging authentication attempts, updating user information in external databases, triggering alerts for failed login attempts, and integrating with two-factor authentication systems that lack native PAM support.
It is also used to synchronize user accounts across multiple systems.
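The following is an added example, not code from the pam_exec page or the PAM project, of the logging hook that the USE CASES section describes and the input validation that SECURITY CONSIDERATIONS asks for: a POSIX sh script that pam_exec runs on each authentication event, reading only the PAM_TYPE, PAM_USER, PAM_SERVICE, PAM_TTY and PAM_RHOST variables that pam_exec exports to the child, sanitising them, and appending one structured line to a log. The pam.d entries, the script path and the log path in the comments are assumptions; expose_authtok is deliberately left out so the script never sees a password.

```shell
#!/bin/sh
# Constructed example (not from the pam_exec page): a logging hook for pam_exec.
# Assumed pam.d entries (the script path is hypothetical):
#   auth    optional  pam_exec.so seteuid /usr/local/sbin/pam-log-event.sh
#   account optional  pam_exec.so seteuid /usr/local/sbin/pam-log-event.sh
# pam_exec exports PAM_TYPE, PAM_USER, PAM_SERVICE, PAM_TTY and PAM_RHOST to
# the child. expose_authtok is deliberately not used, so no password is read.
set -u

LOGFILE="${PAM_LOG_FILE:-/var/log/pam-events.log}"   # assumed location

# Replace every byte outside a conservative allow-list with '_'.  A remote
# host string or user name supplied by a client could otherwise carry
# newlines or '=' and forge extra fields or whole lines in the log.
sanitize() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9._:@/\055' '_'
}

# Print the structured part of one log line built from the pam_exec
# environment.  Returns 1 (printing nothing) when the event is not a known
# PAM type or the user name is empty; with "optional" in pam.d that can
# never block a login.
pam_event_line() {
    _type=$(sanitize "${PAM_TYPE:-}")
    _user=$(sanitize "${PAM_USER:-}")
    _service=$(sanitize "${PAM_SERVICE:-}")
    _tty=$(sanitize "${PAM_TTY:-}")
    _rhost=$(sanitize "${PAM_RHOST:-}")
    case "$_type" in
        auth|account|password|open_session|close_session) ;;
        *) return 1 ;;
    esac
    [ -n "$_user" ] || return 1
    printf 'type=%s user=%s service=%s tty=%s rhost=%s\n' \
        "$_type" "$_user" "$_service" "$_tty" "$_rhost"
}

# When invoked by pam_exec (PAM_TYPE is set), append a timestamped line.
# The exit status stays 0 whatever happens to the log file: under
# onerr=fail a logging problem would otherwise become an authentication failure.
if [ -n "${PAM_TYPE:-}" ]; then
    if _line=$(pam_event_line); then
        printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$_line" >> "$LOGFILE" 2>/dev/null || :
    fi
fi
```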
HISTORY
pam_exec is a standard PAM module, developed as part of the PAM framework. It provides a generic mechanism for extending PAM functionality by executing external commands.
It has been available in most Linux distributions for a long time and serves as a crucial component for customizing and integrating authentication processes.
SEE ALSO
pam(8), pam.conf(5)