mod_auth_pam
Matthew Gillen
me at mattgillen.net
Fri Aug 18 11:36:17 EDT 2006
I don't think that's how PAM authentication works. The httpd daemon should
not be making calls directly to NIS. The local NIS client (ypbind) should be
doing that on behalf of anything that uses PAM as a backend. (check for
yourself: from your log message below, the port that was refused was 34502;
what does 'rpcinfo -p' return on your webserver machine? Is 34502 in that list?)
I don't have any better ideas if changing /etc/pam.d/httpd didn't work, but I
don't think the problem has to do with httpd->ypserver interaction. More
likely it's ypbind->ypserver or httpd->ypbind.
Matt
Stephen Adler wrote:
> I think it's coming down to the fact that httpd is on a port which is
> greater than 1024 and there is something in ypserv.conf about
> restricting getting shadow.byname to high port number requests.
>
> snippet from /etc/ypserv.conf
> # Not everybody should see the shadow passwords, not secure, since
> # under MSDOG everbody is root and can access ports < 1024 !!!
> * : * : shadow.byname : port
> * : * : passwd.adjunct.byname : port
>
> I need to do more research on ypserv.conf...
>
> Matthew Gillen wrote:
>> It doesn't seem like this should make a difference, but here's what mine looks like:
>> $ cat /etc/pam.d/httpd
>> #%PAM-1.0
>> auth include system-auth
>> account include system-auth
>> # Comment out the previous account line and uncomment the following line if
>> # you wish to allow logins that don't have a system account
>> #account required pam_permit.so
>>
>>
>> Stephen Adler wrote:
>>
>>> I'm running red hat enterprise linux 4.
>>>
>>>
>>> [root at qmt0 init.d]# cat /etc/pam.d/httpd
>>> #%PAM-1.0
>>> auth required /lib/security/pam_unix.so
>>> account required /lib/security/pam_unix.so
>>>
>>> it is there....
>>>
>>> Matthew Gillen wrote:
>>>
>>>> What distro are you using? Fedora Extras has a mod_auth_pam package that
>>>> works out of the box for me with NIS.
>>>>
>>>> Looking at the file listing for that package, it seems that there is a
>>>> file it adds:
>>>> /etc/pam.d/httpd
>>>>
>>>> Do you have that file?
>>>>
>>>> Matt
>>>>
>>>> Stephen Adler wrote:
>>>>
>>>>
>>>>> I'm trying to get mod_auth_pam working using NIS and I'm having a
>>>>> bit of a problem.
>>>>> I've downloaded mod_auth_pam, (mod_auth_pam-2.0-1.1.1.tar.gz) and did
>>>>> the required make; make install.
>>>>>
>>>>> I added the lines
>>>>>
>>>>> # loading mod_auth_pam module. SA - Fri Aug 18th, 2006
>>>>> LoadModule auth_pam_module modules/mod_auth_pam.so
>>>>> LoadModule auth_sys_group_module modules/mod_auth_sys_group.so
>>>>>
>>>>> to the /etc/httpd/conf/httpd.conf file
>>>>>
>>>>> and restarted httpd. This worked all ok. I then created a directory
>>>>> /usr/local/www/adler and put an index.html file there. I also created
>>>>> a file localusers.conf with the following text
>>>>> #
>>>>> # Local qmp users web directories
>>>>> #
>>>>>
>>>>> Alias /adler /usr/local/www/adler
>>>>> <Directory /usr/local/www/adler>
>>>>> AuthType Basic
>>>>> AuthName "secure area"
>>>>> # require group adler
>>>>> require user adler
>>>>> </Directory>
>>>>>
>>>>> and put that in /etc/httpd/conf.d directory
>>>>>
>>>>> Finally I surfed to http://localhost/adler and the username password
>>>>> authorization window pops up. I put in my user name and password and
>>>>> the authorization fails. The following text shows up in the
>>>>> /var/log/messages file
>>>>>
>>>>>
>>>>> Aug 18 10:48:50 qmt0 ypserv[19665]: refused connect from
>>>>> 172.17.1.2:34502 to procedure ypproc_match
>>>>> (quantummoleculartech.com,shadow.byname;-1)
>>>>> Aug 18 10:48:50 qmt0 httpd(pam_unix)[19463]: authentication failure;
>>>>> logname= uid=48 euid=48 tty= ruser= rhost= user=adler
>>>>>
>>>>>
>>>>> So, pam authentication is being enabled, but ypserv is refusing the
>>>>> connection. I've removed /var/yp/securenets file and have restarted
>>>>> ypserv.
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> Cheers. Steve.
>>>>> _______________________________________________
>>>>> Discuss mailing list
>>>>> Discuss at blu.org
>>>>> http://olduvai.blu.org/mailman/listinfo/discuss
>>>>>
>>>>
>>
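The two ypserv.conf access lines and the "refused connect" log line quoted in the thread, worked through as an added example (this is not code from the thread, from ypserv or from mod_auth_pam). It parses `host : domain : map : security` rules the way ypserv.conf lays them out, applies the first matching rule to a lookup, and pulls the client address, source port, domain and map out of a refusal line so the two can be cross-checked. The config fragment is constructed to mirror the quoted lines (the `dns: no` option line is added only to show that option lines are skipped), and the "no rule matched, so allow" default is an assumption stated in the code.

```python
"""Cross-check a ypserv 'refused connect' log line against ypserv.conf rules."""
import ipaddress
import re

PRIVILEGED_PORT_MAX = 1023   # only root can bind ports < 1024 on a Unix host

# Constructed ypserv.conf fragment; the two access rules mirror the lines
# quoted in the thread, the 'dns: no' option line is an added assumption.
YPSERV_CONF = """\
dns: no
# Not everybody should see the shadow passwords, not secure, since
# under MSDOG everbody is root and can access ports < 1024 !!!
* : * : shadow.byname : port
* : * : passwd.adjunct.byname : port
"""

# The ypserv log line quoted in the thread (constructed copy).
LOG_LINE = ("Aug 18 10:48:50 qmt0 ypserv[19665]: refused connect from "
            "172.17.1.2:34502 to procedure ypproc_match "
            "(quantummoleculartech.com,shadow.byname;-1)")

_LOG_RE = re.compile(
    r"refused connect from (?P<ip>[\d.]+):(?P<port>\d+) "
    r"to procedure (?P<proc>\w+) \((?P<domain>[^,]+),(?P<map>[^;]+);")


def parse_rules(text):
    """Return access rules as (host, domain, map, security) tuples in file
    order. Comments and 'key: value' option lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":")]
        if len(fields) == 4:
            rules.append(tuple(fields))
    return rules


def _host_matches(spec, ip):
    """'*' matches any client, 'a.b.c.d' an exact address,
    'a.b.c.d/mask' a network (dotted netmask or prefix length)."""
    if spec == "*":
        return True
    if "/" in spec:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return spec == ip


def evaluate(rules, ip, port, domain, map_name):
    """Apply the first matching rule to a lookup.
    Returns (decision, rule): decision is 'allow' or 'deny'; rule is the
    matching tuple, or None when nothing matched (assumed here to mean
    allow, which is what the ypserv.conf documentation describes)."""
    for rule in rules:
        host, dom, mp, security = rule
        if not _host_matches(host, ip):
            continue
        if dom not in ("*", domain) or mp not in ("*", map_name):
            continue
        if security == "none":
            return "allow", rule
        if security == "port":
            # 'port' admits the lookup only from a privileged source port
            return ("allow" if port <= PRIVILEGED_PORT_MAX else "deny"), rule
        return "deny", rule          # 'deny' (or any unrecognised keyword)
    return "allow", None


def parse_log_line(line):
    """Extract client ip/port, procedure, domain and map from a
    'refused connect' line; None for any other log line."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    req = m.groupdict()
    req["port"] = int(req["port"])
    return req


def explain_refusal(conf_text, line):
    """Match a refusal line against the config and report which rule fired."""
    req = parse_log_line(line)
    if req is None:
        return None
    decision, rule = evaluate(parse_rules(conf_text), req["ip"], req["port"],
                              req["domain"], req["map"])
    return {"request": req, "decision": decision, "rule": rule}


if __name__ == "__main__":
    print(explain_refusal(YPSERV_CONF, LOG_LINE))
    rules = parse_rules(YPSERV_CONF)
    dom = "quantummoleculartech.com"
    # same map from a privileged source port would pass the 'port' rule
    print(evaluate(rules, "172.17.1.2", 600, dom, "shadow.byname"))
    # passwd.byname has no rule at all, so it falls through to the default
    print(evaluate(rules, "172.17.1.2", 34502, dom, "passwd.byname"))
```

Run against the quoted line, `explain_refusal` reports the `* : * : shadow.byname : port` rule as the one that denied the lookup, because the client's source port 34502 is above 1023; the same request for `passwd.byname` hits no rule. That is the check to make before touching `/var/yp/securenets`, since securenets filters on client address and cannot be the cause of a refusal that names a map with a `port` rule.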