Bug 28114 - PAM authentication support for apache2 with mod_auth_pam
Summary: PAM authentication support for apache2 with mod_auth_pam
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High enhancement
Assignee: Apache Team - Bugzilla Reports
URL: http://pam.sourceforge.net/mod_auth_pam/
Whiteboard:
Keywords: EBUILD
Depends on:
Blocks:
 
Reported: 2003-09-07 06:52 UTC by Daniele Arduini
Modified: 2005-01-09 15:24 UTC

Attachments
the ebuild script and configuration's files (mod_auth_pam.tar.gz,1.84 KB, application/octet-stream)
2003-09-07 06:54 UTC, Daniele Arduini
the ebuild script and configuration's files (mod_auth_pam.tar.gz,1.84 KB, application/x-gzip)
2003-09-07 06:54 UTC, Daniele Arduini
diff of the ebuild (mod_auth_pam-1.1.1.ebuild.diff,96 bytes, text/x-diff)
2005-01-05 02:06 UTC, Christian Bartels
diff of mod_auth_pam.conf (10_mod_auth_pam.conf.diff,80 bytes, text/x-diff)
2005-01-05 02:06 UTC, Christian Bartels

Description Daniele Arduini 2003-09-07 06:52:17 UTC
I've made an ebuild for the package mod_auth_pam.
This will enable apache users' authentication using PAM.

Only apache2 is supported (at the moment).


Reproducible: Always
Comment 1 Daniele Arduini 2003-09-07 06:54:17 UTC
Created attachment 17217
the ebuild script and configuration's files
Comment 2 Daniele Arduini 2003-09-07 06:54:39 UTC
Created attachment 17218
the ebuild script and configuration's files
Comment 3 Stuart Herbert (RETIRED) gentoo-dev 2003-10-04 06:19:24 UTC
Definitely one for the web-apps herd to look at.  Donnie - do you particularly
mind if someone else looks at this?

Thanks,
Stu
Comment 4 Donny Davies (RETIRED) gentoo-dev 2003-10-04 10:16:00 UTC
No please go ahead if you wish.  I've not found time to look at it is all,
plus I don't really have any need to authenticate this way.  Thanks Stew.
Comment 5 Stuart Herbert (RETIRED) gentoo-dev 2003-10-04 13:00:21 UTC
Thanks, Donnie - I'll try and get to this when I can.

Stu
Comment 6 Donny Davies (RETIRED) gentoo-dev 2003-10-04 13:10:03 UTC
Stuart,

It's Donny, as you should clearly see.

Sorry, but twice starts to get under your skin ya know...
Comment 7 Stuart Herbert (RETIRED) gentoo-dev 2003-10-04 13:15:48 UTC
Sorry about that - not intentional.
Comment 8 Stian B. Barmen 2003-10-19 11:45:27 UTC
I tested the ebuild, and it worked flawlessly!

Please admit into portage, and thanks, I needed this one! :)

Best regards
Stian B. Barmen
Comment 9 Josh Knowles 2003-12-09 21:31:12 UTC
What is the status of this?  Is it going to be added to Portage?
Comment 10 Christian Parpart (RETIRED) gentoo-dev 2003-12-10 04:13:03 UTC
I'd be really very happy if someone responsible would add this into the portage tree. The ebuild is working (many thanks).

However, I'd propose to add a shadow group, and simply add all users/processes who may have read(!) access to /etc/shadow.

Greets,
Christian Parpart.
Comment 11 Wolf Giesen 2004-02-17 22:36:10 UTC
Thanks a lot for your work. Before somebody puts this into portage (which I *highly* recommend, especially regarding the demand for a solution like this on various forums) I'd suggest the following:

1. Change the version number.
The ebuild is based on version 2 of the module (version 1 is for Apache 1), but the ebuild has a major number 1, which is confusing.

2. Do not leave out mod_auth_sys_group in files/10_mod_auth_pam.conf!
It took me quite some time to find why I was able to "require user x y z", but not "require group x y z". Others have had this problem, too. I don't think there is any need to wrap the module with only half of the functionality enabled by default.

Apart from this it's working nicely!
Comment 12 Wolf Giesen 2004-02-17 22:38:05 UTC
Sorry, I forgot to list the contents of the 10_mod_auth_pam.conf file. I just added the auth_sys_group_module line and it's been working fine:

#<IfDefine AUTH_PAM>
  <IfModule !mod_auth_pam.c>
    LoadModule auth_pam_module          extramodules/mod_auth_pam.so
    LoadModule auth_sys_group_module    extramodules/mod_auth_sys_group.so
  </IfModule>
#</IfDefine>

#<IfModule mod_auth_pam.c>
#    AuthPAM_Enabled on
#    
#    AuthType Basic
#    AuthName "secure area"
#    require group staff
#    require user webmaster
#</IfModule>
Comment 13 atom 2004-02-19 17:30:02 UTC
If we're going to add auth_sys_group_module to 10_mod_auth_pam.conf, then it seems logical that the auth_sys_group_module should be installed by the ebuild. This requires uncommenting the line that installs this module.
Comment 14 Daniele Arduini 2004-02-20 04:04:20 UTC
OK, I'll submit soon an updated release with all features enabled.

This module requires read access (via PAM) to /etc/shadow when PAM is configured to use pam_unix.so.
As suggested in Comment #10 from Christian Parpart, there should be a system shadow group with all users/processes who may have read(!) access to /etc/shadow
added to it.

Is there already such a group, or any plans to add it?
Comment 15 Wolf Giesen 2004-03-15 00:19:58 UTC
Yes, atom, of course - I did that but forgot about it the second I had it working. Guess I lost my head somewhere over the clouds ;-)

So far this has been working very fine for me and has lifted a big weight from my shoulders. I would really see this one in official portage. I'm not actually sure we should address the "shadow" issue directly, though. Actually, I'm not a big fan of ebuilds messing with my group/password files at all. Instead, I'd rather prefer some kind of informal message concerning the shadow issue after the ebuild completes.

Or am I still floating too high here?
Comment 16 Chuck Short (RETIRED) gentoo-dev 2004-06-14 09:53:29 UTC
I agree ebuilds should not mess with the password/shadow files. I'll have a look at your ebuild tonight and will probably add it tonight as well.

Thanks
chuck
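
The shadow-group question raised in comments 10, 14 and 15 comes down to which accounts end up able to read /etc/shadow once a group is granted access. The following audit helper is an added example, not part of the original thread or the ebuild; the group name "shadow", gid 42 and the sample accounts are constructed, and the wrapper assumes GNU stat.

```shell
#!/bin/sh
# audit_shadow_access MODE GID GROUP_FILE [PASSWD_FILE]
#   MODE        permission bits as printed by `stat -c %a`, e.g. 640
#   GID         numeric group owner of the shadow file
#   GROUP_FILE  file in /etc/group format  (name:x:gid:member,member)
#   PASSWD_FILE file in /etc/passwd format (finds primary-group members)
# Prints one verdict line describing who, besides the owner, can read the file.
audit_shadow_access() {
    mode=$1 gid=$2 group_file=$3 passwd_file=${4:-/dev/null}
    other=${mode#"${mode%?}"}            # last octal digit: "other" bits
    rest=${mode%?}
    group=${rest#"${rest%?}"}            # second-to-last digit: group bits
    group=${group:-0}
    if [ $(( other & 4 )) -ne 0 ]; then
        echo "WORLD-READABLE"            # every local account can read hashes
        return 0
    fi
    if [ $(( group & 4 )) -eq 0 ]; then
        echo "OWNER-ONLY"                # PAM modules running as non-root cannot read it
        return 0
    fi
    # Group-readable: list supplementary members and primary-group accounts.
    gname=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group_file")
    members=$(awk -F: -v g="$gid" '$3 == g { print $4; exit }' "$group_file")
    primary=$(awk -F: -v g="$gid" \
        '$4 == g { printf "%s%s", sep, $1; sep = "," }' "$passwd_file")
    echo "GROUP-READABLE group=${gname:-gid$gid} members=${members:-none} primary=${primary:-none}"
}

# Wrapper for a live system (assumes GNU stat, as on Linux).
audit_shadow_file() {
    f=${1:-/etc/shadow}
    st=$(stat -c '%a %g' "$f") || return 2
    audit_shadow_access "${st% *}" "${st#* }" /etc/group /etc/passwd
}

# Constructed sample: a "shadow" group (gid 42) that contains the apache user.
sample=$(mktemp) && printf 'shadow:x:42:apache\n' > "$sample"
audit_shadow_access 640 42 "$sample"
rm -f "$sample"
```

Every account listed in the output can read the password hashes, so a web server added to such a group exposes them to any code running as that user.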
Comment 17 Chuck Short (RETIRED) gentoo-dev 2004-06-14 20:18:24 UTC
Looks good. Committed. Thanks for the ebuild.
Comment 18 Christian Bartels 2005-01-05 02:05:23 UTC
The current ebuild in the portage tree does not install mod_auth_sys_group.so so that the "require group bla" directive does not work. Here are the necessary patches against the current ebuild.
Comment 19 Christian Bartels 2005-01-05 02:06:13 UTC
Created attachment 47687
diff of the ebuild
Comment 20 Christian Bartels 2005-01-05 02:06:44 UTC
Created attachment 47688
diff of mod_auth_pam.conf
Comment 21 Christian Parpart (RETIRED) gentoo-dev 2005-01-09 15:24:59 UTC
wrt the "require group"/mod_auth_sys_group.so problem,
please have a look at bug:
http://bugs.gentoo.org/show_bug.cgi?id=57986