Posted to dev@httpd.apache.org by Jason Keltz <ja...@cse.yorku.ca> on 2006/08/02 17:01:43 UTC

mod_auth_pam 2.2.X

I apologize in advance if this is not the right forum for this type of 
question -- if so, please accept my apology and let me know where I 
might address this problem...

-----

The currently available version of mod_auth_pam for Apache 2.0.X series 
does not work with the new Apache 2.2.X authentication scheme when 
combined with basic authentication since mod_auth_pam doesn't register a 
provider.  Surprisingly enough, I can't find any references on the web 
to people trying to use mod_auth_pam with Apache 2.2.X which surprises 
me.  I was looking at how I might attempt to patch the current module to 
work with 2.2.X.  I can't seem to find much documentation on the new 
"aaa" scheme in 2.2.X, but it doesn't look overly complicated to do when 
I look at say, mod_authn_file.  I'm confused by an aspect of the new 
2.2.X authentication scheme which I was hoping someone might be able to 
help with.  If I want to port the "AuthPAM_Enabled on|off" into the new 
module, where would it go?  It looks like there should be a 
mod_authn_pam which just handles only the pam authentication, and then 
say, a mod_authz_pamgroup that handles the "require group" directive, 
but it isn't clear to me where the enable flag belongs?   I looked 
through the modules that come with Apache.  The only module that has an 
enable type flag seems to be the ldap module, yet all of the references 
to the enable flag are commented out in that code.  I wonder why? 
Further, how about the AuthFailDelay, and AuthPAM_FallThrough? Would 
these go into mod_authn_pam as well?  As far as I can see, mod_authz_pam 
doesn't seem necessary since the basic authentication covers the use of 
"require user"...

Any help would be appreciated.  I'm anxious to make the change because 
I'm upgrading our 1.3.X servers to 2.2.X, and this is holding me back 
since we're using mod_auth_pam in a couple of important places.

Jason.


Re: mod_auth_pam 2.2.X

Posted by Brad Nicholes <BN...@novell.com>.
>>> On 8/2/2006 at 10:53 AM, in message <44...@cse.yorku.ca>, Jason Keltz <ja...@cse.yorku.ca> wrote:
> Brad Nicholes wrote:
>>>>> On 8/2/2006 at 9:01 AM, in message <44...@cse.yorku.ca>, Jason Keltz
>> 
>> Understand that I have not looked at the auth_pam module so I don't
>> know exactly what all of the different configuration directives do.
>> However it is highly likely that you do not even need the
>> AuthPAM_Enabled directive any more.  Under the new architecture,
>> enabling or disabling an authn module is done by simply including it or
>> excluding it from the AuthXXXProvider directive.
> 
> Actually, that makes a lot of sense.  However, I have another similar
> difficulty.  I had also added my own "AuthPAMEngine" command to
> mod_auth_pam that would only work from the server configuration.  It is
> a very simple flag that could be toggled at the server level.  This way,
> I could allow mod_auth_pam to be used on only specific virtual servers.
> I enabled it only in our SSL configuration.  Could that also be
> integrated into the mod_authn_pam module?  Is there a better way in
> Apache that permits the web site owner to restrict access to modules
> from within particular virtual servers?
> 

You could implement an AuthPAMEngine directive in mod_authn_pam but you
would have to decide exactly what that means.  Keep in mind that under
the authnz architecture, every provider listed in a specific
AuthnXXXProvider directive will be called and must return some kind of
AUTH_XXX code.   If a provider is not listed in a particular
AuthnXXXProvider directive for a <Directory> or <Location> block, the
provider will not be called for that block.  So like I mentioned before,
enabling or disabling it is simply a matter of including it in the
AuthnXXXProvider directive or not.  If you did implement an
AuthPAMEngine directive, you would need to decide what 'AuthPAMEngine
Off' means as far as which auth code should be returned.  If you return
an AUTH_DENIED then other authn providers that follow your authn_pam
provider that are listed in the AuthnXXXProvider directive would be
called and allowed to authenticate the user, otherwise the request would
be denied.  If you returned AUTH_GRANTED then only the authn providers
that were listed previous to your authn_pam provider would have been
called and authentication would stop at that point and be granted.  There
isn't a DECLINED option anymore.  Basically if your PAM provider is
never included in any AuthnXXXProvider directive, then it is never
called and is just dead code (i.e., disabled).

Brad
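As an added illustration of the provider-chain behaviour described above (a constructed, stand-alone model written for this page, not code from mod_auth_pam or from httpd): the authn_status values are copied from 2.2's mod_auth.h, the provider struct and the chain loop are simplified stand-ins for httpd's authn_provider and the loop in mod_auth_basic (request_rec and pool arguments dropped), and the AuthPAMEngine flag, the two providers and their credential tables are all made up. The loop here moves on to the next listed provider only when a provider returns AUTH_USER_NOT_FOUND, which is how I read 2.2's mod_auth_basic.c; check that against the tree you are porting to before deciding what 'AuthPAMEngine Off' should return, because that choice decides whether a provider listed after "pam" in AuthBasicProvider still gets a chance.

```c
/* Added example: stand-alone model of the Apache 2.2 authn provider chain.
 * Not mod_auth_pam or httpd code; the types below mirror mod_auth.h only so
 * that this file compiles on its own. */
#include <stdio.h>
#include <string.h>

/* Copied from httpd 2.2 mod_auth.h (assumption: matches your tree). */
typedef enum {
    AUTH_DENIED,
    AUTH_GRANTED,
    AUTH_USER_FOUND,
    AUTH_USER_NOT_FOUND,
    AUTH_GENERAL_ERROR
} authn_status;

/* Minimal stand-in for authn_provider: only the check_password entry point. */
typedef struct {
    const char *name;   /* the name that would appear in AuthBasicProvider */
    authn_status (*check_password)(const char *user, const char *password);
} authn_provider;

/* Constructed per-vhost flag standing in for a hypothetical "AuthPAMEngine On|Off". */
static int pam_engine_enabled = 1;
static void set_pam_engine(int on) { pam_engine_enabled = on; }

/* Constructed credential tables; the "pam" one stands in for the PAM stack
 * (no real PAM conversation happens here). */
static const char *pam_users[][2]  = { {"alice", "pam-secret"},  {NULL, NULL} };
static const char *file_users[][2] = { {"bob",   "file-secret"}, {NULL, NULL} };

static authn_status lookup(const char *table[][2], const char *user, const char *password)
{
    for (int i = 0; table[i][0] != NULL; i++) {
        if (strcmp(table[i][0], user) == 0) {
            /* Known user: a definite verdict either way, so the chain stops here. */
            return strcmp(table[i][1], password) == 0 ? AUTH_GRANTED : AUTH_DENIED;
        }
    }
    return AUTH_USER_NOT_FOUND;   /* unknown user: let the next provider try */
}

static authn_status pam_check_password(const char *user, const char *password)
{
    /* "AuthPAMEngine Off": give no verdict at all, so a later provider in the
     * same AuthBasicProvider list can still authenticate the user. */
    if (!pam_engine_enabled) {
        return AUTH_USER_NOT_FOUND;
    }
    return lookup(pam_users, user, password);
}

static authn_status file_check_password(const char *user, const char *password)
{
    return lookup(file_users, user, password);
}

static const authn_provider pam_provider  = { "pam",  pam_check_password };
static const authn_provider file_provider = { "file", file_check_password };

/* Models the loop in 2.2 mod_auth_basic: call each listed provider in order and
 * stop at the first one that returns anything other than AUTH_USER_NOT_FOUND.
 * decided_by (optional) receives the name of the provider that gave the verdict. */
static authn_status run_provider_chain(const authn_provider *const *providers, int count,
                                       const char *user, const char *password,
                                       const char **decided_by)
{
    authn_status result = AUTH_USER_NOT_FOUND;
    if (decided_by) *decided_by = NULL;
    for (int i = 0; i < count; i++) {
        result = providers[i]->check_password(user, password);
        if (result != AUTH_USER_NOT_FOUND) {
            if (decided_by) *decided_by = providers[i]->name;
            break;
        }
    }
    return result;
}

/* The equivalent of "AuthBasicProvider pam file". */
static authn_status auth_pam_then_file(const char *user, const char *password,
                                       const char **decided_by)
{
    const authn_provider *chain[] = { &pam_provider, &file_provider };
    return run_provider_chain(chain, 2, user, password, decided_by);
}

int main(void)
{
    const char *who;
    authn_status s;

    s = auth_pam_then_file("alice", "pam-secret", &who);
    printf("alice/pam-secret -> %d, decided by %s\n", s, who);   /* GRANTED by pam */
    s = auth_pam_then_file("bob", "file-secret", &who);
    printf("bob/file-secret  -> %d, decided by %s\n", s, who);   /* pam: not found; file: GRANTED */
    s = auth_pam_then_file("alice", "wrong", &who);
    printf("alice/wrong      -> %d, decided by %s\n", s, who);   /* DENIED by pam; file never asked */
    set_pam_engine(0);                                           /* "AuthPAMEngine Off" */
    s = auth_pam_then_file("alice", "pam-secret", &who);
    printf("engine off       -> %d, decided by %s\n", s, who ? who : "nobody");
    return 0;
}
```

The third case is the one to notice when designing the directive: once "pam" knows the user and returns AUTH_DENIED, "file" is never consulted, so a PAM user with a wrong password cannot fall through to a different backend. An AuthPAMEngine Off that returned AUTH_DENIED would therefore block every provider listed after it.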

Re: mod_auth_pam 2.2.X

Posted by Jason Keltz <ja...@cse.yorku.ca>.
Brad Nicholes wrote:
>>>> On 8/2/2006 at 9:01 AM, in message <44...@cse.yorku.ca>, Jason Keltz
>> I'm confused by an aspect of the new
>> 2.2.X authentication scheme which I was hoping someone might be able to
>> help with.  If I want to port the "AuthPAM_Enabled on|off" into the new
>> module, where would it go?  It looks like there should be a
>> mod_authn_pam which just handles only the pam authentication, and then
>> say, a mod_authz_pamgroup that handles the "require group" directive,
>> but it isn't clear to me where the enable flag belongs?  I looked
>> through the modules that come with Apache.  The only module that has an
>> enable type flag seems to be the ldap module, yet all of the references
>> to the enable flag are commented out in that code.  I wonder why?
> 
> Understand that I have not looked at the auth_pam module so I don't
> know exactly what all of the different configuration directives do.
> However it is highly likely that you do not even need the
> AuthPAM_Enabled directive any more.  Under the new architecture,
> enabling or disabling an authn module is done by simply including it or
> excluding it from the AuthXXXProvider directive.

Actually, that makes a lot of sense.  However, I have another similar 
difficulty.  I had also added my own "AuthPAMEngine" command to 
mod_auth_pam that would only work from the server configuration.  It is 
a very simple flag that could be toggled at the server level.  This way, 
I could allow mod_auth_pam to be used on only specific virtual servers. 
I enabled it only in our SSL configuration.  Could that also be 
integrated into the mod_authn_pam module?   Is there a better way in 
Apache that permits the web site owner to restrict access to modules 
from within particular virtual servers?

>> Further, how about the AuthFailDelay, and AuthPAM_FallThrough? Would
>> these go into mod_authn_pam as well?  As far as I can see, mod_authz_pam
>> doesn't seem necessary since the basic authentication covers the use of
>> "require user"...
> 
> I would guess that the only thing required is that you create a
> mod_authn_pam authentication module and that an authz_pam module is not
> needed.  Unless you have the need to implement a very specialized type
> of authorization, you can simply rely on the existing authz modules to
> do the work.  However, if you do need a specialized PAM group
> authorization for example, rather than implementing another 'Require
> group xxx' directive, you would need to implement a 'pam-group'
> authorization type.  See mod_authnz_ldap or mod_authz_dbm as examples.

Excellent.  Thanks for that.

Jason.


Re: mod_auth_pam 2.2.X

Posted by Brad Nicholes <BN...@novell.com>.
>>> On 8/2/2006 at 9:01 AM, in message <44...@cse.yorku.ca>, Jason Keltz <ja...@cse.yorku.ca> wrote:
> I apologize in advance if this is not the right forum for this type of
> question -- if so, please accept my apology and let me know where I
> might address this problem...
> 
> -----
> 
> The currently available version of mod_auth_pam for Apache 2.0.X series
> does not work with the new Apache 2.2.X authentication scheme when
> combined with basic authentication since mod_auth_pam doesn't register a
> provider.  Surprisingly enough, I can't find any references on the web
> to people trying to use mod_auth_pam with Apache 2.2.X which surprises
> me.  I was looking at how I might attempt to patch the current module to
> work with 2.2.X.  I can't seem to find much documentation on the new
> "aaa" scheme in 2.2.X, but it doesn't look overly complicated to do when
> I look at say, mod_authn_file.

You are right, there isn't much development documentation which covers
converting an older auth module to the new authnz architecture.  The
best bet is to take the existing modules as examples.

> I'm confused by an aspect of the new
> 2.2.X authentication scheme which I was hoping someone might be able to
> help with.  If I want to port the "AuthPAM_Enabled on|off" into the new
> module, where would it go?  It looks like there should be a
> mod_authn_pam which just handles only the pam authentication, and then
> say, a mod_authz_pamgroup that handles the "require group" directive,
> but it isn't clear to me where the enable flag belongs?  I looked
> through the modules that come with Apache.  The only module that has an
> enable type flag seems to be the ldap module, yet all of the references
> to the enable flag are commented out in that code.  I wonder why?

Understand that I have not looked at the auth_pam module so I don't
know exactly what all of the different configuration directives do. 
However it is highly likely that you do not even need the
AuthPAM_Enabled directive any more.  Under the new architecture,
enabling or disabling an authn module is done by simply including it or
excluding it from the AuthXXXProvider directive.


> Further, how about the AuthFailDelay, and AuthPAM_FallThrough? Would
> these go into mod_authn_pam as well?  As far as I can see, mod_authz_pam
> doesn't seem necessary since the basic authentication covers the use of
> "require user"...

I would guess that the only thing required is that you create a
mod_authn_pam authentication module and that an authz_pam module is not
needed.  Unless you have the need to implement a very specialized type
of authorization, you can simply rely on the existing authz modules to
do the work.  However, if you do need a specialized PAM group
authorization for example, rather than implementing another 'Require
group xxx' directive, you would need to implement a 'pam-group'
authorization type.  See mod_authnz_ldap or mod_authz_dbm as examples.


Brad
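As an added illustration of why a PAM group check needs its own 'pam-group' Require type rather than reusing 'group' (a constructed, stand-alone model for this page, not code from httpd, mod_authz_groupfile or mod_auth_pam): each 2.2 authz module's auth_checker hook walks the Require lines, handles only those whose first word it owns, and returns DECLINED for the rest, and the hook is RUN_FIRST, so the first module that gives a verdict ends the check. The return constants, the two checkers, their membership tables and the user names below are all made up; only the claim-your-own-keyword pattern is what mod_authz_groupfile and mod_authz_dbm actually do.

```c
/* Added example: stand-alone model of how a 2.2 authz checker claims only its
 * own "Require <type> ..." lines. Not httpd or mod_auth_pam code. */
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the hook's OK / DECLINED / HTTP_UNAUTHORIZED results. */
enum { AUTHZ_OK = 0, AUTHZ_DECLINED = -1, AUTHZ_UNAUTHORIZED = 401 };

typedef struct {
    const char *type;   /* first word after Require, e.g. "group" or "pam-group" */
    const char *args;   /* the rest of the line: a space-separated group list */
} require_line;

/* Constructed memberships standing in for an AuthGroupFile and for PAM/NSS groups. */
static const char *groupfile_members[] = { "wheel:alice", NULL };
static const char *pam_group_members[] = { "staff:bob", "staff:alice", NULL };

static int member_of(const char *const *table, const char *group, const char *user)
{
    char key[128];
    snprintf(key, sizeof key, "%s:%s", group, user);
    for (int i = 0; table[i]; i++)
        if (strcmp(table[i], key) == 0) return 1;
    return 0;
}

/* Generic checker body: handle only lines whose type equals owned_type, the way
 * mod_authz_groupfile looks only at "group" lines. If none of the lines is ours,
 * decline so another module can answer; if ours matched nobody, refuse. */
static int check_group_type(const char *owned_type, const char *const *table,
                            const require_line *reqs, int nreqs, const char *user)
{
    int saw_own_line = 0;
    for (int i = 0; i < nreqs; i++) {
        if (strcmp(reqs[i].type, owned_type) != 0) continue;   /* someone else's line */
        saw_own_line = 1;
        char buf[128];
        snprintf(buf, sizeof buf, "%s", reqs[i].args);
        for (char *g = strtok(buf, " "); g; g = strtok(NULL, " "))
            if (member_of(table, g, user)) return AUTHZ_OK;
    }
    return saw_own_line ? AUTHZ_UNAUTHORIZED : AUTHZ_DECLINED;
}

static int groupfile_checker(const require_line *reqs, int n, const char *user)
{ return check_group_type("group", groupfile_members, reqs, n, user); }

static int pam_group_checker(const require_line *reqs, int n, const char *user)
{ return check_group_type("pam-group", pam_group_members, reqs, n, user); }

/* Runs the checkers as a RUN_FIRST hook would: the first non-DECLINED answer wins. */
static int authorize(const require_line *reqs, int n, const char *user)
{
    int (*checkers[])(const require_line *, int, const char *) = { groupfile_checker, pam_group_checker };
    for (size_t i = 0; i < sizeof checkers / sizeof checkers[0]; i++) {
        int rc = checkers[i](reqs, n, user);
        if (rc != AUTHZ_DECLINED) return rc;
    }
    return AUTHZ_UNAUTHORIZED;   /* no module claimed any line */
}

/* Convenience wrapper for a single Require line. */
static int authorize_one(const char *type, const char *args, const char *user)
{
    require_line line = { type, args };
    return authorize(&line, 1, user);
}

int main(void)
{
    printf("Require group wheel,  alice -> %d\n", authorize_one("group", "wheel", "alice"));     /* 0 */
    printf("Require pam-group staff, bob -> %d\n", authorize_one("pam-group", "staff", "bob")); /* 0 */
    /* Reusing "group" for PAM groups: the groupfile checker owns that word, refuses,
     * and the PAM checker never runs, even though bob is in the PAM "staff" group. */
    printf("Require group staff,  bob   -> %d\n", authorize_one("group", "staff", "bob"));      /* 401 */
    return 0;
}
```

The last case is the collision Brad's advice avoids: two modules both claiming 'group' would make the outcome depend on hook ordering and on which one is marked authoritative, whereas a distinct 'pam-group' keyword routes each line to exactly one module.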