What is the alternative to PAM in Slackware?

Altiris · 06-24-2015, 10:24 PM

For example, a machine I have runs Centos 6 and hosts a website, when I click on a certain link (ive made it do this) a dialog box opens up asking for username/password authentication over https which uses PAM (local accounts are still being used). How could this be done on Slackware without PAM (I am not actually asking how this would get done, but what would be used rather than PAM)?

dijetlo · 06-24-2015, 11:48 PM

The estimable V. Batts has (more or less) resolved that pesky PAM problem for us, so plain old PAM is an option.

If you don't want to use PAM for a web server, you can use CGI scripts or PHP code to simulate the same functionality, without the security.

Altiris · 06-25-2015, 12:45 AM

Quote:

Originally Posted by dijetlo

The estimable V. Batts has (more or less) resolved that pesky PAM problem for us, so plain old PAM is an option.

If you don't want to use PAM for a web server, you can use CGI scripts or PHP code to simulate the same functionality, without the security.

So, obviously I don't know how this works. How come apache can't just use regular user authentication for this like programs such as postfix/dovecot can? Also, I thought PAM was insecure (or that it's complex which can lead to being insecure for some?)? Just seems confusing to me thats all, why does apache need PAM when other software (even vsftpd) does not need it.

vulcan59 · 06-25-2015, 03:31 AM

Possibly this - https://code.google.com/p/mod-auth-external

This is not a recommendation. I haven't used it and have no idea how secure it is but it may help.

Alien Bob · 06-25-2015, 06:05 AM

Quote:

Originally Posted by vulcan59

Possibly this - https://code.google.com/p/mod-auth-external

This is not a recommendation. I haven't used it and have no idea how secure it is but it may help.

I use this myself. I have a package here: http://www.slackware.com/~alien/slac...thnz_external/

In your httpd.conf you'd add lines that look like this for a dual authentication against the shadow database (which uses pwauth - included in my package) as well as a speparate htaccess file with custome accounts (for instance people you do not want to give shell access):

Code:

    ......
    <IfModule mod_auth_external.c>
        AddExternalAuth shadow_auth /usr/libexec/pwauth
        SetExternalAuthMethod shadow_auth pipe
    </IfModule>
    ......
    <Directory /some/directory>
        ......
        AuthBasicAuthoritative off
        AuthExternal shadow_auth
        AuthUserFile /some/htaccess/file/with/accounts/not/in/your/passwd
        AuthType Basic
        AuthName "Some protected area"
        require valid-user
        ......
    </Directory>
    ......

dijetlo · 06-25-2015, 06:44 AM

Quote:

So, obviously I don't know how this works.

No worries, there's a manual.....
The first two paragraphs should help you better understand "why PAM instead of the local authentication subsystem ?".

Quote:

How come apache can't just use regular user authentication

It can and in high security environment, it does (though that's to segregate accounts in the DMZ from domain accounts, which means if you loose control of an asset in the wild lands, it wont create an exploitation path into the domain).

Quote:

I thought PAM was insecure

You have to write rules for it and if you screw that up, you can leave a hole in the system, or conversely you can make the thing so damn secure even you can't get back into it (trust me, I know this for true...)