Kenneth Geisshirt | 1 Apr 2008 10:10

Re: Apache PAM Auth module

Quoting Jason Clifford <jason <at> ukpost.com>:

> On Mon, 2008-03-31 at 14:19 -0500, Barry Brimer wrote:
>> I don't know how feasible it is, but if it is possible could a
>> service name be considered as a directive option so you could have
>> multiple pam configurations for different/multiple uses of the module?
>
> It's very easy to do. I used a version with that hack in it back in
> 2000.
>
> Not sure if I still have a copy of the source anywhere though.

If (or when) I take over as maintainer, I'll be happy to integrate
such a patch. But I can easily imagine that it's not the most
difficult thing to do.

/kneth

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
Heiko Hund | 1 Apr 2008 16:51

Re: Apache PAM Auth module

Hi,

On Monday 31 March 2008 20:42:05 Kenneth Geisshirt wrote:
> The reason for my interest is that I (and a group of friends) have a
> subversion repositories with HTTP access. It seems like a good idea to
> use PAM as part of the .htaccess file.

have you considered using mod_auth(nz)_external or mod_auth(n)_sasl for this 
task? The main concern I had using mod_auth_pam in httpd was that it does not 
work with shadow passwords unless you grant httpd access to /etc/shadow. I 
think that's a bad idea.

With the modules mentioned above you can use PAM as well, but the actual 
authentication is done after an indirection and takes place outside of the 
httpd process. Of course you need some other elevated entity to 
access /etc/shadow then. In case of mod_auth(nz)_external that is a suid-root 
binary (pwauth). In case of mod_auth(n)_sasl it is saslauthd, which you might 
already be using if you host secure SMTP, IMAP or LDAP on the box.

Regards
Heiko
Les Mikesell | 1 Apr 2008 17:59

Re: Apache PAM Auth module

Heiko Hund wrote:
> Hi,
> 
> On Monday 31 March 2008 20:42:05 Kenneth Geisshirt wrote:
>> The reason for my interest is that I (and a group of friends) have a
>> subversion repositories with HTTP access. It seems like a good idea to
>> use PAM as part of the .htaccess file.
> 
> have you considered using mod_auth(nz)_external or mod_auth(n)_sasl for this 
> task? The main concern I had using mod_auth_pam in httpd was that it does not 
> work with shadow passwords unless you grant httpd access to /etc/shadow. I 
> think that's a bad idea.
> 
> With the modules mentioned above you can use PAM as well, but the actual 
> authentication is done after an indirection and takes place outside of the 
> httpd process. Of course you need some other elevated entity to 
> access /etc/shadow then. In case of mod_auth(nz)_external that is a suid-root 
> binary (pwauth). In case of mod_auth(n)_sasl it is saslauthd, which you might 
> already be using if you host secure SMTP, IMAP or LDAP on the box.

I can't find much documentation on how to glue these together but it 
does sound like it would work for my situation if the performance hit 
from an external process to authenticate every page isn't too bad.

Is there an example of the configuration needed for web authentication 
with no account info somewhere?  I'm using Centos and am fairly sure the 
smtp and imap authentication already tracks the system PAM configuration 
so the sasl/pam setup is probably already there.

-- 

Kenneth Geisshirt | 2 Apr 2008 09:30

Re: Apache PAM Auth module

Quoting Heiko Hund <heiko <at> ist.eigentlich.net>:

> Hi,
>
> On Monday 31 March 2008 20:42:05 Kenneth Geisshirt wrote:
>> The reason for my interest is that I (and a group of friends) have a
>> subversion repositories with HTTP access. It seems like a good idea to
>> use PAM as part of the .htaccess file.
>
> have you considered using mod_auth(nz)_external or mod_auth(n)_sasl for this
> task? The main concern I had using mod_auth_pam in httpd was that it does not
> work with shadow passwords unless you grant httpd access to /etc/shadow. I
> think that's a bad idea.

You have a point in respect to the shadow issue. Typically, I only add
the apache user to the shadow group and the httpd process does not run
under this group. Moreover, for an internal web server/subversion
repository this might not be so big a problem.

But I'll take a look at mod_auth(nz)_* modules - it seems to be worth it.

Thanks,
   kneth

Heiko Hund | 2 Apr 2008 13:26

Re: Apache PAM Auth module

On Tuesday 01 April 2008 17:59:29 Les Mikesell wrote:
> > With the modules mentioned above you can use PAM as well, but the actual
> > authentication is done after an indirection and takes place outside of
> > the httpd process. Of course you need some other elevated entity to
> > access /etc/shadow then. In case of mod_auth(nz)_external that is a
> > suid-root binary (pwauth). In case of mod_auth(n)_sasl it is saslauthd,
> > which you might already be using if you host secure SMTP, IMAP or LDAP on
> > the box.
>
> I can't find much documentation on how to glue these together but it
> does sound like it would work for my situation if the performance hit
> from an external process to authenticate every page isn't too bad.

Check that saslauthd is running and is using PAM as its backend. You can tell 
from the -a command line option which backend it uses. Then make sure httpd 
has rw access to the unix socket given to saslauthd as the -m option.

I think performance should be sufficient if you prefork enough saslauthd 
instances (-n option) for your needs. If not, it might be worth considering 
implementing some kind of caching in the httpd module. Please let me know if 
you run into trouble here.

> Is there an example of the configuration needed for web authentication
> with no account info somewhere?  I'm using Centos and am fairly sure the
> smtp and imap authentication already tracks the system PAM configuration
> so the sasl/pam setup is probably already there.

For the httpd module part I can only help you on how it is done with 
mod_authn_sasl, which I maintain. A sample .htaccess would look like:

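A way to check the three saslauthd settings Heiko names (-a backend, -m socket location, -n preforked workers), as an added example that is not part of the thread or of mod_authn_sasl. It parses a saslauthd command line of the kind `ps -o args= -C saslauthd` prints; the sample command line is constructed, and the fallback defaults for -m and -n and the socket name `mux` inside the -m directory are assumptions about the saslauthd build in use.

```shell
#!/bin/sh
# Added example (not from the thread): check the saslauthd settings that
# matter for mod_authn_sasl, namely -a (backend), -m (socket dir), -n (workers).

# Constructed sample of what `ps -o args= -C saslauthd` might print.
SAMPLE_ARGS="/usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 5"

# saslauthd_opt ARGS FLAG: print the word following FLAG in ARGS, or nothing
# if FLAG is absent or is the last word.
saslauthd_opt() {
    printf '%s\n' "$1" | awk -v flag="$2" '{
        for (i = 1; i < NF; i++) if ($i == flag) { print $(i + 1); exit }
    }'
}

# check_saslauthd ARGS: print a one-line summary; return 0 only if the
# backend is pam. The fallback values are assumptions about the usual
# saslauthd build defaults, as is the socket name "mux" inside the -m dir.
check_saslauthd() {
    backend=$(saslauthd_opt "$1" -a)
    mux_dir=$(saslauthd_opt "$1" -m)
    workers=$(saslauthd_opt "$1" -n)
    mux_dir=${mux_dir:-/var/run/saslauthd}
    workers=${workers:-5}
    echo "backend=${backend:-unset} socket=$mux_dir/mux workers=$workers"
    [ "$backend" = pam ]
}

# httpd_can_use_mux USER DIR: return 0 if USER can read and write DIR/mux,
# i.e. the rw access Heiko asks for. Needs root and a live saslauthd, so it
# is not exercised against the constructed sample.
httpd_can_use_mux() {
    su -s /bin/sh "$1" -c "test -r '$2/mux' && test -w '$2/mux'"
}

check_saslauthd "$SAMPLE_ARGS"
```

On a real box, feed `check_saslauthd "$(ps -o args= -C saslauthd | head -n 1)"` and then `httpd_can_use_mux apache /var/run/saslauthd` (user and directory as on your system); a non-zero exit from either is the misconfiguration to fix before touching the httpd side.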

Peter | 2 Apr 2008 23:38

Re: Apache PAM Auth module

There seems to be a view around that the apache2 module development situation is, quote, "a real mess". Anyway,
be aware that under Debian Etch (and Lenny) there are ongoing issues with mod_authn_dbd when running
with mysql, and to a lesser extent pgsql.

See:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=405773
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=434562

I spent a nightmare of a couple of days trying first to get mod-auth-mysql, then mod-auth-pam + libpam-mysql
as well as mod-authn-dbd to run under Debian Etch. The latter straight out just doesn't support mysql, and
also its deb package fails to load the required dep mod_dbd. The former is no longer maintained and no
longer compiles. I eventually got mod-auth-pam + libpam-mysql to work despite more or less a vacuum in
the documentation dept.

Following the guide here:
http://dev.e-taxonomy.eu/trac/wiki/ApacheMySQLAuthentication

got me into trouble. I sent the below errata to the author:

Regards

Peter

Thanks for providing this page, but unfortunately it is presently a liability. The errors are as follows; I
would be grateful if you could correct them.

"Next, we have to configure the PAM-MySQL module for Apache2. Edit /etc/pam.d/apache2, add the following
line setting the values such as they match your configuration

auth sufficient pam_mysql.so verbose=1 user=webuser passwd=  host=160.45.63.30 db=drupal5

shaul Karl | 3 Apr 2008 02:46

Is `@include' equivalent to `include'?

Am I right that the directive @include, including the
prefix character @, is not documented? 

And another thing: is the list archive searchable?

Tomas Mraz | 3 Apr 2008 08:11

Re: Is `@include' equivalent to `include'?

On Wed, 2008-04-02 at 17:46 -0700, shaul Karl wrote:
> Am I right that the directive @include, including the
> prefix character @, is not documented? 
The @include directive is not supported by Linux-PAM upstream at all.
There might be some distributions which patch it in.
This directive is equivalent to using the regular include directive for
all of the stacks and as it thus doesn't bring anything new and really
useful, the patch was not applied to upstream sources.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
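
The equivalence Tomas states, carried out as an added example that is not part of the thread or of Linux-PAM: a shell function that rewrites a Debian-style `@include NAME` line into the four per-stack `include` lines it is said to stand for. It assumes the four standard stack types auth, account, password and session, and the sample service file is constructed. The later reply in this thread points to a Debian bug report claiming the two are not equivalent, so this illustrates the claim rather than settling it.

```shell
#!/bin/sh
# Added example (not from the thread): expand '@include NAME' lines into the
# per-stack 'TYPE include NAME' lines Tomas describes as equivalent.
# Assumes the four standard Linux-PAM stack types.

# Constructed sample /etc/pam.d/<service> in the Debian style.
SAMPLE_SERVICE='auth      required  pam_env.so
@include common-auth
@include common-account
session   required  pam_limits.so'

# expand_at_include CONTENT: print CONTENT with every '@include NAME' line
# replaced by four 'TYPE include NAME' lines; other lines pass through
# unchanged. Relative order inside each stack is preserved, because each
# expanded line lands exactly where the @include line stood.
expand_at_include() {
    printf '%s\n' "$1" | awk '
        $1 == "@include" && NF == 2 {
            n = split("auth account password session", types, " ")
            for (i = 1; i <= n; i++) print types[i] " include " $2
            next
        }
        { print }'
}

# count_includes CONTENT: number of per-stack include lines after expansion
# (four per @include line in the input).
count_includes() {
    expand_at_include "$1" | awk '$2 == "include" { c++ } END { print c + 0 }'
}

expand_at_include "$SAMPLE_SERVICE"
```

Run against a real service file with `expand_at_include "$(cat /etc/pam.d/sshd)"` to see the upstream-only spelling of a Debian configuration; diffing that output against the behaviour of the distribution's patched `@include` is how one would check the Debian bug's claim.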
Thorsten Kukuk | 4 Apr 2008 14:56

Linux-PAM 1.0.0 released


Hello,

After a very, very long time, the Linux-PAM development team is 
pleased to announce the release of version 1.0.0.

Compared to version 0.99.10.0, only some small bug fixes were
added and some translations updated.

To show that these are no longer pre-releases, but really a
final stable one, the path on kernel.org has changed:

/pub/linux/libs/pam/documentation/Linux-PAM-1.0.0-docs.tar.*
/pub/linux/libs/pam/library/Linux-PAM-1.0.0.tar.*

  Thorsten

-- 
Thorsten Kukuk         http://www.suse.de/~kukuk/      kukuk <at> suse.de
SUSE LINUX Products GmbH       Maxfeldstr. 5       D-90409 Nuernberg
--------------------------------------------------------------------    
Key fingerprint = 8C6B FD92 EE0F 42ED F91A  6A73 6D1A 7F05 2E59 24BB
shaul Karl | 5 Apr 2008 03:03

Re: Is `@include' equivalent to `include'?

  For the record, http://bugs.debian.org/474291 claims
that include is not equivalent to @include. Since I
don't know what the differences are, I can't comment
on the assertion below about the equivalence for all
the stacks and not bringing anything new or really
useful.

--- Tomas Mraz <tmraz <at> redhat.com> wrote:

> On Wed, 2008-04-02 at 17:46 -0700, shaul Karl wrote:
> > Am I right that the directive @include, including the
> > prefix character @, is not documented? 
> The @include directive is not supported by Linux-PAM
> upstream at all.
> There might be some distributions which patch it in.
> This directive is equivalent to using the regular
> include directive for
> all of the stacks and as it thus doesn't bring
> anything new and really
> useful, the patch was not applied to upstream
> sources.
> -- 
> Tomas Mraz
> No matter how far down the wrong road you've gone,
> turn back.
>                                              
> Turkish proverb
> 
> _______________________________________________