Feature #688

closed

auth via pam

Added by Anonymous over 18 years ago. Updated over 6 years ago.

Status:
Fixed
Priority:
Normal
Category:
mod_auth
Target version:

Description

I miss being able to auth via PAM.
It's very useful, because it means one authentication system for all daemons.
I use PAM for all services.

-- denis.knauf


Files

lighttpd-02-pam_auth.patch (9.01 KB), sravas, 2014-08-07 23:52
0002-pam-auth.patch (9.65 KB), sravas, 2018-04-10 13:16
0003-pam-auth.patch (9.72 KB), akschu1, 2018-09-17 19:47

Related issues: 1 (0 open, 1 closed)

Related to Feature #2323: RADIUS support for mod_auth for 1.4.x (Duplicate, 2011-06-17)
Actions #1

Updated by Anonymous over 18 years ago

I would also like to see this option. I understand the concerns about running lighttpd as root, but why not leave it as an option?

-- Shaun.Reitan <isat> NDCHost.com

Actions #2

Updated by Anonymous almost 18 years ago

You shouldn't need to have lighttpd run as root. You could just set the group of /etc/shadow to lighttpd and allow group read. If lighty supported it, I could move a few of my clients across.

-- richard

Actions #3

Updated by Anonymous almost 18 years ago

I would like to see PAM too... lighty's authentication options are a bit lacking at the moment. PAM would open the way to using MySQL, SQLite and every other PAM module out there. This is preventing me migrating an Apache instance over at the moment.

-- David Anderson

Actions #4

Updated by Anonymous over 17 years ago

Count one more for PAM; it would be especially helpful when coordinating small development with Trac and Mercurial-over-SSH.

-- blinks

Actions #5

Updated by darix over 17 years ago

  • Status changed from New to Fixed
  • Resolution set to wontfix

I removed all the PAM code and I really don't feel like re-adding it. I would rather add support for httpauth or Dovecot SASL, but not direct usage of PAM.

LDAP is no option for you?

Actions #6

Updated by Anonymous over 17 years ago

The reason I'd like PAM is mainly just to work with the existing users on my system (that have SSH access). Will the other options allow this?

-- blinks

Actions #7

Updated by darix over 17 years ago

Replying to :

The reason I'd like PAM is mainly just to work with the existing users on my system (that have SSH access). Will the other options allow this?

Sure, I can understand that, but the price is too high IMHO.
Even if you give lighttpd read permissions on the file and don't run it as root, with a simple hole in a web application your shadow file could be retrieved and the whole server would be compromised.

The other options would allow PAM auth, yes.

Actions #8

Updated by Anonymous over 17 years ago

Replying to darix:

the other options would allow pam auth yes.

That's just fine, then.

Actions #9

Updated by Anonymous almost 17 years ago

  • Status changed from Fixed to Need Feedback
  • Resolution deleted (wontfix)

OK, reasons for PAM:

  • PAM provides a flexible implementation of many methods to authenticate somebody/something.
  • PAM is NOT a security hole. You are allowed to use something other than /etc/shadow. But you are allowed to use /etc/shadow, if you want.
  • PAM provides every authentication method (1) which you could want to implement in lighttpd, but NOW.
  • Use PAM and you can remove some code. It provides everything you need.

PAM allows it, doesn't restrict it.

(1) TLS-Auth and something else isn't possible.

-- denis.knauf

Actions #10

Updated by darix almost 17 years ago

  • Status changed from Need Feedback to Fixed
  • Resolution set to wontfix

Many people will want to use shadow-based auth. That requires root permissions. We don't have an authentication helper that runs as root.

To not create false assumptions or get users running their web server as root, we dropped the feature.

Actions #11

Updated by stbuehler over 16 years ago

  • Status changed from Fixed to Wontfix

Actions #12

Updated by pprkut about 13 years ago

Newer versions of PAM no longer require pam_unix.so to be run as root, which I guess was the main argument against this feature in lighttpd. Maybe someone could look at it again?

Actions #13

Updated by stbuehler about 13 years ago

  • Description updated (diff)
  • Missing in 1.5.x set to No

How would pam_unix.so work if it can't read /etc/shadow?

Actions #14

Updated by pprkut about 13 years ago

I'm not a PAM expert, but I saw that MariaDB (MySQL fork) recently added a PAM authentication plugin. IMHO a database server has similar constraints about not running as root as a webserver.

In their wiki page (http://kb.askmonty.org/en/pam-authentication-plugin) they have the following note:

if you configure PAM to use pam_unix.so and notice that MariaDB needs to run as a root user to be able to access /etc/shadow — try to upgrade your PAM installation. Newer versions of PAM do not require pam_unix.so to be run as root.

Actions #15

Updated by stbuehler about 13 years ago

You would either need a daemon running as root providing access (but then it wouldn't be pam_unix anymore), or you need a suid binary. There is only a suid binary for checking the password for your own user (for things like locking the screen).

Providing a simple way of checking passwords for local users would be STUPID (preventing that is the point of shadow after all).
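The two concerns raised above, in comment #7 (a group-readable /etc/shadow becomes retrievable through any file-read hole in a web application) and in comments #13 to #15 (a non-root process only gets the setuid pam_unix helper, which verifies the calling user's own password), can be checked on a host with the following script. It is an added example, not code from lighttpd or from any of the patches attached to this issue. It assumes a Linux host with GNU coreutils stat(1); the helper path /sbin/unix_chkpwd is an assumption that varies by distribution, which is why both paths are taken as arguments.

```shell
#!/bin/sh
# Added audit script for the shadow/PAM concerns discussed in this thread.
# Not part of lighttpd or of the attached patches. Assumes Linux with GNU
# coreutils stat(1); /sbin/unix_chkpwd is an assumed, distribution-specific path.

# pad_mode OCTAL_MODE -> four-digit mode string (stat -c %a prints 640, 0, 4755 ...)
pad_mode() { printf '%04d' "$1"; }

# digit_has_bit4 PADDED_MODE POSITION
# Succeeds when the octal digit at POSITION (1..4) has its 4 bit set.
# In digits 2..4 that is the read bit; in digit 1 it is the setuid bit.
digit_has_bit4() {
    d=$(printf '%s' "$1" | cut -c"$2")
    [ $(( d & 4 )) -ne 0 ]
}

mode_grants_group_read() { digit_has_bit4 "$(pad_mode "$1")" 3; }
mode_grants_other_read() { digit_has_bit4 "$(pad_mode "$1")" 4; }

# has_setuid_bit FILE
has_setuid_bit() { digit_has_bit4 "$(pad_mode "$(stat -c '%a' "$1")")" 1; }

# audit_shadow FILE
# Fails when the shadow database is world readable, or group readable by a
# group other than the distribution's own (root or shadow), e.g. when the web
# server's group was given read access as suggested in comment #2.
audit_shadow() {
    mode=$(stat -c '%a' "$1") || return 1
    group=$(stat -c '%G' "$1")
    if mode_grants_other_read "$mode"; then
        echo "WARNING: $1 is mode $mode: world readable"
        return 1
    fi
    if mode_grants_group_read "$mode"; then
        case $group in
            root|shadow)
                echo "OK: $1 is mode $mode, group $group (distribution convention)"
                return 0 ;;
            *)
                echo "WARNING: $1 is mode $mode and readable by group $group; a file-read bug in a web application running in that group leaks it"
                return 1 ;;
        esac
    fi
    echo "OK: $1 is mode $mode (owner-only read)"
}

# audit_helper PATH
# Reports whether the pam_unix helper is setuid root. A non-root caller can
# only use it to verify the caller's own password, so it does not give a
# web server a way to check other users' shadow entries.
audit_helper() {
    if [ ! -x "$1" ]; then
        echo "NOTE: $1 not found; pam_unix.so has no helper to reach the shadow database here"
        return 1
    fi
    owner=$(stat -c '%U' "$1")
    if has_setuid_bit "$1" && [ "$owner" = root ]; then
        echo "OK: $1 is setuid root; an unprivileged caller can still only verify its own password"
        return 0
    fi
    echo "WARNING: $1 is owned by $owner without setuid root; pam_unix.so in a non-root process cannot reach the shadow database"
    return 1
}

# Usage: sh pam_audit.sh /etc/shadow [/sbin/unix_chkpwd]
if [ $# -ge 1 ]; then
    audit_shadow "$1"
    audit_helper "${2:-/sbin/unix_chkpwd}"
fi
```

Run it as the script's usage line shows; a warning from audit_shadow means the shadow database is exposed to more than the distribution intends, and audit_helper summarises why a non-root lighttpd using pam_unix.so still cannot authenticate arbitrary local users.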

Actions #16

Updated by sravas over 10 years ago

If anybody is interested, here is my patch against 1.4.35 implementing simple PAM authentication.

Actions #17

Updated by sravas almost 7 years ago

The same patch updated for 1.4.45.

Actions #18

Updated by yurylankovskiy over 6 years ago

sravas wrote:

The same patch updated for 1.4.45.

Hello sravas, can you please share some information with me on how you've integrated the patch? I'm running version 1.4.48 of lighttpd, but it should not matter.

1. How did you compile --with-pam? Any dependencies included?
2. After compilation, you moved mod_authn_pam.so to the libraries folder and included "mod_authn_pam" in the lighttpd config?

The issue I'm having is that I'm able to compile with just the --with-pam flag, and afterwards I can see that lighttpd has pam included in the list of modules. Lighttpd restarts successfully; however, I get out-of-memory issues if I include "mod_authn_pam".

I would highly appreciate it if you shared some of your knowledge.

Also, it would be nice to see a sample of your PAM configuration from lighttpd.config

Thanks!

Actions #19

Updated by akschu1 over 6 years ago

I have updated the code to work with 1.4.50 and I have it working with nss-pam-ldapd, which solves a number of problems for me:

1. The current mod_authn_ldap module doesn't TLS-encrypt the bind-dn user. See #2909
2. It's easier to have the LDAP search config in one place instead of multiple places.
3. The config is much simpler.
4. The nss-pam-ldapd config allows me to define multiple LDAP servers for redundancy.

Here is the config to make it work:

auth.backend = "pam"
auth.backend.pam.service-name = "lighttpd"
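
To go with the two directives akschu1 posted, the following script stages a matching lighttpd.conf fragment together with the PAM service file it names, and checks that the service name in lighttpd.conf has a corresponding file under pam.d (without one, Linux-PAM falls back to the "other" stack). It is an added example, not part of lighttpd or of the patches on this issue. The `auth.backend.pam.service-name` spelling is the one shown in the thread and belongs to the attached patch, so verify the option name against the mod_authn_pam build you actually run; the `server.modules` and `auth.require` lines and the /admin/ path are assumed, and the pam_unix.so stack is subject to the shadow-access caveat discussed in comments #7 and #15.

```shell
#!/bin/sh
# Added example (not lighttpd's own code or the attached patches): stage a
# lighttpd.conf fragment plus the PAM service file it names under DIR and
# verify that the two agree. Assumes POSIX sh and sed.

# write_sample_config DIR
# Writes constructed sample files: DIR/lighttpd.conf and DIR/pam.d/lighttpd.
write_sample_config() {
    mkdir -p "$1/pam.d" || return 1
    cat > "$1/lighttpd.conf" <<'EOF'
# lighttpd.conf fragment (constructed sample). The service-name directive is
# the spelling used by the patch in this thread; mod_auth/mod_authn_pam
# module names, the /admin/ path and the realm are assumed.
server.modules += ( "mod_auth", "mod_authn_pam" )

auth.backend = "pam"
auth.backend.pam.service-name = "lighttpd"

auth.require = ( "/admin/" => (
    "method"  => "basic",
    "realm"   => "lighttpd admin",
    "require" => "valid-user"
) )
EOF
    cat > "$1/pam.d/lighttpd" <<'EOF'
# /etc/pam.d/lighttpd (constructed sample). pam_unix.so reads the shadow
# database; as discussed in this thread, a non-root lighttpd only gets the
# setuid helper, which checks the calling user's own password. For a
# non-root server use pam_ldap.so (nss-pam-ldapd, as in comment #19) or
# another module that does not depend on /etc/shadow.
auth    required    pam_unix.so
account required    pam_unix.so
EOF
}

# pam_service_from_conf CONF
# Prints the PAM service name configured in CONF, or nothing if absent.
pam_service_from_conf() {
    sed -n 's/^[[:space:]]*auth\.backend\.pam\.service-name[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# check_pam_service DIR
# Fails when DIR/lighttpd.conf names a PAM service with no file in DIR/pam.d.
check_pam_service() {
    svc=$(pam_service_from_conf "$1/lighttpd.conf")
    if [ -z "$svc" ]; then
        echo "ERROR: no auth.backend.pam.service-name in $1/lighttpd.conf"
        return 1
    fi
    if [ -f "$1/pam.d/$svc" ]; then
        echo "OK: PAM service '$svc' is defined in $1/pam.d/$svc"
        return 0
    fi
    echo "WARNING: $1/pam.d/$svc is missing; PAM would apply the 'other' stack to service '$svc'"
    return 1
}

# Usage: sh pam_stage.sh /tmp/lighttpd-pam-staging
# Review the staged files, then copy them to /etc/lighttpd and /etc/pam.d.
if [ $# -ge 1 ]; then
    write_sample_config "$1" && check_pam_service "$1"
fi
```

The check matters in practice because a typo in the service name does not produce an error from PAM: authentication silently runs through /etc/pam.d/other, whose policy may be either deny-all or far more permissive than intended.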

Actions #20

Updated by gstrauss over 6 years ago

  • Status changed from Wontfix to Patch Pending
  • Target version set to 1.4.51

Thanks @akschu1. I have similar code in my tree. As you found, it is straightforward to create a simple, blocking request to PAM. Before releasing mod_authn_pam, I've wanted to implement a caching layer for all mod_auth modules (see #2805), since all are blocking. ...I'll reconsider releasing mod_authn_pam sooner since it fills some needs.

Actions #21

Updated by gstrauss over 6 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100

Actions #22

Updated by gstrauss about 6 years ago

  • Related to Feature #2323: RADIUS support for mod_auth for 1.4.x added