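#!/usr/bin/python3
#
# A dummy program that could be invoked by pam_exec.so, with the expose_authtok
# option so that it sends the authtok to our stdin. This file needs to be
# executable (chmod +x).
#
# To make PostgreSQL use this for authentication via PAM, make sure that it is
# configured with --with-pam (apt-get install libpam-dev first), and then
# create a file /etc/pam.d/postgresql (or other chosen service name) that
# contains the following:
#
#   auth    required pam_exec.so expose_authtok /path/to/this_auth_script.py
#   account required pam_permit.so
#
# Then change pg_hba.conf to defer to the chosen PAM service name, with
# something like:
#
#   host all all 127.0.0.1/32 pam pamservice=postgresql
#
# Using that example, psql postgres -h 127.0.0.1 should ask for a password,
# and "tea" should be rejected while "coffee" is accepted.
#
# A faster way to do this would be to write C code conforming to the PAM API
# and then put it in a .so to use instead of pam_exec.so. That means that all
# the work will be done in the PostgreSQL process without forking another
# program. That's a bit more work, but pam_exec.so provides a nice way to get
# started with an experiment, and write code in random convenient script
# languages.

import hmac
import os
import sys

# The only token this toy accepts. Replace the lookup in check_authtok() with
# something real before using this for anything beyond an experiment.
ACCEPTED_AUTHTOK = b"coffee"


def read_authtok(stream) -> bytes:
    """Return the raw authtok that pam_exec.so wrote to *stream*.

    The whole stream is consumed as bytes so that the locale of the calling
    process cannot turn a non-ASCII password into a decoding error. Trailing
    newline and NUL bytes are removed so that a token written with a
    terminator still compares equal to the bare password.

    Args:
        stream: a binary file-like object (normally ``sys.stdin.buffer``).

    Returns:
        The token bytes with any trailing ``b"\\n"`` / ``b"\\0"`` stripped.
    """
    data = stream.read()
    # NOTE(review): whether pam_exec.so terminates the token with a newline
    # or a NUL depends on the Linux-PAM build; stripping both keeps the exact
    # comparison in check_authtok() from failing silently. Confirm against
    # the installed libpam.
    return data.rstrip(b"\n\0")


def check_authtok(username, authtok: bytes) -> bool:
    """Return True when *authtok* is the accepted password for *username*.

    Args:
        username: value of ``PAM_USER`` as exported by pam_exec.so (may be
            None when the variable is absent); unused by this toy check.
        authtok: the token bytes read from stdin.

    Returns:
        True to accept the login, False to reject it.
    """
    # Do whatever you want to validate username and authtok....
    # compare_digest keeps the comparison time independent of how many
    # leading bytes match, which is the right habit for any credential check.
    # Never log or echo authtok: it is the user's password.
    return hmac.compare_digest(authtok, ACCEPTED_AUTHTOK)


def main() -> int:
    """Entry point for pam_exec.so: return 0 to accept, 1 to reject.

    Reads the user name from ``PAM_USER`` and the password from stdin, as
    pam_exec.so with expose_authtok provides them.
    """
    username = os.environ.get("PAM_USER")
    authtok = read_authtok(sys.stdin.buffer)
    return 0 if check_authtok(username, authtok) else 1


if __name__ == "__main__":
    sys.exit(main())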