Re: PAM authentication on WWW page

From: Juha Laiho (Juha.Laiho_at_iki.fi)
Date: 08/08/03


Date: Fri, 08 Aug 2003 17:07:00 GMT

slawu@sus.univ.szczecin.pl (Sławomir Kolasiński) said:
> I want to write a login web page using Apache and perl. I want it to
>authorize users using PAM. I wrote a script using Authen::PAM perl package
>and it works correctly when I launch it from a terminal.

Running as which user? Checking password for which user?
If I recall correctly, the regular methods for checking the password
(against the /etc/shadow file) are restricted so that for any account you're
allowed to check the password for the account itself - but for no others.
Only root is allowed to check any password.

>When I run the script from my WWW browser it refuses to authenticate
>anyone. I use service name "login" and my Apache is configured to run
>scripts as user nobody (I guess it has something to do with the case).

Try testing from the terminal as user nobody.

>How can I make PAM authenticate users even when my script is run as nobody?

As I recall, can't be made - and this is a shame.

>All I really want is to use my system's user database so I don't have to
>put users in pgsql database and synchronize it each time someone adds a
>new user.

How about automating that procedure (i.e. create a small script to use
for adding users, and make that so that it also creates the password
entry in pgsql)? A "real" solution would be to go to some true
authentication service method (LDAP/Kerberos), but that might be overkill.

-- 
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

