Apache mod_auth_pam patch to allow non local users to auth

Mooney, Ryan ryan.mooney at pnl.gov
Mon Jun 14 21:43:06 UTC 2004


>  Les Mikesell queried:
> How is this different from using 
> account    required     pam_permit.so
> in /etc/pam.d/httpd?  Or is the point to make it
> optional per authentication directive to httpd?

Yes, we had some things we actually cared local accounts, 
and other places it wasn't really an option (potentially 
on the same machine).  This seemed like the least evil
solution (other than running multiple httpd's with different
pam module names, which while possible didn't seem any 
better).

It might be worth noting that for some large percent of the
folks the above is probably actually the better/correct 
solution...

> -----Original Message-----
> From: Les Mikesell [mailto:les at futuresource.com] 
> Sent: Monday, June 14, 2004 12:07 PM
> To: Pluggable Authentication Modules
> Subject: Re: Apache mod_auth_pam patch to allow non local 
> users to auth
> 
> 
> On Mon, 2004-06-14 at 11:54, Mooney, Ryan wrote:
> 
> > Attached is a patch to mod_auth_pam.1.1.1 for apache 1.3.X to 
> > optionally allow users who are not in the local password file to be 
> > authenticated.  The default behavior is the same as the current 
> > version, however if AuthPAM_NoLocalUser is set to ON, it 
> bypasses the 
> > local getpwent check and attempts to just use the username 
> as passed 
> > in by apache.
> > 
> > This is useful for when you want to allow groups, or other 
> valid user 
> > lists, and are using a remote authentication mechanism 
> (like kerberos, 
> > ldap or securid) but do not wish to add real local accounts.  This 
> > option has the side affect that if all you require is "valid-user" 
> > then anyone who can authenticate via PAM by any means has access 
> > (which may not be what you desire).
> > 
> > 
> ______________________________________________________________________
> 
> ---
>  Les Mikesell
>    les at futuresource.com
> 
> 
> 
> 
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com https://www.redhat.com/mailman/listinfo/pam-list
> 





More information about the Pam-list mailing list