I need help with authentication PAM

karlag · 08-15-2008, 03:19 PM

Hey guys im newbie in linux and ive been working with squid and everything works perfect except for the pam authentication even i tried ncsa and works perfect.. My problem with pam is that when the web ask me for an user and a password i put the one in the system and it doesnt work, the web ask me again for the user and the password... I read in this forum that it was something about the deamon squid.. but like i said im a newbie in linux :-?

here's my /etc/squid/squid.conf:

http_port 3128

visible_hostname localhost

auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl password proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT

http_access allow all password

And in my /etc/pam.d/squid:

auth required pam_unix.so
account required pam_unix.so

Please if someone can help me.. thanks!!

GlennsPref · 08-15-2008, 11:04 PM

Hi, I did a little search on pam and squid and found this page...

(I don't have an entry for pam in my squid.conf file(shruggs sholders))

Quote:

http://www.opensourcehowto.org/how-t...ntication.html

I usually check these pages...

Quote:

http://www.linuxhomenetworking.com/

...

when trouble shooting, beware of versions, as with squid, the new version does a lot of things automatically reducing the config file size.

Both squid and iptables are covered really well here.

I hope you find what you need, Glenn

karlag · 08-16-2008, 10:04 AM

Thanks but those links i already tried... :S

GlennsPref · 08-16-2008, 07:02 PM

OK, I use squid and iptables with out pam auth. (local network is 2 pc's, both mine)

That's all I got, Glenn

GlennsPref · 08-16-2008, 08:30 PM

For comparison sakes,

My /etc/squid/squid.conf

Quote:

http_port 192.168.0.2:3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir diskd /var/spool/squid 6144 16 256
cache_store_log none
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
half_closed_clients off
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443 563
acl SSL_ports port 873
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_reply_access allow all
icp_access allow all
visible_hostname GamesBox.GlennsPref.net
append_domain .GlennsPref.net
err_html_text squid@GamesBox.GlennsPref.net
deny_info ERR_CUSTOM_ACCESS_DENIED all
memory_pools off
coredump_dir /var/spool/squid
ie_refresh on

/etc/pam.d/squid

Quote:

#%PAM-1.0
auth include system-auth
auth required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
session required pam_limits.so

/etc/rc.d/init.d/iptables

Quote:

# Atomic IPTables firewall script v1.2
#
# Simple but effective firewall written for
# the Atomic Uber Linux box guide,
# Issue 21, Oct 2002
#
# Updated May 2003 for bandwidth shaping
#
# Ashton Mills
# amills@iinet.com.au

# Environment variables, change these values accordingly

EXT_IF=ppp0
INT_IF=eth0
INT_NET=192.168.0.0/24

ANY=0.0.0.0/0

IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe

#
## You shouldn't need to touch anything below here
#

# Load appropriate iptables modules, others will be loaded dynamically on demand

$MODPROBE ip_tables
$MODPROBE iptable_filter
$MODPROBE ip_nat_ftp
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp

# Set proc values for TCP/IP. In order:
#
# Disable IP spoofing attacks
# Ignore broadcast pings
# Block source routing
# Kill redirects
# Set acceptable local port range
# Allow dynamic IP addresses
# Enable forwarding (gateway)

echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward

# Flush everything

$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

#
## --- DEFAULT POLICY --- ##
#

# Drop everything on INPUT and FORWARD chains, accept OUTPUT

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

#
## --- INPUT CHAIN --- ##
#

# Allow access to services on this (the gateway) machine

# SSH
$IPTABLES -A INPUT -p tcp --source 192.168.0.3/32 --dport 22 -j ACCEPT

# FTP
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT

# Bittorrent
$IPTABLES -A INPUT -p tcp --dport 6881:6969 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 6881:6969 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 4444 -j ACCEPT

# Accept all connections on local and internal interfaces

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INT_IF -j ACCEPT

# Stateful inspection -- Allow packets in from connections already established

$IPTABLES -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop packets from invalid sources (reserved networks and localhost)

$IPTABLES -A INPUT -i $EXT_IF -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s 169.254.0.0/16 -j DROP
$IPTABLES -A INPUT -d 127.0.0.0/8 -j DROP

# Don't log igmp, web or ssl. More noise we don't need to log.

$IPTABLES -A INPUT -p igmp -j DROP
$IPTABLES -A INPUT -p tcp --dport 80 -j DROP
$IPTABLES -A INPUT -p tcp --dport 443 -j DROP

# Log everything else

$IPTABLES -A INPUT -i $EXT_IF -j LOG --log-prefix "|iptables -- "

#
## -- BANDWIDTH SHAPING -- ##
#

#
# EGRESS (upstream)
#

# TOS marked packets (we'll just work with minimise-delay and maximise-throughput)
$IPTABLES -t mangle -A POSTROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 30

# UDP (most games, including all Half Life mods as well as DNS, IM clients and more)
$IPTABLES -t mangle -A POSTROUTING -p udp -j MARK --set-mark 10

# Games that use DirectPlay from DirectX (note UDP traffic already matched above)
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 47624 -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 2300:2400 -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 2300:2400 -j MARK --set-mark 10

# ICMP (ping)
$IPTABLES -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 10

# SSH
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 22 -j MARK --set-mark 10

# Web, SSL
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 80 -j MARK --set-mark 20
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 443 -j MARK --set-mark 20

# ACKs
$IPTABLES -t mangle -A POSTROUTING -p tcp -m length --length :64 -j MARK --set-mark 20

#
# No need for catchall for class 30, handled by HTB root qdisc initilisation
#

#
# INGRESS (downstream)
#

# Only prioritise class 10 traffic

# Don't police high priority UDP, game, ping and SSH packets
$IPTABLES -t mangle -A PREROUTING -p udp -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 47624 -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 2300:2400 -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 2300:2400 -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p icmp -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 22 -j MARK --set-mark 10

# Catchall, police everything else
$IPTABLES -t mangle -A PREROUTING -m mark --mark 0 -j MARK --set-mark 30

#
# NOTE: It's a good idea -not- to add HTTP to be let through the police filter even
# for browsing as many P2P programs, not to mention your HTTP file downloads, will
# flood the link unpoliced, causing delays with high priority (class 10) packets.
# Shape HTTP going out, but let it be bulk coming in.
#
# Read the note at the end of the atomic.shaper script for more on INGRESS shaping.
#

#
## --- FORWARD CHAIN --- ##
#

# Stateful inspection -- Forward in connections already established

$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -s $ANY -d $INT_NET -m state --state ESTABLISHED,RELATED -j ACCEPT

#---------------------------------------------------------------
# Allow outbound DNS queries from the FW and the replies too
#
# - Interface ppp0 is the internet interface
#
# Zone transfers use TCP and not UDP. Most home networks
# / websites using a single DNS server won't require TCP statements
#
#---------------------------------------------------------------

iptables -A OUTPUT -p udp -o ppp0 --dport 53 --sport 1024:65535 -j ACCEPT

iptables -A INPUT -p udp -i ppp0 --sport 53 --dport 1024:65535 -j ACCEPT

# Forwards for software running on Windows/Linux machines behind the firewall

# Kazaa Lite (change destination IP accordingly)

# $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 1214 -j DNAT --to-dest 192.168.0.2
# $IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 1214 -d 192.168.0.2 -j ACCEPT

# Bittorrent

$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 6881:6969 -j DNAT --to-dest 192.168.0.2
$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 6881:6969 -d 192.168.0.2 -j ACCEPT

$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 6881:6969 -j DNAT --to-dest 192.168.0.2
$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 6881:6969 -d 192.168.0.2 -j ACCEPT

$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 4444 -j DNAT --to-dest 192.168.0.2
$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 4444 -d 192.168.0.2 -j ACCEPT

# Forwards for hosting DirectPlay games

# iptables -A FORWARD -i ppp0 -o eth0 -p tcp --dport 47624 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 47624 -j DNAT --to-destination 192.168.0.2:47624
# iptables -A FORWARD -i ppp0 -o eth0 -p tcp --dport 2300:2400 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 2300:2400 -j DNAT --to-destination 192.168.0.2:2300-2400
# iptables -A FORWARD -i ppp0 -o eth0 -p udp --dport 2300:2400 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 2300:2400 -j DNAT --to-destination 192.168.0.2:2300-2400

# Forward out all traffic

$IPTABLES -A FORWARD -i $INT_IF -d $ANY -j ACCEPT

#
## --- OUTPUT CHAIN --- ##
#

# Follows policy

#
## --- NAT --- ##
#

# Enable masquerade

$IPTABLES -A POSTROUTING -t nat -o $EXT_IF -j MASQUERADE

#
## -- Transparent proxy to Squid --- ##
#

$IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128

Hope with that you can get it to work.

Sorry for all the lines, Glenn

karlag · 08-16-2008, 11:08 PM

Thank you thank you than you so much... i will try to do all that.. and i let you know.. but thanks...

GlennsPref · 08-17-2008, 12:03 AM

Quote:

Originally Posted by karlag

Thank you thank you than you so much... i will try to do all that.. and i let you know.. but thanks...

Just compare yours with mine.

Look for the pam and auth lines, I don't have to deal with pam, maybe it's automatic on my set up.

I thought if you could get yours to work without pam, allowing you to work on the system then you could re-setup pam later.

Regarding, "My problem with pam is that when the web ask me for an user and a password i put the one in the system and it doesnt work, the web ask me again for the user and the password"

What "web" is asking for a password?

karlag · 08-18-2008, 08:27 AM

Sorry about my english.. i mean when i open a browser (mozilla) with pam auth.. it ask me about the login and password and i put the one in the system and it ask me again.. its like he doesnt recognize it...

GlennsPref · 08-18-2008, 10:16 AM

This has not happend to me before, so I'm not too sure what the problem is.

Maybe it wants the root password, Have you tried that?

If so, you should be able to change the permissions so the users (/home/(user names)) have execute access.

If it is a web site....

karlag · 08-19-2008, 08:57 AM

Thanks all of you for try to help but i find out what the problem was.. before i used the squid i download and compile the pam (thing that i shouldnt done) because that destroy my auth pam... and i discovery it because i use the pam in another computer and it works perfectly.. i guess that those things happens when youre newbie in linux and you dont know what youre doing... thank you all!!

GlennsPref · 08-19-2008, 07:18 PM

Hi, Thank you for posting a solution to your problem, this may help others.

Thanks and all the best, Glenn