mod_auth_pam

Stephen Adler adler at stephenadler.com
Fri Aug 18 13:01:33 EDT 2006


Success... sort of....

I finally got it to work. Actually it was all documented (how to set it 
up), and it was just a question of RTFM'ing.

The mod_auth_pam pretty much worked right out of the box. (i.e. it was 
never the problem of my inability to authenticate.) The httpd 
configuration file (and this is for Red Hat Enterprise Linux 4) looks like

[root@qmt0 init.d]# cat /etc/pam.d/httpd
#%PAM-1.0
auth       required     /lib/security/pam_unix.so
account    required     /lib/security/pam_unix.so

So, the two things I had to do were fix ypserv to allow shadow.name to be 
accessed from a port greater than 1024 by modifying /etc/ypserv.conf, and 
change the group on the /etc/shadow to apache and chmod it to 440. 
(ouch...) I sort of blew a hole in the security of my system... but at 
least now I can authenticate. :)

Thanks to everyone for their help!

Cheers. Steve.

Matthew Gillen wrote:
> Stephen Adler wrote:
>   
>> I tried the system-auth, but the httpd mod_auth_pam could not find the
>> appropriate pam modules. :(
>>
>> [root@qmt0 pam.d]# more httpd
>> #%PAM-1.0
>>
>> auth       required     /lib/security/pam_unix.so
>> account    required     /lib/security/pam_unix.so
>>
>> #auth       include      system-auth
>> #account    include      system-auth
>>
>> the commented out lines were what I tried...
>>     
>
> For what it's worth, here's the contents of my system-auth:
> $ cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        required      pam_deny.so
>
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
> password    required      pam_deny.so
>
> session     required      pam_limits.so
> session     required      pam_unix.so
>
> ------------------------
>
> HTH,
> Matt
>   
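Added example, not part of the original messages: a shell function that flags the /etc/shadow state described in the post above (group changed to a service account such as apache, mode 440). The function name audit_shadow and its default allowed groups (root, shadow) are assumptions; it requires GNU stat.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU stat (coreutils).
# audit_shadow FILE [ALLOWED_GROUPS] [OWNER_UID]
#   ALLOWED_GROUPS: groups that may hold read access (default "root shadow")
#   OWNER_UID:      expected numeric owner (default 0)
# Prints one finding per line; returns 0 = clean, 1 = findings, 2 = missing.
audit_shadow() {
    file=$1
    allowed=${2:-"root shadow"}
    want_uid=${3:-0}
    findings=0

    [ -e "$file" ] || { echo "MISSING $file"; return 2; }

    mode=$(stat -c %a "$file")    # octal permission bits, e.g. 440
    uid=$(stat -c %u "$file")     # numeric owner
    group=$(stat -c %G "$file")   # group name, e.g. apache
    bits=$((0$mode))              # leading 0 makes the shell read it as octal

    group_ok=no
    for g in $allowed; do
        [ "$g" = "$group" ] && group_ok=yes
    done

    if [ "$uid" -ne "$want_uid" ]; then
        echo "OWNER $file is owned by uid $uid, expected $want_uid"
        findings=1
    fi
    # The state described in the post: read bit granted to a service group.
    if [ $(($bits & 040)) -ne 0 ] && [ "$group_ok" = no ]; then
        echo "GROUP_READ $file (mode $mode) is readable by group '$group'"
        findings=1
    fi
    if [ $(($bits & 020)) -ne 0 ]; then
        echo "GROUP_WRITE $file (mode $mode) is writable by group '$group'"
        findings=1
    fi
    if [ $(($bits & 07)) -ne 0 ]; then
        echo "WORLD $file (mode $mode) grants access to all users"
        findings=1
    fi

    [ "$findings" -eq 0 ] && echo "OK $file mode=$mode group=$group"
    return "$findings"
}

# Usage: audit_shadow /etc/shadow
```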