[Answered] Lighttpd PAM Authentication Setup Issue for Password Protected Directory 500 Internal Server Error
Added by lighttpd2000 2 days ago
Hello, I am trying to configure a device running Linux VERSION="5.15-kirkstone (kirkstone)" with an internally hosted lighttpd web server to use PAM authentication. lighttpd version is "lighttpd/1.4.66 (ssl) - a light and fast webserver". Have tested in the Firefox, Chrome, and Edge web browsers.
The problem is that when I set up lighttpd.conf to use PAM auth, accessing files from a directory called /cgi-bin/ through the web browser is not triggering login.
There is a super helpful guide on setting up PAM authentication on Redmine where it references a link to GitHub for defining user/group access, but this link is broken.
Redmine page for reference-
https://redmine.lighttpd.net/projects/lighttpd/wiki/mod_auth#pam-mod_authn_pam-since-lighttpd-1451
Link-
https://github.com/linux-pam/linux-pam/Linux-PAM-html/sag-pam_access.html
There is great information on setting up PAM authentication. It is all very easy to follow though after this setup when attempting to access a file in the protected directory through the browser no login prompt is triggered and a 500 Internal Server Error is reported. I have tried to figure out the setup but have gotten stumped.
I have added the http.access.conf file as follows-
# Example /etc/security/http.access.conf
# Allow a single user
+ : webgui : ALL
# Allow members of the "root" group
+ : @root : ALL
# Deny everything else
- : ALL : ALL
The directory cgi-bin must be password protected with PAM.
Previously in lighttpd.conf I specified this cgi-bin directory as requiring auth with secure digest to access via the web browser as shown below-
server.modules = (
    ...
    "mod_auth",
    "mod_authn_file",
    ...
)
auth.backend = "htdigest"
auth.backend.htdigest.userfile = "/system/v2x/www/.passwd"
auth.require = ( "/cgi-bin/" =>
    (
        "method"  => "digest",
        "realm"   => "Authorized users only",
        "require" => "valid-user"
    )
)
In attempting to use PAM the above code was removed from the lighttpd.conf file and replaced with the code below-
server.modules = (
    ...
    "mod_auth",
    "mod_authn_file",
    "mod_authn_pam",
    ...
)
auth.backend = "pam"
auth.require = ( "/cgi-bin/" =>
    (
        "method"  => "digest",
        "realm"   => "Authorized users only",
        "require" => "valid-user"
    )
)
Notice the lighttpd.conf file for PAM does not specify a file for the auth to check username/password against for the cgi-bin directory, and I am unsure how to add this. Username/password should be checked against /etc/shadow using PAM, I believe. If the line auth.backend.htdigest.userfile = "/system/v2x/www/.passwd" is added, then authentication seems like it would be done via secure digest, not PAM. What edit is needed? Are changes needed in /etc/lighttpd/lighttpd.conf, /etc/pam.d/lighttpd, a separate script completely, or is there a different file that needs editing?
Please share any insight and direction you might have.
Thanks for any advice in advance!
Alexis
Replies (3)
RE: Lighttpd PAM Authentication Setup Issue for Password Protected Directory 500 Internal Server Error - Added by gstrauss 2 days ago
man pam_access
https://web.archive.org/web/20211211222932/http://linux-pam.org/Linux-PAM-html/sag-pam_access.html
Notice the lighttpd.conf file for PAM does not specify a file for the auth to check username/password against
lighttpd configured to use PAM uses PAM, and the PAM config defines what PAM uses (whether files or network)
lighttpd mod_authn_pam PAM supports only HTTP Basic auth ("method" => "basic") since lighttpd generates and manages the nonce for HTTP Digest auth, not PAM.
Using HTTPS is strongly recommended if using HTTP Basic auth.
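A lighttpd.conf fragment that applies the points in this reply to the setup from the question, added here as an example (it is not from the thread or from the lighttpd project). The realm, port 5908 and the certificate path are assumptions; the "service" key of auth.backend.pam.opts selects the /etc/pam.d/<name> file and is documented in mod_auth:

```conf
# /etc/lighttpd/lighttpd.conf (added example; paths, realm and port are assumptions)
server.modules += ( "mod_auth", "mod_authn_pam" )

# mod_authn_pam can only answer HTTP Basic challenges: lighttpd itself creates
# and checks the nonce for Digest, so PAM never sees a verifiable password for
# "method" => "digest". Pairing the pam backend with digest is what yields the 500.
auth.backend = "pam"
# PAM service name -> /etc/pam.d/http ("http" is the default used by mod_authn_pam)
auth.backend.pam.opts = ( "service" => "http" )

auth.require = ( "/cgi-bin/" =>
    (
        "method"  => "basic",
        "realm"   => "Authorized users only",
        # "valid-user" accepts every account PAM lets through; narrow it with
        # pam_access or with an explicit list such as "require" => "user=webgui"
        "require" => "valid-user"
    )
)

# Basic auth sends the password base64-encoded on every request, so only
# expose the protected path over TLS (mod_openssl; the pemfile path is assumed).
server.modules += ( "mod_openssl" )
$SERVER["socket"] == ":5908" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"
}
```

After restarting lighttpd, an unauthenticated request such as curl -k -sI https://device:5908/cgi-bin/ should return 401 with a WWW-Authenticate: Basic realm="..." header rather than 500; supplying -u webgui:password should then return the CGI output, and a user rejected by the PAM account stack should still get 401.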
RE: Lighttpd PAM Authentication Setup Issue for Password Protected Directory 500 Internal Server Error - Added by lighttpd2000 about 8 hours ago
Thank you so much for taking the time to reply!
I have attempted to setup the access files correctly though don't have it all correct yet.
This would be what I think a correct /etc/pam.d/http file would be - (my setup is missing pam_succeed_if.so and pam_access.so modules currently)
# /etc/pam.d/http -- stack order matters: auth lines run top to bottom,
# and a "sufficient" module only ends the stack if no earlier "required" module failed
# only allow non-system accounts (uid >= 1000); requisite stops immediately otherwise
auth     requisite  pam_succeed_if.so uid >= 1000 quiet_success
# check the password against the system database; must come before pam_deny
auth     sufficient pam_unix.so nodelay try_first_pass
# anything that did not succeed in pam_unix is denied
auth     required   pam_deny.so
account  required   pam_unix.so
# restrict which users/groups may log in through the web server
account  required   pam_access.so accessfile=/etc/security/http.access.conf
1. Previously, in /etc/lighttpd/lighttpd.conf I set it up to password-protect the /cgi-bin/ directory with secure digest, so when files in the /cgi-bin/ folder were accessed via the web browser on port 5908, login would be requested and confirmed.
When using PAM, would this be achieved by password protecting all browser access by adding in /etc/security/http.access.conf a line like the following?
+:webgui:192.168.1.80:5908
2. PAM is new to me so this may be simple- I really just want to use PAM and need the /cgi-bin/ directory to require login when accessed via the browser. Which PAM modules would be required to achieve this?
Thanks!
Alexis
RE: Lighttpd PAM Authentication Setup Issue for Password Protected Directory 500 Internal Server Error - Added by gstrauss about 6 hours ago
Sharing a directory listing of text by attaching a picture suggests to me that you probably should avoid editing files and might be better served by searching for a tutorial with explicit steps that you can cut-n-paste to follow.
This is a forum for lighttpd, not for PAM, and I am not going to tell you how to configure the security for your system.
For a publicly visible server, using PAM potentially exposes your system accounts to brute-force password attacks through the web server, depending on how you have configured lighttpd.
I really just [...] need the /cgi-bin/ directory to require login when accessed via the browser.
Since you have not demonstrated (here) an understanding of system accounts, please consider using any of the other options lighttpd provides for securing web access to your /cgi-bin/. There are some examples in the mod_auth doc.
At your own risk, you're welcome to use lighttpd mod_authn_pam, but on this site, you won't be spoon fed how to configure PAM.
The lighttpd doc for mod_authn_pam warns:
The pam backend authenticates the user against PAM infrastructure, and requires that lighttpd be run as root. Using mod_authn_pam is not recommended except for special-purpose systems where using PAM is required for integration with the existing primary authentication mechanism for the system, e.g. using PAM which is configured with a RADIUS backend to PAM. In general, the system password database should not be directly used by web services if the user accounts have other privileges or access beyond the intended limited access required by the web service.