Problem with mod_auth_pam when SSL is enable

Hi

I seem to be having a problem with mod_auth_pam when I enable SSL on an 
Apache instance. It works fine for all my virtual hosts if there is no 
SSL host configured, but if I configure a default SSL host I get 
segmentation faults. Any advice would be gratefully received. I'm using 
Apache 2.0.52 on RHEL4 Update4.

Here's the httpd pam.d entry...

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so

...and the .htaccess file...

AuthName "Test Group"
AuthType Basic
AuthGroupFile /home/adweb/www.its.ex.ac.uk/etc/test
require group its1

Thanks,
Bill

An Apache trace...

pam_krb5 and blank passwords.

We've been using this auth configuration to allow login with krb5 (AD)
or with a unix password:

auth        required      pam_env.so
auth        sufficient    pam_krb5.so
auth        sufficient    pam_unix.so use_first_pass
auth        required      pam_deny.so

The way this works has changed between pam-0.79 + pam_krb5-2.1.15
and pam-0.99.6.2 + pam_krb5-2.2.11.

Previously if a user had an AD account but no password set they
could not login with a blank password - now they can.  This 
probably should be fixed in AD but I was wondering if there's a 
way of doing it through pam.

Thanks
---
Ian

Re: Problem with mod_auth_pam when SSL is enabled

Thanks, now sorted with new pam.d/httpd entry...

#%PAM-1.0
auth       required     /lib/security/pam_ldap.so
account    required     /lib/security/pam_ldap.so

Regards,
Bill

_______________________________________________
Pam-list mailing list
Pam-list <at> redhat.com
https://www.redhat.com/mailman/listinfo/pam-list

How can a process find out its resource limits -- particularly rtprio

The functions sched_get_priority_max() and sched_get_priority_min()
return the max and min priorities available for the scheduling policy in
force (currently 99 and 1 for SCHED_RR).  

What method can be used to discover the max priority currently available
to the current process, as controlled by /etc/security/limits.conf (or
whatever controls it at the time of the inquiry)?  More generally, how
can a process discover what values are set in /etc/security/limits.conf?

In particular this is for the kernel 2.6.19-1.2895.fc6 running
(naturally) under Fedora Core 6.

I hope this is a stupid question.

Thanks - jon

Re: How can a process find out its resource limits -- particularly rtprio

* Jonathan Ryshpan 

| What method can be used to discover the max priority currently available
| to the current process, as controlled by /etc/security/limits.conf (or
| whatever controls it at the time of the inquiry)?  More generally, how
| can a process discover what values are set in /etc/security/limits.conf?

Use getrlimit(2).  That gives you the current limits, not necessarily
the ones specified in /etc/security/limits.conf, though.

--

-- 
Tollef Fog Heen                                                        ,''`.
UNIX is user friendly, it's just picky about who its friends are      : :' :
                                                                      `. `' 
                                                                        `-  

Re: pam_krb5 and blank passwords.

I'm not sure what the problem might be, but I can say I think there is a 
better pam_krb5 module than the one that comes with RedHat:

<http://www.eyrie.org/~eagle/software/pam-krb5/>

--On Wednesday, February 07, 2007 3:03 PM +1000 Ian Mortimer 
<ian <at> physics.uq.edu.au> wrote:

> We've been using this auth configuration to allow login with krb5 (AD)
> or with a unix password:
>
> auth        required      pam_env.so
> auth        sufficient    pam_krb5.so
> auth        sufficient    pam_unix.so use_first_pass
> auth        required      pam_deny.so
>
> The way this works has changed between pam-0.79 + pam_krb5-2.1.15
> and pam-0.99.6.2 + pam_krb5-2.2.11.
>
> Previously if a user had an AD account but no password set they
> could not login with a blank password - now they can.  This
> probably should be fixed in AD but I was wondering if there's a
> way of doing it through pam.
>
>
> Thanks
> ---
> Ian
>
> _______________________________________________

pam_cracklib build problem

I'm trying to build pam_cracklib out of the latest Linux-PAM sources,
and failing miserably. The module does not appear to build by default,
and configure --help does not show any flags for how to enable it. If I
tweak the modules/pam_cracklib Makefile, I can get a .o, but it then
blows up with a libtool error on the make install target.

Googling has so far not yielded anything useful. Does anyone have any
pointers?
--
Marcin Krzysztof Porwit
mporwit <at> centeris.com

#include <stddisclaimer.h>

Re: pam_cracklib build problem

On Wed, Feb 14, Marcin Krzysztof Porwit wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I'm trying to build pam_cracklib out of the latest Linux-PAM sources,
> and failing miserably. The module does not appear to build by default,
> and configure --help does not show any flags for how to enable it. If I
> tweak the modules/pam_cracklib Makefile, I can get a .o, but it then
> blows up with a libtool error on the make install target.
> 
> Googling has so far not yielded anything useful. Does anyone have any
> pointers?

At first, the error message would be usefull. But I guess it would
be already enough too look, what configure does not found. I would
expect the cracklib libraries. No cracklib libraries, no pam_cracklib.

  Thorsten

--

-- 
Thorsten Kukuk, Project Manager Base System, Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)

Re: pam_cracklib build problem

Thorsten,

I didn't post the message because it was generated after I mucked around
with the Makefile manually, so I assume it was a result of something I
did. I do have cracklib on my system -- how do I tell configure to use
it? Standard options like --with-cracklib=<cracklib_prefix> don't appear
to do the trick...

Thorsten Kukuk wrote:
> On Wed, Feb 14, Marcin Krzysztof Porwit wrote:
> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I'm trying to build pam_cracklib out of the latest Linux-PAM sources,
>> and failing miserably. The module does not appear to build by default,
>> and configure --help does not show any flags for how to enable it. If I
>> tweak the modules/pam_cracklib Makefile, I can get a .o, but it then
>> blows up with a libtool error on the make install target.
>>
>> Googling has so far not yielded anything useful. Does anyone have any
>> pointers?
> 
> At first, the error message would be usefull. But I guess it would
> be already enough too look, what configure does not found. I would
> expect the cracklib libraries. No cracklib libraries, no pam_cracklib.
> 
>   Thorsten
> 

Re: pam_cracklib build problem

On Wed, Feb 14, Marcin Krzysztof Porwit wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Thorsten,
> 
> I didn't post the message because it was generated after I mucked around
> with the Makefile manually, so I assume it was a result of something I
> did. I do have cracklib on my system -- how do I tell configure to use
> it? Standard options like --with-cracklib=<cracklib_prefix> don't appear
> to do the trick...

Check the configure output and config.log why configure thinks your
cracklib version is unuseable.

  Thorsten
--

-- 
Thorsten Kukuk, Project Manager Base System, Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)