Project

General

Profile

[Solved] Pam auth module - howto

Added by sudarski over 2 years ago

Hello,

I'm trying to configure lighttp with PAM auth using the mod_authn_pam and would really appretate some instructions (like the ones for LDAP, file etc) Are they available? Could you point me to them?

Thank you very much, in advance.


Replies (9)

RE: Pam auth module - howto - Added by gstrauss over 2 years ago

What have you tried? You will not find instructions how to configure PAM here, just how to configure lighttpd to use PAM.

There are no required options for lighttpd mod_authn_pam directive auth.backend.pam.opts. The default service name used by lighttpd is "http" (so your PAM config should have PAM config in a file named something like /etc/pam.d/http) You can specify a different PAM service name with auth.backend.pam.opts = ("service" => "my-PAM-service-name")

RE: Pam auth module - howto - Added by sudarski over 2 years ago

Hello gstrauss,

Thank you very much for the feedback.

Unfortunately, I already tried the exact configuration that you suggested and I'm still having issues authenticating using this module. (I did not know how to change the service name, maybe I can try to configure a different service name in PAM, but I doubt that will help me.)

Here is a snippet from my conf file: ====
...
server.modules += ("mod_authn_pam")
auth.backend = "pam"
auth.require = ( "/" =>
(
"method" => "basic",
"realm" => "Password protected area",
"require" => "valid-user"
)
)
... ====
And here is my PAM service config (/etc/pam.d/http), it is very simple: ====
/etc/pam.d/http ====

And this is what I get in my lighttp error log: ====
...
2019-02-09 12:14:15: (mod_authn_pam.c.160) pam: Authentication failure
2019-02-09 12:14:15: (mod_auth.c.517) password doesn't match for / username: user2, IP: 10.255.0.6
.... ====

I will try a couple of more configuration modification, maybe that will help. Possibly I should play around with adding /etc/shadow to the group that lighttpd user belong to, or something.

Thank you very much for your help!

RE: Pam auth module - howto - Added by gstrauss over 2 years ago

Repeating what was posted above:

You will not find instructions how to configure PAM here, just how to configure lighttpd to use PAM.

RE: Pam auth module - howto - Added by sudarski over 2 years ago

Hello gstrauss,

Yes. I'm aware of it. Thank you very much for your help. I know now that my lighttpd side conf is OK.

When I make it work I'll share my findings here. It might be useful to someone else.

Thanks!

RE: [Solved] Pam auth module - howto - Added by mckaygerhard about 1 month ago

2 years now and we dont have a how to area for.. only the issued template and no user cases to follow, any one can share their how to detailed?

RE: [Solved] Pam auth module - howto - Added by gstrauss about 1 month ago

2 years now and we dont have a how to area for.. only the issued template and no user cases to follow, any one can share their how to detailed?

Have you read the lighttpd documentation? If you have, you must have missed the example mod_authn_pam


Exposing access to your system password database via an externally-facing server (e.g. a web server) is generally discouraged, but specific use cases do exist.

People looking to use PAM authentication already know the reasons why they are looking to use PAM authentication, rather than the opposite way around of people evaluating if this neat shiny thing could be useful to them. Put another way, if you do not have a requirement to use PAM authentication with lighttpd, you probably should not try to use PAM authentication with lighttpd. This is not a question of "should I use PAM?", but rather "I need to use PAM". If you do not need to use PAM with lighttpd, then you probably should not use lighttpd mod_authn_pam. If your next question is "but how will I know?", then the answer is that you probably should not use lighttpd mod_authn_pam. If you need to use PAM, then you already know that you need to use PAM.

If you have no idea how to configure PAM, you are likely to seriously reduce the security of your system.
If you have not attempted man -k pam and to configure /etc/pam.d/http, then you probably have no idea how to configure PAM.

PAM is an initialism for Pluggable Authentication Modules
Different OS distros may configure PAM differently.
Different admins may configure their systems differently.
There is no one-size-fits-all PAM config because PAM is intentionally flexible. That is PAM's raison d'être.

IFF your system uses pam_sss, then man pam_sss is suggested.

If you are writing documentation for others, and you do not have a good idea how to secure your system using PAM, then you are doing a disservice to your readers by attempting to give them something to cut-n-paste, which may be insecure for their system, especially if you have made little attempt to communicate your (low) level of knowledge regarding PAM, and your (low) level of knowledge how to secure a system using PAM accessed via a web service.

My advice is: Do not use lighttpd mod_authn_pam unless you are competent at configuring PAM, and understand well the limitations and risks of providing access to PAM via a web service.
Security hint: you can configure PAM to use different databases for different services. See mod_authn_pam. Providing access to PAM via a web service and configuring "/etc/pam.d/http" to use your system password database is generally discouraged.

Since you have whined and complained and need to be spoon-fed the following, you probably should not be using lighttpd mod_authn_pam, and you should probably not be writing documentation for others to do so:

Using a search engine to look for "/etc/pam.d/http", you can find a different 2-line PAM config in one of the first links: https://libretime.org/docs/freeipa
YMMV. Your system may be at risk. Your system security is your own responsibility.

RE: [Solved] Pam auth module - howto - Added by mckaygerhard about 1 month ago

yes, you have right BUT.. this pam case is for internal use case .. sometimes we need special cases for special use cases.. not always all is security.. somethings people need "FAST" solution for a while and then discard.. as always in linux .. there's no easy way just complex one.. and managers get windos solution .. making a standard by defect

security today is an excuse to keep up to date software so then enterprices can forced a dependence of .. i not have break thinks with crackers in years.. cos i not enabled any distributed thing

i will provide a how to when make it work for centos (yes death centos XD ) and devuan (debian without systemd) in the how to related and people can take that and improved the so technicall documentation..

i sucessfully get work auth plain, htpasswd, htdigest, noted that for dbi i cannot use just the user named .. i am forced to to complext mix of the realm.. so "basic" is not so "basic" as docummentation said

thanks for help i try to make some how tos

RE: [Solved] Pam auth module - howto - Added by gstrauss about 1 month ago

noted that for dbi i cannot use just the user named .. i am forced to to complext mix of the realm.. so "basic" is not so "basic" as docummentation said

This is documented and the reasons why are explained in mod_authn_dbi

RE: [Solved] Pam auth module - howto - Added by gstrauss about 1 month ago

yes, you have right BUT.. this pam case is for internal use case .. sometimes we need special cases for special use cases.. not always all is security.. somethings people need "FAST" solution for a while and then discard

Your opinions on the topic of security should be ignored by anyone reading this site. On this site, you have not demonstrated mastery or even credibility when discussing security.

You run out-of-date crypto software (7+ years old in #3104) and you prioritize "FAST" solution before security. Based on what you have posted on this site, you are not qualified to give good advice to others how they might secure their applications or systems.

You have not demonstrated a solid understanding of good security practices and you have not established any credibility. Please do not write documentation about lighttpd mod_auth.

    (1-9/9)