BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

mod_auth_pam

Subject: mod_auth_pam
From: adler at stephenadler.com (Stephen Adler)
Date: Fri, 18 Aug 2006 13:01:33 -0400
In-reply-to: <44E5E16B.2020202@mattgillen.net>
References: <44E5D3B1.8060508@stephenadler.com> <44E5D772.1080700@mattgillen.net> <44E5D911.6080407@stephenadler.com> <Pine.LNX.4.64.0608181138530.6226@localhost.localdomain> <44E5E06A.5070800@stephenadler.com> <44E5E16B.2020202@mattgillen.net>

Success... sort of....

I finally got it to work. Actually it was all documented, (how to set it 
up,) and it was just a question of RTFM'ing.

The mod_auth_pam pretty much worked right out of the box. (i.e. it was 
never the problem
of my inability to authenticate.) The httpd configureation file (and 
this is for redhat enterprise linux 4) looks like

[root at qmt0 init.d]# cat /etc/pam.d/httpd
#%PAM-1.0
auth       required     /lib/security/pam_unix.so
account    required     /lib/security/pam_unix.so

So, the two things I had to do was fix ypserv to allow shadow.name to be 
access from a port greater than 1024 by modifying /etc/ypserf.conf, and 
change the group on the /etc/shadow to apache and chmod it to 440. 
(ouch...) I sort blew a hole in the security of my system... but at 
least now I can authenticate. :)

Thanks to everyone for their help!

Cheers. Steve.

Matthew Gillen wrote:
> Stephen Adler wrote:
>   
>> I tried the system-auth, but the httpd mod_auth_pam could not find the
>> appropriate pam modules. :(
>>
>> [root at qmt0 pam.d]# more httpd
>> #%PAM-1.0
>>
>> auth       required     /lib/security/pam_unix.so
>> account    required     /lib/security/pam_unix.so
>>
>> #auth       include      system-auth
>> #account    include      system-auth
>>
>> the commented out lines were what I tried...
>>     
>
> For what it's worth, here's the contents of my system-auth:
> $ cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        required      pam_deny.so
>
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass
> use_authtok
> password    required      pam_deny.so
>
> session     required      pam_limits.so
> session     required      pam_unix.so
>
> ------------------------
>
> HTH,
> Matt
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://olduvai.blu.org/mailman/listinfo/discuss
>
>

References:
- mod_auth_pam
  - From: adler at stephenadler.com (Stephen Adler)
- mod_auth_pam
  - From: me at mattgillen.net (Matthew Gillen)
- mod_auth_pam
  - From: adler at stephenadler.com (Stephen Adler)
- mod_auth_pam
  - From: gboyce at badbelly.com (gboyce)
- mod_auth_pam
  - From: adler at stephenadler.com (Stephen Adler)
- mod_auth_pam
  - From: me at mattgillen.net (Matthew Gillen)

Prev by Date: subversion
Next by Date: Boston Plone Meetup, Thu Aug 24, 7:00 PM (RSVP stats: 5 Yes, 0 Maybe, 2 No)
Previous by thread: mod_auth_pam
Next by thread: Boston Plone Meetup, Thu Aug 24, 7:00 PM (RSVP stats: 5 Yes, 0 Maybe, 2 No)
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Boston Linux & Unix / webmaster@blu.org