LinuxQuestions.org
Visit Jeremy's Blog.
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
Reload this Page How to debug apache + pam + pam_uinix
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 09-08-2011, 10:11 AM   #1
Couling
Member
 
Registered: Oct 2007
Posts: 30

Rep: Reputation: 15
How to debug apache + pam + pam_uinix

Hi All

I'm trying to get a section of my intranet to authenticate with system passwords through pam. I'm reasonably experienced at working with apache configuration but very new to PAM.

The problem I'm facing is that it's just not letting me login and I'm struggling to find any helpful debug output.

Any hints on what I may have donw wrong or how I can get more helpful debug would be great.

Apache error log for the vhost lists:
Code:
[Thu Sep 08 14:20:52 2011] [error] [client 127.0.0.1] PAM: user 'phil' - not authenticated: Authentication failure
/var/log/auth lists:
Code:
Sep  8 14:20:50 zbox unix_chkpwd[4739]: check pass; user unknown
Sep  8 14:20:50 zbox unix_chkpwd[4739]: password check failed for user (phil)
Sep  8 14:20:50 zbox apache2: pam_unix(apache2:auth): authentication failure; logname= uid=33 euid=33 tty= ruser= rhost=127.0.0.1  user=phil
/etc/pam.d/apache2 is configured as
Code:
auth      required  pam_securetty.so
auth      required  pam_unix.so shadow audit
auth      required  pam_nologin.so
account   required  pam_unix.so
Relavent apache config for the vhost :
Code:
    <Directory / >
        AuthPAM_Enabled on
        AuthType Basic
        AuthName "svn.pedal.me.uk"
    </Directory>

...


    <Directory /path/to/content >
        Options Indexes FollowSymLinks
        AllowOverride None

        Order allow,deny
        Allow from all

        require user phil
    </Directory>
 
Old 09-11-2011, 01:09 PM   #2
Couling
Member
 
Registered: Oct 2007
Posts: 30

Original Poster
Rep: Reputation: 15
Solved it.

It turns out there were a number of things wrong. To get mod_auth_pam you appear to need the authentication architecture loaded, but mod_auth_pam is not an auth provider itself, so I had to make sure the following were loaded:

mod_auth_basic
mod_authN_file
mod_authz_user

Once that was done I also needed to set this in the apache config:
AuthBasicAuthoritative off

mod_auth_pam isn't a Basic Auth provider (despite its appearances). The result is that you need to have another auth provider (mod_authn_file is easiest) to fail to find the user first before mod_auth_pam will kick in.

To keep the error log quiet I've also added in an empty auth file and configured apache to use that:
AuthUserFile config/authn

Hope this helps someone else
 
  


Reply



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Debug apache with core dumps RattleSn@ke Linux - Server 0 11-13-2009 03:07 AM
Apache 2.2 Authentication using PAM DiWi Linux - Server 1 03-07-2008 03:28 PM
Apache + PAM charafantah Linux - Server 0 01-03-2007 06:51 AM
Apache Virtual Host debug on SuSE Ougle SUSE / openSUSE 2 05-13-2005 08:53 AM
can't authenticate in apache using PAM JGarcia Linux - Security 1 09-03-2003 12:36 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 10:02 PM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration