mod_auth_pam
Stephen Adler
adler at stephenadler.com
Fri Aug 18 11:42:06 EDT 2006
I've trimmed down the error message and got rid of the ypserv error by
adding the
following line to /etc/ypserv.conf
172.17.1./255.255.255.0 : * : shadow.byname : none
Now for some reason I still have the pam_unix authentication failure...
Aug 18 11:41:39 qmt0 httpd(pam_unix)[20925]: authentication failure;
logname= uid=48 euid=48 tty= ruser= rhost= user=adler
:(
Matthew Gillen wrote:
> I don't think that's how PAM authentication works. The httpd daemon should
> not be making calls directly to NIS. The local NIS client (ypbind) should be
> doing that on behalf of anything that uses PAM as a backend. (check for
> yourself: from your log message below, the port that was refused was 34502;
> what does 'rpcinfo -p' return on your webserver machine? Is 34502 in that list?)
>
> I don't have any better ideas if changing /etc/pam.d/httpd didn't work, but I
> don't think the problem has to do with httpd->ypserver interaction. More
> likely it's ypbind->ypserver or httpd->ypbind.
>
> Matt
>
> Stephen Adler wrote:
>
>> I think it's coming down to the fact that httpd is on a port which is
>> greater than 1024 and there is something in ypserv.conf about
>> restricting getting shadow.byname to high port number requests.
>>
>> snippet from /etc/ypserv.conf
>> # Not everybody should see the shadow passwords, not secure, since
>> # under MSDOG everbody is root and can access ports < 1024 !!!
>> * : * : shadow.byname : port
>> * : * : passwd.adjunct.byname : port
>>
>> I need to do more research on ypserv.conf...
>>
>> Matthew Gillen wrote:
>>
>>> It doesn't seem like this should make a difference, but here's what
>>> mine looks
>>> like:
>>> $ cat /etc/pam.d/httpd
>>> #%PAM-1.0
>>> auth include system-auth
>>> account include system-auth
>>> # Comment out the previous account line and uncomment the following
>>> line if
>>> # you wish to allow logins that don't have a system account
>>> #account required pam_permit.so
>>>
>>>
>>> Stephen Adler wrote:
>>>
>>>
>>>> I'm running red hat enterprise linux 4.
>>>>
>>>>
>>>> [root at qmt0 init.d]# cat /etc/pam.d/httpd
>>>> #%PAM-1.0
>>>> auth required /lib/security/pam_unix.so
>>>> account required /lib/security/pam_unix.so
>>>>
>>>> it is there....
>>>>
>>>> Matthew Gillen wrote:
>>>>
>>>>
>>>>> What distro are you using? Fedora Extras has an mod_auth_pam package
>>>>> that
>>>>> works out of the box for me with NIS.
>>>>>
>>>>> Looking at the file listing for that package, it seems that there is a
>>>>> file it
>>>>> adds:
>>>>> /etc/pam.d/httpd
>>>>>
>>>>> Do you have that file?
>>>>>
>>>>> Matt
>>>>>
>>>>> Stephen Adler wrote:
>>>>>
>>>>>
>>>>>
>>>>>> I'm trying to get mod_auth_pam working using NIS and I'm having a
>>>>>> bit of
>>>>>> a problem.
>>>>>> I've downloaded mod_auth_pam, (mod_auth_pam-2.0-1.1.1.tar.gz) and did
>>>>>> the required
>>>>>> make; make install.
>>>>>>
>>>>>> I added the lines
>>>>>>
>>>>>> # loading mod_auth_pam module. SA - Fri Aug 18th, 2006
>>>>>> LoadModule auth_pam_module modules/mod_auth_pam.so
>>>>>> LoadModule auth_sys_group_module modules/mod_auth_sys_group.so
>>>>>>
>>>>>> to the /etc/httpd/conf/httpd.conf file
>>>>>>
>>>>>> and restarted httpd. This worked all ok. I then created a directory
>>>>>> /usr/local/www/adler
>>>>>> and put an index.html file there. I also created a file
>>>>>> localusers.conf
>>>>>> with the following
>>>>>> text
>>>>>> #
>>>>>> # Local qmp users web directories
>>>>>> #
>>>>>>
>>>>>> Alias /adler /usr/local/www/adler
>>>>>> <Directory /usr/local/www/adler>
>>>>>> AuthType Basic
>>>>>> AuthName "secure area"
>>>>>> # require group adler
>>>>>> require user adler
>>>>>> </Directory>
>>>>>>
>>>>>> and put that in /etc/httpd/conf.d directory
>>>>>>
>>>>>> Finally I surfed to http://localhost/adler and the username password
>>>>>> authorization window
>>>>>> pops up. I put in my user name and password and the authorization
>>>>>> fails.
>>>>>> The following
>>>>>> text shows up in the /var/log/messages file
>>>>>>
>>>>>>
>>>>>> Aug 18 10:48:50 qmt0 ypserv[19665]: refused connect from
>>>>>> 172.17.1.2:34502 to procedure ypproc_match
>>>>>> (quantummoleculartech.com,shadow.byname;-1)
>>>>>> Aug 18 10:48:50 qmt0 httpd(pam_unix)[19463]: authentication failure;
>>>>>> logname= uid=48 euid=48 tty= ruser= rhost= user=adler
>>>>>>
>>>>>>
>>>>>> So, pam authentication is being enabled, but ypserv is refusing the
>>>>>> connection. I've removed /var/yp/securenets file and have restarted
>>>>>> ypserv.
>>>>>>
>>>>>> Any ideas?
>>>>>>
>>>>>> Cheers. Steve.
>>>>>> _______________________________________________
>>>>>> Discuss mailing list
>>>>>> Discuss at blu.org
>>>>>> http://olduvai.blu.org/mailman/listinfo/discuss
>>>>>>
>>>>>>
>>>>>
>>>>>
>
>
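Added example, not part of the thread and not code from mod_auth_pam or ypserv: a small Python evaluator for ypserv.conf access rules, run against the rule lines and the ypserv refusal quoted above. It parses the "refused connect from ..." log line, applies the "* : * : shadow.byname : port" rule to a request from port 34502, and then applies the "172.17.1./255.255.255.0 : * : shadow.byname : none" line that was added later, which is what lets the whole 172.17.1.0/24 subnet fetch shadow.byname from unprivileged ports. The rule semantics used here (first matching rule wins; none = allow, port = allow only from a source port below 1024, deny = refuse; no matching rule = allow) and the trailing-dot host shorthand are my reading of ypserv.conf(5), so treat them as assumptions; the function and constant names are mine.

```python
# Added example (not from the thread): evaluate ypserv.conf access rules
# against a client ip/port and map, to show why the logged request was refused
# and what the replacement rule grants.
# Assumed semantics (my reading of ypserv.conf(5), not stated on the page):
#   - rules are checked in order, first match wins
#   - "none"  -> allow;  "port" -> allow only if source port < 1024;
#     "deny" (or anything else) -> refuse;  no matching rule -> allow
#   - host "172.17.1." is shorthand for 172.17.1.0/24
import ipaddress
import re

# Rule lines quoted in the thread (original /etc/ypserv.conf snippet).
ORIGINAL_CONF = """\
# Not everybody should see the shadow passwords, not secure, since
# under MSDOG everbody is root and can access ports < 1024 !!!
* : * : shadow.byname : port
* : * : passwd.adjunct.byname : port
"""

# Line the poster added in front of the original rules.
REPLACEMENT_CONF = ("172.17.1./255.255.255.0 : * : shadow.byname : none\n"
                    + ORIGINAL_CONF)

# ypserv refusal quoted in the thread.
LOG_LINE = ("Aug 18 10:48:50 qmt0 ypserv[19665]: refused connect from "
            "172.17.1.2:34502 to procedure ypproc_match "
            "(quantummoleculartech.com,shadow.byname;-1)")

LOG_RE = re.compile(r"refused connect from (?P<ip>[\d.]+):(?P<port>\d+) "
                    r"to procedure (?P<proc>\w+) "
                    r"\((?P<domain>[^,]+),(?P<map>[^;]+);")


def parse_refusal(line):
    """Extract client ip/port, procedure, NIS domain and map from a refusal."""
    m = LOG_RE.search(line)
    if not m:
        return None
    req = m.groupdict()
    req["port"] = int(req["port"])
    return req


def parse_host(field):
    """Host field of a rule -> IPv4Network, or None for the '*' wildcard."""
    if field == "*":
        return None
    addr, _, mask = field.partition("/")
    octets = [o for o in addr.split(".") if o]
    if not mask:
        # Trailing-dot shorthand: prefix length from the octets given.
        mask = str(8 * len(octets))
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_rules(text):
    """Parse 'host : domain : map : security' lines, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, domain, ypmap, security = [f.strip() for f in line.split(":")]
        rules.append((parse_host(host), domain, ypmap, security))
    return rules


def evaluate(rules, client_ip, client_port, domain, ypmap):
    """Return 'allow' or 'deny' for one request under the parsed rules."""
    ip = ipaddress.IPv4Address(client_ip)
    for net, dom, mp, sec in rules:
        if net is not None and ip not in net:
            continue
        if dom != "*" and dom != domain:
            continue
        if mp != "*" and mp != ypmap:
            continue
        if sec == "none":
            return "allow"
        if sec == "port":
            return "allow" if client_port < 1024 else "deny"
        return "deny"
    return "allow"  # assumed default when nothing matches


def explain(conf_text, log_line):
    """Verdict the given config would give the request in the log line."""
    req = parse_refusal(log_line)
    return evaluate(parse_rules(conf_text), req["ip"], req["port"],
                    req["domain"], req["map"])


if __name__ == "__main__":
    print(parse_refusal(LOG_LINE))
    print("original rules   :", explain(ORIGINAL_CONF, LOG_LINE))
    print("with 'none' rule :", explain(REPLACEMENT_CONF, LOG_LINE))
    print("other subnet     :", evaluate(parse_rules(REPLACEMENT_CONF),
                                         "10.0.0.5", 34502,
                                         "quantummoleculartech.com",
                                         "shadow.byname"))
```

Running it gives deny for the original config (httpd connects from an unprivileged port, so a "port" rule refuses it), allow for the replacement, and deny again for a host outside 172.17.1.0/24. The useful check before editing ypserv.conf is the third one: a "none" rule is scoped only by its host field, so the netmask on that line is the whole control over who can pull the shadow map.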