LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (https://www.linuxquestions.org/questions/slackware-14/)
-   -   What is the alternative to PAM in Slackware? (https://www.linuxquestions.org/questions/slackware-14/what-is-the-alternative-to-pam-in-slackware-4175546370/)

Altiris 06-24-2015 10:24 PM
What is the alternative to PAM in Slackware?
 
For example, a machine I have runs Centos 6 and hosts a website, when I click on a certain link (ive made it do this) a dialog box opens up asking for username/password authentication over https which uses PAM (local accounts are still being used). How could this be done on Slackware without PAM (I am not actually asking how this would get done, but what would be used rather than PAM)?

dijetlo 06-24-2015 11:48 PM
The estimable V. Batts has (more or less) resolved that pesky PAM problem for us, so plain old PAM is an option.

If you don't want to use PAM for a web server, you can use CGI scripts or PHP code to simulate the same functionality, without the security.

Altiris 06-25-2015 12:45 AM
Quote:
Originally Posted by dijetlo (Post 5382625)
The estimable V. Batts has (more or less) resolved that pesky PAM problem for us, so plain old PAM is an option.

If you don't want to use PAM for a web server, you can use CGI scripts or PHP code to simulate the same functionality, without the security.
So, obviously I don't know how this works. How come apache can't just use regular user authentication for this like programs such as postfix/dovecot can? Also, I thought PAM was insecure (or that it's complex which can lead to being insecure for some?)? Just seems confusing to me thats all, why does apache need PAM when other software (even vsftpd) does not need it.

vulcan59 06-25-2015 03:31 AM
Possibly this - https://code.google.com/p/mod-auth-external

This is not a recommendation. I haven't used it and have no idea how secure it is but it may help.

Alien Bob 06-25-2015 06:05 AM
Quote:
Originally Posted by vulcan59 (Post 5382705)
Possibly this - https://code.google.com/p/mod-auth-external

This is not a recommendation. I haven't used it and have no idea how secure it is but it may help.
I use this myself. I have a package here: http://www.slackware.com/~alien/slac...thnz_external/

In your httpd.conf you'd add lines that look like this for a dual authentication against the shadow database (which uses pwauth - included in my package) as well as a speparate htaccess file with custome accounts (for instance people you do not want to give shell access):
Code:
    ......
    <IfModule mod_auth_external.c>
        AddExternalAuth shadow_auth /usr/libexec/pwauth
        SetExternalAuthMethod shadow_auth pipe
    </IfModule>
    ......
    <Directory /some/directory>
        ......
        AuthBasicAuthoritative off
        AuthExternal shadow_auth
        AuthUserFile /some/htaccess/file/with/accounts/not/in/your/passwd
        AuthType Basic
        AuthName "Some protected area"
        require valid-user
        ......
    </Directory>
    ......

dijetlo 06-25-2015 06:44 AM
Quote:
So, obviously I don't know how this works.
No worries, there's a manual.....
The first two paragraphs should help you better understand "why PAM instead of the local authentication subsystem ?".

Quote:
How come apache can't just use regular user authentication
It can and in high security environment, it does (though that's to segregate accounts in the DMZ from domain accounts, which means if you loose control of an asset in the wild lands, it wont create an exploitation path into the domain).

Quote:
I thought PAM was insecure
You have to write rules for it and if you screw that up, you can leave a hole in the system, or conversely you can make the thing so damn secure even you can't get back into it (trust me, I know this for true...)
;)


All times are GMT -5. The time now is 11:26 AM.