Overview
The PAM authentication module implements Basic authentication on top
of the Pluggable Authentication Module library. It thereby supports
standard Unix passwd, shadow, NIS, SMB and RADIUS authentication (->
complete list of modules) transparently and easily interchangeably,
wherever the HTTP protocol allows it.
mod_auth_pam enjoys quite widespread usage now; far more people seem
to use it than I initially thought, and it's used not only with Linux but
also with Solaris. The installation is quite straightforward if you
are familiar with the Apache module concept. See below for detailed
installation instructions. Support with installation (and
configuration) can be had from me, Ingo Lütkebohle. General Apache
and/or PAM questions will be ignored, though; please see the
appropriate mailing lists (for PAM, see above) or newsgroups
(comp.infosystems.www.servers) for that.
Mailing List
There is a mailing-list for mod_auth_pam, to which I send mail when
new releases are made or other important changes appear. I encourage
you to subscribe to this list because new releases might be made for
security reasons and I have no other means of reaching the users of my
module. The volume is really low, one message a month or even less.
To subscribe, send an empty message to
ingo-pam-subscribe@blank.pages.de.
To remove yourself from the list, you have to make sure to use the
same e-mail address as the one you subscribed with. Then, send mail to
ingo-pam-unsubscribe@blank.pages.de.
Configuration
Apache configuration
Because there is much confusion about this, let me state one thing:
As soon as mod_auth_pam is compiled into the server (as outlined
above), it is automatically used for all basic authentication!
Therefore, you use the normal directives to configure mod_auth_pam. An
example .htaccess might look like

    AuthType Basic
    AuthName "secure area"
    require group staff
    require user webmaster

which would result in the protected directory being accessible only by
members of the "staff" group and by the user "webmaster". For more
information, see AuthType, AuthName and require.
Configuration Directives
Because a server might contain several authentication modules,
mod_auth_pam includes directives to improve interaction with other
authentication modules.
AuthPAM_Enabled
Syntax: AuthPAM_Enabled on or off
Default: AuthPAM_Enabled on
Context: directory, .htaccess
This directive turns mod_auth_pam on or off. If turned off, the
server will behave as if mod_auth_pam is not there.
AuthPAM_FallThrough
Syntax: AuthPAM_FallThrough on or off
Default: AuthPAM_FallThrough off
Context: directory, .htaccess
Access policy if a username is not found. This directive is
useful if multiple authentication modules are used. If a given
username is not found by mod_auth_pam, the normal behaviour is
to return an error to the user directly, thus bypassing other
authentication modules. Switching AuthPAM_FallThrough on will
make Apache ask other authentication modules if mod_auth_pam
can't find the user.
PAM service setup
You have to make the "httpd" service known to your system's PAM
library. There are two different configuration schemes: (1) pam.conf,
used with most older versions of PAM, and (2) /etc/pam.d/, used by, for
example, RedHat 4.2 and above.
1. pam.conf
Add the following lines at the end of /etc/pam.conf:

    httpd auth required pam_unix_auth.so
    httpd account required pam_unix_account.so
    httpd password required pam_unix_passwd.so

2. /etc/pam.d/ (preferred method)
Create a new file named /etc/pam.d/httpd and put the following lines
in it:

    auth required pam_unix_auth.so
    account required pam_unix_account.so
    password required pam_unix_passwd.so
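
A way to verify the setup above, as an added example that is not part of the original documentation or the module's distribution: the script reads either configuration scheme and reports which entries the "httpd" service lacks. Treating "auth" and "account" as the required entries is this example's assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: checks that the "httpd" PAM service has the entries it needs.

# pam_service_types FILE SERVICE
#   Prints the module types configured for the service, one per line.
#   SERVICE ""    -> FILE uses the /etc/pam.d/ layout (type is column 1)
#   SERVICE name  -> FILE uses the pam.conf layout (service is column 1)
pam_service_types() {
    awk -v svc="$2" '
        /^[ \t]*#/ || NF == 0 { next }              # comments, blank lines
        svc == "" { t = $1 }
        svc != "" { if ($1 != svc) next; t = $2 }
        { sub(/^-/, "", t); print tolower(t) }      # drop an optional "-" prefix
    ' "$1" | sort -u
}

# pam_missing_types FILE SERVICE
#   Prints each of "auth" and "account" that has no entry (assumed required).
pam_missing_types() {
    found=$(pam_service_types "$1" "$2")
    for want in auth account; do
        printf '%s\n' "$found" | grep -qx "$want" || printf '%s\n' "$want"
    done
}

# check_httpd_pam [ETC_DIR]
#   Prints "ok", "missing: <types>" or "no-config".
check_httpd_pam() {
    etc=${1:-/etc}
    if [ -f "$etc/pam.d/httpd" ]; then
        missing=$(pam_missing_types "$etc/pam.d/httpd" "")
    elif [ -f "$etc/pam.conf" ]; then
        missing=$(pam_missing_types "$etc/pam.conf" httpd)
    else
        echo "no-config"; return 0
    fi
    if [ -z "$missing" ]; then echo ok; else echo "missing:" $missing; fi
}

# Constructed sample: a pam.d-style file with the "account" line left out.
demo=$(mktemp -d)
mkdir "$demo/pam.d"
printf '%s\n' 'auth required pam_unix_auth.so' \
              'password required pam_unix_passwd.so' > "$demo/pam.d/httpd"
check_httpd_pam "$demo"
rm -rf "$demo"
```

On Linux-PAM, a module type that the service does not define is handled by the rules of the "other" service, so a "missing" result is worth reviewing rather than ignoring.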
Frequently Asked Questions
I want to use other authentication modules, how do I turn mod_auth_pam
off for one directory?
Use
AuthPAM_Enabled off
in your .htaccess
I configured mod_auth_pam in the .htaccess as shown above, but Apache
doesn't ask for username/password. Why?
Most likely, per-directory authorization configuration is
disabled. Use
AllowOverride AuthConfig
in your access.conf
I get lots of "undefined references" when compiling Apache with your
module, why?
You are using Apache 1.3 and an old version of mod_auth_pam.c.
Get v0.7 from the downloadables section.
I get "500 server error" instead of a password prompt when trying to
access a password protected page. Why?
You are probably using an incorrect .htaccess configuration.
Please check your server's error_log for details.
I get "500 server error" after entering the password for a password
protected page. Why?
The username you entered is probably not in the system
database. In that case, mod_auth_pam falls through to mod_auth
and mod_auth needs more configuration than mod_auth_pam.
Solution: Either disable fall-through or configure AuthUserFile
and AuthGroupFile for mod_auth.
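
The fall-through condition from this answer and from the AuthPAM_FallThrough directive description, as an added example that is not part of the original documentation: the script lists .htaccess files that switch fall-through on without configuring an AuthUserFile. It inspects each file on its own (settings inherited from parent directories or the server configuration are not merged), and the function names and the placeholder path are hypothetical.

```shell
#!/bin/sh
# Added example: flags .htaccess files where fall-through can hand a request
# to mod_auth although no AuthUserFile is configured in that file.

# htaccess_fallthrough_check FILE -> prints "risk" or "ok"
htaccess_fallthrough_check() {
    awk '
        BEGIN { enabled = "on"; fall = "off"; userfile = 0 }  # documented defaults
        /^[ \t]*#/ || NF == 0 { next }                        # comments, blank lines
        { d = tolower($1); v = tolower($2) }                  # names are case-insensitive
        d == "authpam_enabled"     { enabled = v }
        d == "authpam_fallthrough" { fall = v }
        d == "authuserfile"        { userfile = 1 }
        END {
            r = (enabled == "on" && fall == "on" && !userfile) ? "risk" : "ok"
            print r
        }
    ' "$1"
}

# scan_docroot DIR -> prints the path of every risky .htaccess below DIR
scan_docroot() {
    find "$1" -type f -name .htaccess | sort | while IFS= read -r f; do
        if [ "$(htaccess_fallthrough_check "$f")" = risk ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample tree: "a" falls through with no user file, "b" has one.
demo=$(mktemp -d); mkdir "$demo/a" "$demo/b"
printf '%s\n' 'AuthType Basic' 'AuthName "secure area"' \
    'AuthPAM_FallThrough on' 'require user webmaster' > "$demo/a/.htaccess"
printf '%s\n' 'AuthType Basic' 'AuthName "secure area"' \
    'AuthPAM_FallThrough on' 'AuthUserFile /placeholder/htpasswd' \
    'require user webmaster' > "$demo/b/.htaccess"
scan_docroot "$demo"
rm -rf "$demo"
```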
Does mod_auth_pam work with shadow passwords?
Yes, but you have to make some changes to the shadow password
file which are not suggested since they weaken your system's
security.
Copyright 1997,1998,1999 by Ingo Lütkebohle