noob question: setup mod_authnz_pam on archlinux #12
Comments
I'm not familiar with the archlinux |
Thanks for fast feedback!
Does it? .. I don't know (sorry I'm really a noob in such subjects). The logins I want to use are listed in the /etc/passwd, this file is readable by "others". But I can't assess if it is a problem (for PAM modules) when apache does not run as root (I use the normal "http" user for the apache service).
I haven't set up a SSSD so far .. but I guess it is much more I need (I want) .. I was looking for a "simple" solution for my really simple scenario (using ssh login for HTTP also) and thought mod_authnz_pam is the choice .. Do you have any idea what else I could try? / thanks! |
Strange, I changed apache conf to be invalid: ...

```apache
<Location /closed-share>
  AuthType Basic
  AuthName "www-loginxxxx"
  AuthBasicProvider PAM
  AuthPAMService www-loginxxx
  Require valid-user
  Options +Indexes +FollowSymLinks
</Location>
```

But the log message is the same:
I guess there is something completely wrong with my installation? update: I looked at the sources, it seems there are no causality tests .. the message is typical for most kinds of failures. |
I phrased it wrong. Of course there are other actions taken in the PAM stack but ultimately the hashed password is stored in
Login names are in |
You should dig into the On Fedora,
should enable the password checking even for unprivileged users. To test if the approach works at all, before attempting to configure Apache, try
as non-root user. That should give the indication of the feasibility of the approach. |
Thanks a lot for your hints! ... I tested both PAM configurations, the short one you suggested and the www-login from mine which was copied from the system-local-login. Both configurations do work with pamtester .. when I run pamtest with my "markus" account (which is in the sudoers)
The apache runs with the 'http' system account, so I tested this also:
The cause apparently lies in the http account. I have to take a closer look at that. If I find the cause I'll be back. update: on Ubuntu the pamtest works when the caller is |
I'm still fighting with on archlinux / in the meantime I got pamtest working (even for the service user 'http'):

```bash
groupadd --system shadow
chgrp shadow /etc/gshadow
chmod g+r /etc/gshadow
chgrp shadow /etc/shadow
chmod g+r /etc/shadow
# set-group-ID bit
chgrp shadow /sbin/unix_chkpwd
chmod 02755 /sbin/unix_chkpwd
if [[ -e /sbin/pam_extrausers_chkpwd ]]; then
    chgrp shadow /sbin/pam_extrausers_chkpwd
    chmod 02755 /sbin/pam_extrausers_chkpwd
fi
```

But now I have an issue when mod_auth_pam is the process / If anyone is interested, I have created a small lxc suite in which I test all of it: https://github.com/return42/lxc-suite#mod-authnz-pam-archlinux |
You shouldn't play with |
Thanks for your hint / Debian has an official libapache2-mod-authnz-pam package, archlinux does not have official packages for mod_authnz_pam. Setting /etc/shadow permissions (and set-group-ID bit) is how debian solves the password checking even for unprivileged users. Archlinux does not have a concept in PAM for "unprivileged users". |
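A read-only check for the permission layout discussed in the comments above, added here as an example and not part of the thread or of the mod_authnz_pam project: it classifies whether the password helper is set-group-ID to the group that can read the shadow file, set-user-ID root, or neither, and flags a world-readable shadow file. The function names and result labels are assumptions of this example, and `audit_paths` relies on GNU `stat -c`.

```sh
#!/bin/sh
# Added example (not from the thread): classify how, or whether, the PAM
# password helper can read the shadow file for a non-root caller.

# classify_chkpwd HELPER_MODE HELPER_UID HELPER_GID SHADOW_MODE SHADOW_GID
# Modes are octal strings as printed by `stat -c %a` (e.g. 2755, 640).
classify_chkpwd() (
    hmode=$((0$1)); huid=$2; hgid=$3
    smode=$((0$4)); sgid=$5

    # Password hashes readable by everyone: report this before anything else.
    if [ $((smode & 0004)) -ne 0 ]; then
        echo "shadow-world-readable"; return
    fi
    # Set-group-ID helper whose group owns a group-readable shadow file
    # (the layout the chgrp/chmod commands in the thread produce).
    if [ $((hmode & 02000)) -ne 0 ] && [ "$hgid" = "$sgid" ] \
       && [ $((smode & 0040)) -ne 0 ]; then
        echo "setgid-shadow"; return
    fi
    # Set-user-ID helper owned by root.
    if [ $((hmode & 04000)) -ne 0 ] && [ "$huid" = "0" ]; then
        echo "setuid-root"; return
    fi
    echo "unprivileged"
)

# audit_paths HELPER SHADOW: read the real attributes (GNU stat assumed).
audit_paths() (
    h=$(stat -c '%a %u %g' "$1") || return 1
    s=$(stat -c '%a %g' "$2") || return 1
    # Intentional word splitting: stat printed space-separated fields.
    classify_chkpwd $h $s
)

# Run only when both paths are given, e.g.:
#   sh check.sh /sbin/unix_chkpwd /etc/shadow
if [ $# -eq 2 ]; then
    audit_paths "$1" "$2"
fi
```

The check only reads file metadata, so it can be run before and after a permission change to confirm what actually changed.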
I'm a noob in PAM (and apache?). I have a small host with a handful of accounts. Users can log in via ssh. Now I want to use these normal user accounts (and passwords) in HTTP Basic auth. In the past I used AuthExternal (or similar) but today I think mod_authnz_pam is more what I want, so I give it a try .. but at some point I struggle. Here is what I have done.
On archlinux I built the package from https://github.com/return42/mod_authnz_pam and installed the module .. so far, so good.
Now I set up a configuration:
In /etc/pam.d/www-login I copied what I found in the /etc/pam.d/system-local-login
Now I open https://example.org/closed-share and the dialog from basic auth pops up. I enter correct name and password, but my login will be rejected. I don't know if it helps, but here is what I see in the apache error log ..
Does anyone have a clue where my fail is? / thanks!