Closed return42 closed 4 years ago
I'm not familiar with the archlinux system-login PAM setup. But I wonder if it does anything else than checking the password against /etc/shadow. And assuming Apache HTTP Server does not run as root on archlinux, the process does not have permissions to read that file.
On other systems, to authenticate local users from a non-root process, SSSD can be used, together with pam_sss.so. Is there a chance of using SSSD on archlinux?
Thanks for fast feedback!
I'm not familiar with the archlinux system-login PAM setup.
auth required pam_tally2.so onerr=succeed file=/var/log/tallylog
auth required pam_shells.so
auth requisite pam_nologin.so
auth include system-auth
account required pam_tally2.so
account required pam_access.so
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_loginuid.so
session optional pam_keyinit.so force revoke
session include system-auth
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so dir=/var/spool/mail standard quiet
session optional pam_systemd.so
session required pam_env.so
But I wonder if it does anything else than checking the password against /etc/shadow
Does it? .. I don't know (sorry, I'm really a noob in such subjects). The logins I want to use are listed in /etc/passwd; this file is readable by "others". But I can't assess whether it is a problem (for PAM modules) when apache does not run as root (I use the normal "http" user for the apache service).
On other systems, to authenticate local users from non-root process, SSSD can be used,
I haven't set up SSSD so far .. but I guess it is much more than I need (or want) .. I was looking for a "simple" solution for my really simple scenario (using the ssh login for HTTP also) and thought mod_authnz_pam was the choice .. Do you have any idea what else I could try? / thanks!
Strange, I changed the apache conf to be invalid:
...
<Location /closed-share>
AuthType Basic
AuthName "www-loginxxxx"
AuthBasicProvider PAM
AuthPAMService www-loginxxx
Require valid-user
Options +Indexes +FollowSymLinks
</Location>
But the log message is the same:
[authnz_pam:warn] authentication failed for user markus: Authentication failure
I guess there is something completely wrong with my installation?
update: I looked at the sources; it seems there are no causality tests .. the message is typical for most kinds of failures.
But I wonder if it does anything else than checking the password against /etc/shadow
Does it? .. I don't know (sorry I'm really a noob in such subjects).
I phrased it wrong. Of course there are other actions taken in the PAM stack, but ultimately the hashed password is stored in /etc/shadow, so the password needs to be verified against that. What I meant was that it's unlikely that the PAM stack would be configured out of the box to spawn a set-uid binary which would do the check, or something like that.
The logins I want to use are listed in /etc/passwd; this file is readable by "others". But I can't assess whether it is a problem (for PAM modules) when apache does not run as root (I use the normal "http" user for the apache service).
Login names are in /etc/passwd. But passwords?
You should dig into the system-auth to see how things are configured.
On Fedora, pam_unix.so (not enabled by any PAM auth configuration by default) can use the helper binary unix_chkpwd to check the passwords in /etc/shadow. Look at the man pages to see if something similar is available on archlinux. If there is, simply using
auth required pam_unix.so
should enable the password checking even for unprivileged users.
To test if the approach works at all, before attempting to configure Apache, try
pamtester www-login markus authenticate
as a non-root user. That should give an indication of the feasibility of the approach.
Thanks a lot for your hints! ... I tested both PAM configurations, the short one you suggested and the www-login from mine, which was copied from system-local-login.
Both configurations work with pamtester .. when I run pamtester with my "markus" account (which is in the sudoers):
[markus@foo]$ pamtester www-login markus authenticate
Password:
pamtester: successfully authenticated
Apache runs with the 'http' system account, so I tested this also:
[markus@foo]$ sudo -H -u http bash
[http@foo]$ /usr/sbin/pamtester www-login markus authenticate
Password:
pamtester: Authentication failure
The cause apparently lies in the http account. I have to take a closer look at that. If I find the cause I'll be back.
update: on Ubuntu pamtester works when the caller is www-data (which is the system account used by apache on debian/ubuntu) .. but I can't say what the difference is compared to archlinux .. on ubuntu there is a shadow group with read access to the /etc/shadow file .. can it possibly be related to this? ... what are the PAM executables when I use pam_unix.so .. may they have a set-group-ID bit?
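A small diagnostic for the question above (is the difference the shadow group, or a set-id bit on the helper?), added here as an illustration and not part of mod_authnz_pam or of this thread: it reports whether a given account could read /etc/shadow through its own group membership, and what privilege the unix_chkpwd helper carries when executed. The helper paths, the account name 'http' and the function names are assumptions.

```python
import grp
import os
import pwd
import stat

# Hypothetical diagnostic (not part of mod_authnz_pam). It answers two questions
# a service account such as 'http' raises for pam_unix: can the account read
# /etc/shadow directly (Debian's "shadow" group), and does the helper binary
# (unix_chkpwd) gain privileges through a set-user-ID or set-group-ID bit?


def shadow_access(st_mode, st_uid, st_gid, uid, gids):
    """Classify how uid (member of the groups in gids) may read a file whose
    stat fields are given. Returns "root", "owner", "group", "other" or "none"."""
    if uid == 0:
        return "root"                       # root bypasses DAC entirely
    if uid == st_uid and st_mode & stat.S_IRUSR:
        return "owner"
    if st_gid in gids and st_mode & stat.S_IRGRP:
        return "group"                      # e.g. root:shadow 0640 plus group membership
    if st_mode & stat.S_IROTH:
        return "other"
    return "none"                           # the account cannot read the file itself


def helper_privilege(st_mode, st_uid, st_gid):
    """Describe what a helper binary gains when executed: its set-id bits."""
    if st_mode & stat.S_ISUID:
        return "setuid:%d" % st_uid         # runs with the owner's uid (0 = root)
    if st_mode & stat.S_ISGID:
        return "setgid:%d" % st_gid         # runs with the owning group's gid
    return "none"


def diagnose(user, shadow="/etc/shadow",
             helpers=("/usr/bin/unix_chkpwd", "/sbin/unix_chkpwd")):
    """Run both checks for a real account on this host; returns a dict."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    st = os.stat(shadow)
    report = {shadow: shadow_access(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)}
    for path in helpers:                    # assumed locations; only existing ones are reported
        if os.path.exists(path):
            hst = os.stat(path)
            report[path] = helper_privilege(hst.st_mode, hst.st_uid, hst.st_gid)
    return report


if __name__ == "__main__":
    import sys
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "http"))
```

Run it as any user (it only stats files, it does not read /etc/shadow); a "none" for the shadow file together with a "none" for the helper means pam_unix has no path to the password hashes from that account.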
I'm still fighting with it on archlinux / in the meantime I got pamtester working (even for the service user 'http'):
groupadd --system shadow
chgrp shadow /etc/gshadow
chmod g+r /etc/gshadow
chgrp shadow /etc/shadow
chmod g+r /etc/shadow
# set-group-ID bit
chgrp shadow /sbin/unix_chkpwd
chmod 02755 /sbin/unix_chkpwd
if [[ -e /sbin/pam_extrausers_chkpwd ]]; then
    chgrp shadow /sbin/pam_extrausers_chkpwd
    chmod 02755 /sbin/pam_extrausers_chkpwd
fi
But now I have an issue when mod_auth_pam is the process / If anyone is interested, I have created a small lxc suite in which I test all of it: https://github.com/return42/lxc-suite#mod-authnz-pam-archlinux
You shouldn't play with /etc/shadow permissions and deviate from the setup that the OS provides out of the box. Chances are you are creating a path for a security issue down the road. Please consult with the archlinux folks about the expected PAM setup and behaviour.
You shouldn't play with /etc/shadow permissions
Thanks for your hint / Debian has an official libapache2-mod-authnz-pam package; archlinux does not have official packages for mod_authnz_pam.
Setting /etc/shadow permissions (and the set-group-ID bit) is how debian solves password checking even for unprivileged users. Archlinux does not have a concept in PAM for "unprivileged users".
I'm a noob in PAM (and apache?). I have a small host with a handful of accounts. Users can log in via ssh. Now I want to use these normal user accounts (and passwords) in HTTP Basic auth. In the past I used AuthExternal (or similar), but today I think mod_authnz_pam is more what I want, so I gave it a try .. but at some point I struggle. Here is what I have done.
On archlinux I built the package from https://github.com/return42/mod_authnz_pam and installed the module .. so far, so good.
Now I set up a configuration:
In /etc/pam.d/www-login I copied what I found in /etc/pam.d/system-local-login
Now I open https://example.org/closed-share and the Basic auth dialog pops up. I enter the correct name and password, but my login is rejected. I don't know if it helps, but here is what I see in the apache error log ..
Does anyone have a clue where my mistake is? / thanks!