BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

mod_auth_pam

Subject: mod_auth_pam
From: me at mattgillen.net (Matthew Gillen)
Date: Fri, 18 Aug 2006 11:36:17 -0400
In-reply-to: <44E5DBA6.6030507@stephenadler.com>
References: <44E5D3B1.8060508@stephenadler.com> <44E5D772.1080700@mattgillen.net> <44E5D911.6080407@stephenadler.com> <44E5D9A3.2010201@mattgillen.net> <44E5DBA6.6030507@stephenadler.com>

I don't think that's how PAM authentication works.  The httpd daemon should
not be making calls directly to NIS.  The local NIS client (ypbind) should be
doing that on behalf of anything that uses PAM as a backend.  (check for
yourself: from your log message below, the port that was refused was 34502;
what does 'rpcinfo -p' return on your webserver machine?  Is 34502 in that list?)

I don't have any better ideas if changing /etc/pam.d/httpd didn't work, but I
don't think the problem has to do with httpd->ypserver interaction.  More
likely it's ypbind->ypserver or httpd->ypbind.

Matt

Stephen Adler wrote:
> I think its coming down to the fact that httpd is on a port which is
> greater than 1024 and there is something in ypserv.conf about
> restricting getting shadow.byname to high port number requests.
> 
> snipit from /etc/ypserv.conf
> # Not everybody should see the shadow passwords, not secure, since
> # under MSDOG everbody is root and can access ports < 1024 !!!
> *                          : *       : shadow.byname    : port
> *                          : *       : passwd.adjunct.byname : port
> 
> I need to do more research on ypserv.conf...
> 
> Matthew Gillen wrote:
>> It doesn't seem like this should make a difference, but here's what
>> mine looks
>> like:
>> $ cat /etc/pam.d/httpd
>> #%PAM-1.0
>> auth       include      system-auth
>> account    include      system-auth
>> # Comment out the previous account line and uncomment the following
>> line if
>> # you wish to allow logins that don't have a system account
>> #account    required     pam_permit.so
>>
>>
>> Stephen Adler wrote:
>>  
>>> I'm running red hat enterprise linux 4.
>>>
>>>
>>> [root at qmt0 init.d]# cat /etc/pam.d/httpd
>>> #%PAM-1.0
>>> auth       required     /lib/security/pam_unix.so
>>> account    required     /lib/security/pam_unix.so
>>>
>>> it is there....
>>>
>>> Matthew Gillen wrote:
>>>    
>>>> What distro are you using?  Fedora Extras has an mod_auth_pam package
>>>> that
>>>> works out of the box for me with NIS.
>>>>
>>>> Looking at the file listing for that package, it seems that there is a
>>>> file it
>>>> adds:
>>>>  /etc/pam.d/httpd
>>>>
>>>> Do you have that file?
>>>>
>>>> Matt
>>>>
>>>> Stephen Adler wrote:
>>>>  
>>>>      
>>>>> I'm trying to get mod_auth_pam working using NIS and I'm having a
>>>>> bit of
>>>>> a problem.
>>>>> I've downloaded mod_auth_pam, (mod_auth_pam-2.0-1.1.1.tar.gz) and did
>>>>> the required
>>>>> make; make install.
>>>>>
>>>>> I added the lines
>>>>>
>>>>> # loading mod_auth_pam module. SA - Fri Aug 18th, 2006
>>>>> LoadModule auth_pam_module modules/mod_auth_pam.so
>>>>> LoadModule auth_sys_group_module modules/mod_auth_sys_group.so
>>>>>
>>>>> to the /etc/httpd/conf/httpd.conf file
>>>>>
>>>>> and restarted httpd. This worked all ok. I then created a directory
>>>>> /usr/local/www/adler
>>>>> and put an index.html file there. I also created a file
>>>>> localusers.conf
>>>>> with the following
>>>>> text
>>>>> #
>>>>> # Local qmp users web directories
>>>>> #
>>>>>
>>>>> Alias /adler /usr/local/www/adler
>>>>> <Directory /usr/local/www/adler>
>>>>>  AuthType Basic
>>>>>  AuthName "secure area"
>>>>> #  require group adler
>>>>>  require user adler
>>>>> </Directory>
>>>>>
>>>>> and put that in /etc/httpd/conf.d directory
>>>>>
>>>>> Finally I surfed to http://localhost/adler and the username password
>>>>> authorization window
>>>>> pops up. I put in my user name and password and the authorization
>>>>> fails.
>>>>> The following
>>>>> text shows up in the /var/log/messages file
>>>>>
>>>>>
>>>>> Aug 18 10:48:50 qmt0 ypserv[19665]: refused connect from
>>>>> 172.17.1.2:34502 to procedure ypproc_match
>>>>> (quantummoleculartech.com,shadow.byname;-1)
>>>>> Aug 18 10:48:50 qmt0 httpd(pam_unix)[19463]: authentication failure;
>>>>> logname= uid=48 euid=48 tty= ruser= rhost=  user=adler
>>>>>
>>>>>
>>>>> So, pam authentication is being enabled, but ypserv is refusing the
>>>>> connection. I've removed /var/yp/securenets file and have restarted
>>>>> ypserv.
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> Cheers. Steve.
>>>>> _______________________________________________
>>>>> Discuss mailing list
>>>>> Discuss at blu.org
>>>>> http://olduvai.blu.org/mailman/listinfo/discuss
>>>>>             
>>>>         
>>
>> _______________________________________________
>> Discuss mailing list
>> Discuss at blu.org
>> http://olduvai.blu.org/mailman/listinfo/discuss
>>
>>

Follow-Ups:
- mod_auth_pam
  - From: adler at stephenadler.com (Stephen Adler)

References:
- mod_auth_pam
  - From: adler at stephenadler.com (Stephen Adler)
- mod_auth_pam
  - From: me at mattgillen.net (Matthew Gillen)
- mod_auth_pam
  - From: adler at stephenadler.com (Stephen Adler)
- mod_auth_pam
  - From: me at mattgillen.net (Matthew Gillen)
- mod_auth_pam
  - From: adler at stephenadler.com (Stephen Adler)

Prev by Date: mod_auth_pam
Next by Date: mod_auth_pam
Previous by thread: mod_auth_pam
Next by thread: mod_auth_pam
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Boston Linux & Unix / webmaster@blu.org