[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

pamifying a non-root apache?

A few months ago I adjusted the already available mod_auth_pam for
Apache so that I could tell it a different pam type per .htaccess or
<directory> selection.

Since then we have been using it on a tightly closed down server that
gives users access to various stuff with their real (shadow) password.
The server runs as root. 

That was before pwdb came with pwdb_chkpwd.

So that came along and I got all excited about being able to run
apache with mod_auth_pam but then remembered/realized that pwdb_chkpwd
checks the password of the real UID of the process. A very good thing
for almost every case but in this one a bit of a bummer.

So my question is: Given a situation where one really does want to do
shadow based authentication from processes not running as root nor as
the user being authenticated, and use PAM, what does one do?

The only thing I've thought of so far is to write a new apache module
(or find an existing one) that provides username, password, and pam
service name to a setuid pamified helper binary that will take all that
info and do a pam_start, pam_authenticate, and pam_end and return success
or failure.

What I haven't thought of is the best way to pass the data and the
probably quite large security implications of doing something like
this.

What you guys think?

The basic goal here is to have a fully unified authentication scheme
for customers who never have to log in to a shell to do anything and
do most things from web pages. I suppose the other alternative is to
not use .htaccess at all and have all the service web pages
authenticate themselves as part of the input. 

..........................
Chris Dent........SysAdmin
...........Kiva Networking
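An added example, not part of the original post and not code from mod_auth_pam or pwdb: one way to settle the "how to pass the data" question for the module-to-setuid-helper design described above. The request goes to the helper on stdin as three length-prefixed fields (service, user, password), so the password never lands in argv (readable by every user via ps) or in the environment; the helper parses it, rejects anything malformed, and only accepts PAM service names from a fixed allowlist, because a root helper that accepts an arbitrary service name lets any local caller drive whichever stack in /etc/pam.d they like. The helper path, the service names and the frame format are all assumptions made up for this example. The parsing logic is written in Python for readability; the real helper must be a compiled binary (setuid bits are ignored on interpreter scripts), and after a successful parse it would do the pam_start, pam_authenticate, pam_end sequence the post lists, with a conversation function that answers PAM_PROMPT_ECHO_OFF with the parsed password.

```python
"""Request framing and validation shared by a non-root web module and a
setuid PAM helper.  Added example; the helper path, service names and
frame layout below are assumptions, not anything from the original post."""
import re
import struct
import subprocess

MAX_FIELD = 255                                   # keep well under PAM_MAX_RESP_SIZE
SERVICE_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")
# Fixed allowlist: the helper runs as root, so the caller must not be able to
# select an arbitrary stack from /etc/pam.d (e.g. "su").  Names are hypothetical.
ALLOWED_SERVICES = frozenset({"httpd-customer", "httpd-admin"})
HELPER = "/usr/local/libexec/pam_auth_helper"     # hypothetical helper path


def _field(raw: bytes) -> bytes:
    """One frame field: 2-byte big-endian length followed by the bytes."""
    if len(raw) > MAX_FIELD:
        raise ValueError("field too long")
    if b"\0" in raw:
        raise ValueError("NUL not allowed: PAM sees C strings")
    return struct.pack(">H", len(raw)) + raw


def frame_request(service: str, user: str, password: str) -> bytes:
    """Module side: serialize (service, user, password) for the helper's stdin."""
    return b"".join(_field(x.encode("utf-8")) for x in (service, user, password))


def parse_request(blob: bytes):
    """Helper side: decode and validate a frame.  Raises ValueError on anything
    malformed; returns (service, user, password) only for an allowed service."""
    fields = []
    pos = 0
    for _ in range(3):
        if pos + 2 > len(blob):
            raise ValueError("truncated length")
        (n,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        if n > MAX_FIELD or pos + n > len(blob):
            raise ValueError("bad field length")
        raw = blob[pos:pos + n]
        pos += n
        if b"\0" in raw:
            raise ValueError("NUL in field")
        fields.append(raw.decode("utf-8"))
    if pos != len(blob):
        raise ValueError("trailing data")
    service, user, password = fields
    if not SERVICE_RE.match(service) or service not in ALLOWED_SERVICES:
        raise ValueError("service not permitted")
    # Username is handed to pam_start(); keep it to something getpwnam() would
    # actually have.  No empty names, no whitespace, no passwd-field separator.
    if not user or ":" in user or any(c.isspace() for c in user):
        raise ValueError("bad username")
    return service, user, password


def request_is_valid(blob: bytes) -> bool:
    """Convenience wrapper: True iff parse_request() accepts the frame."""
    try:
        parse_request(blob)
    except (ValueError, UnicodeDecodeError):
        return False
    return True


def authenticate_via_helper(service: str, user: str, password: str,
                            helper: str = HELPER) -> bool:
    """Module side: run the setuid helper with an empty environment and the
    request on stdin.  Only exit status 0 counts as success; the helper's
    output is not trusted or parsed."""
    proc = subprocess.run([helper], input=frame_request(service, user, password),
                          env={}, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL, timeout=10)
    return proc.returncode == 0
```

Two caveats a real helper needs beyond what the frame gives you: it should call pam_acct_mgmt after pam_authenticate so locked or expired accounts fail even though the password is right, and it should be executable only by the web server's group (mode 4750, owned by root), so the root-running authentication oracle is not reachable by every local user who can run a binary.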
