
noob question: setup mod_authnz_pam on archlinux #12

Closed
return42 opened this issue Jun 25, 2020 · 9 comments

Comments

@return42

I'm a noob in PAM (and apache?). I have a small host with a handful of accounts. Users can log in via ssh. Now I want to use these normal user accounts (and passwords) in HTTP Basic auth. In the past I used AuthExternal (or similar) but today I think mod_authnz_pam is more what I want, so I gave it a try .. but at some point I struggle. Here is what I have done.

On archlinux I built the package from https://github.com/return42/mod_authnz_pam and installed the module .. so far, so good.

Now I set up a configuration:

<IfModule !authnz_pam_module>
    LoadModule authnz_pam_module modules/mod_authnz_pam.so
</IfModule>

<Location /closed-share>
    AuthType Basic
    AuthName "www-login"
    AuthBasicProvider PAM
    AuthPAMService www-login
    Require valid-user
    Options +Indexes +FollowSymLinks
</Location>

In /etc/pam.d/www-login I copied what I found in /etc/pam.d/system-local-login:

#%PAM-1.0

auth      include   system-login
account   include   system-login
password  include   system-login
session   include   system-login

Now I open https://example.org/closed-share and the dialog from basic auth pops up. I enter the correct name and password, but my login is rejected. I don't know if it helps, but here is what I see in the apache error log ..

[Thu Jun 25 16:36:40.843528 2020] [ssl:info] [pid 1544273:tid 140203258324736] [client 91.96.136.2:48180] AH01964: Connection to child 5 established (server darmarit.org:443)
[Thu Jun 25 16:36:42.810132 2020] [authnz_pam:warn] [pid 1544273:tid 140203258324736] [client 91.96.136.2:48180] PAM authentication failed for user markus: Authentication failure
[Thu Jun 25 16:36:42.811069 2020] [auth_basic:error] [pid 1544273:tid 140203258324736] [client 91.96.136.2:48180] AH01617: user markus: authentication failure for "/closed-share/": Password Mismatch

Does anyone have a clue where my mistake is? / thanks!

@adelton
Owner

adelton commented Jun 25, 2020

I'm not familiar with the archlinux system-login PAM setup. But I wonder if it does anything other than checking the password against /etc/shadow. And assuming Apache HTTP Server does not run as root on archlinux, the process does not have permissions to read that file.
On other systems, to authenticate local users from a non-root process, SSSD can be used, together with pam_sss.so. Is there a chance of using SSSD on archlinux?

@return42
Author

return42 commented Jun 25, 2020

Thanks for fast feedback!

I'm not familiar with the archlinux system-login PAM setup.

auth       required   pam_tally2.so        onerr=succeed file=/var/log/tallylog
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth

account    required   pam_tally2.so 
account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth

password   include    system-auth

session    optional   pam_loginuid.so
session    optional   pam_keyinit.so       force revoke
session    include    system-auth
session    optional   pam_motd.so          motd=/etc/motd
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
session    optional   pam_systemd.so
session    required   pam_env.so

But I wonder if it does anything else than checking the password against /etc/shadow

Does it? .. I don't know (sorry, I'm really a noob in such subjects). The logins I want to use are listed in /etc/passwd; this file is readable by "others". But I can't assess if it is a problem (for PAM modules) when apache does not run as root (I use the normal "http" user for the apache service).

On other systems, to authenticate local users from non-root process, SSSD can be used,

I haven't set up an SSSD so far .. but I guess it is much more than I need (or want) .. I was looking for a "simple" solution for my really simple scenario (using the ssh login for HTTP also) and thought mod_authnz_pam was the choice .. Do you have any idea what else I could try? / thanks!

@return42
Author

return42 commented Jun 25, 2020

Strange, I changed the apache conf to be invalid:

...
<Location /closed-share>
    AuthType Basic
    AuthName "www-loginxxxx"
    AuthBasicProvider PAM
    AuthPAMService www-loginxxx
    Require valid-user
    Options +Indexes +FollowSymLinks
</Location>

But the log message is the same:

[authnz_pam:warn]  authentication failed for user markus: Authentication failure

I guess there is something completely wrong with my installation?

update: I looked at the sources; it seems there are no causality tests .. the message is typical for most kinds of failures.

@adelton
Owner

adelton commented Jun 26, 2020

But I wonder if it does anything else than checking the password against /etc/shadow

Does it? .. I don't know (sorry, I'm really a noob in such subjects).

I phrased it wrong. Of course there are other actions taken in the PAM stack, but ultimately the hashed password is stored in /etc/shadow, so against that the password needs to be verified. What I meant was that it's unlikely that the PAM stack would be configured out of the box to spawn a set-uid binary which would do the check, or something like that.

The logins I want to use are listed in /etc/passwd; this file is readable by "others". But I can't assess if it is a problem (for PAM modules) when apache does not run as root (I use the normal "http" user for the apache service).

Login names are in /etc/passwd. But passwords?

@adelton
Owner

adelton commented Jun 26, 2020

You should dig into the system-auth to see how things are configured.

On Fedora, pam_unix.so (not enabled by any PAM auth configuration by default) can use the helper binary unix_chkpwd to check the passwords in /etc/shadow. Look at the man pages to see if something similar is available on archlinux. If there is, simply using

auth       required   pam_unix.so

should enable the password checking even for unprivileged users.

To test if the approach works at all, before attempting to configure Apache, try

pamtester www-login markus authenticate

as a non-root user. That should give an indication of the feasibility of the approach.

@adelton adelton closed this as completed Jun 26, 2020
@return42
Author

return42 commented Jun 26, 2020

Thanks a lot for your hints! ... I tested both PAM configurations, the short one you suggested and the www-login from mine which was copied from the system-local-login.

Both configurations work with pamtester when I run pamtester with my "markus" account (which is in the sudoers):

[markus@foo]$ pamtester www-login markus authenticate
Password: 
pamtester: successfully authenticated

Apache runs with the 'http' system account, so I tested this also:

[markus@foo]$ sudo -H -u http bash
[http@foo]$ /usr/sbin/pamtester  www-login markus authenticate
Password: 
pamtester: Authentication failure

The cause apparently lies in the http account. I have to take a closer look at that. If I find the cause I'll be back.

update: on Ubuntu pamtester works when the caller is www-data (which is the system account used by apache on debian/ubuntu) .. but I can't say what the difference is compared to archlinux .. on ubuntu there is a shadow group with read access to the /etc/shadow file .. could it be related to this? ... what are the PAM executables used when I use pam_unix.so .. might they have a set-group-ID bit?
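An added diagnostic script (my own, not code from mod_authnz_pam or from the thread) that bundles the checks the thread walks through by hand: it repeats the pamtester run as the calling user and as the service account, and reports the mode of /etc/shadow and the set-id bits on pam_unix's helper unix_chkpwd. It assumes pamtester and sudo are installed, that the service account is http and the PAM service is www-login as in this issue, and that unix_chkpwd lives in /sbin or /usr/bin.

```shell
#!/bin/sh
# Added diagnostic, not part of mod_authnz_pam or the thread: repeat the
# thread's two pamtester runs (as the caller, then as the Apache service
# account) and show the two facts that decide whether an unprivileged
# caller can verify a hash in /etc/shadow: the mode of /etc/shadow and
# the set-id bits on pam_unix's helper unix_chkpwd.
# classify_helper MODE OWNER GROUP: given the `stat -c '%A %U %G'` triple
# of unix_chkpwd, print how it can reach /etc/shadow. Linux-PAM's helper
# drops setuid root when asked about a user other than its caller, so a
# web server checking other users' passwords needs the setgid route.
classify_helper() {
    mode=$1; owner=$2; group=$3
    case $mode in
        ???s??????) if [ "$owner" = root ]; then echo setuid-root; return 0; fi ;;
    esac
    case $mode in
        ??????s???) echo "setgid-$group"; return 0 ;;
    esac
    echo none
}

# shadow_group_readable MODE GROUP: succeed and print GROUP when the group
# read bit is set, i.e. members of GROUP can read /etc/shadow directly.
shadow_group_readable() {
    case $1 in
        ????r?????) echo "$2"; return 0 ;;
    esac
    return 1
}

# report SERVICE USER SVCUSER: inspect the files, then run pamtester twice.
# Needs pamtester installed and sudo rights to become SVCUSER.
report() {
    service=$1; user=$2; svcuser=$3
    set -- $(stat -c '%A %U %G' /etc/shadow)
    echo "/etc/shadow $1 $2:$3 group-readable: $(shadow_group_readable "$1" "$3" || echo no)"
    for helper in /sbin/unix_chkpwd /usr/bin/unix_chkpwd; do
        [ -x "$helper" ] || continue
        set -- $(stat -c '%A %U %G' "$helper")
        echo "$helper $1 $2:$3 -> $(classify_helper "$1" "$2" "$3")"; break
    done
    echo "as $(id -un):"; pamtester "$service" "$user" authenticate || true
    echo "as $svcuser:"; sudo -u "$svcuser" pamtester "$service" "$user" authenticate || true
}

# usage: sh pam-check.sh --run [service] [user] [service-account]
if [ "${1:-}" = "--run" ]; then
    report "${2:-www-login}" "${3:-$(id -un)}" "${4:-http}"
fi
```

A Debian-style layout shows /etc/shadow as root:shadow with the group read bit and the helper as setgid-shadow; a layout where the second pamtester run fails will show neither, which is the gap the thread is chasing.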

@return42
Author

return42 commented Jul 10, 2020

I'm still fighting with it on archlinux / in the meantime I got pamtester working (even for the service user 'http'):

groupadd --system shadow
chgrp shadow  /etc/gshadow
chmod g+r /etc/gshadow
chgrp shadow  /etc/shadow
chmod g+r /etc/shadow

# set-group-ID bit
chgrp shadow  /sbin/unix_chkpwd
chmod 02755   /sbin/unix_chkpwd
if [[ -e /sbin/pam_extrausers_chkpwd ]]; then
    chgrp shadow  /sbin/pam_extrausers_chkpwd
    chmod 02755   /sbin/pam_extrausers_chkpwd
fi

But now I have an issue when mod_authnz_pam is the process / If anyone is interested, I have created a small lxc suite in which I test all of it: https://github.com/return42/lxc-suite#mod-authnz-pam-archlinux

@adelton
Owner

adelton commented Jul 10, 2020

You shouldn't play with /etc/shadow permissions and deviate from the setup that the OS provides out of the box. Chances are you are creating a path for a security issue down the road. Please consult with the archlinux folks about the expected PAM setup and behaviour.

@return42
Author

You shouldn't play with /etc/shadow permissions

Thanks for your hint / Debian has an official libapache2-mod-authnz-pam package; archlinux does not have official packages for mod_authnz_pam.

Setting /etc/shadow permissions (and the set-group-ID bit) is how Debian solves the password checking even for unprivileged users. Archlinux does not have a concept in PAM for "unprivileged users".
