authorJan Pazdziora <jpazdziora@redhat.com>2020-07-09 14:12:20 +0200
committerJan Pazdziora <jpazdziora@redhat.com>2020-07-09 16:19:25 +0200
commit025f62adcd1fe0d74264f7ee28efc757b75d5152 (patch)
tree87b9dd1bfa2eedb4935b0f8c33b8c705dfcd6e0a
parent622996a9a7d462cdb51cd2a2c5ecd3b00bb48b85 (diff)
Clarify account behaviour with AuthBasicProvider and interaction with Require pam-account.
-rw-r--r--README27
-rw-r--r--tests/auth.conf18
-rwxr-xr-xtests/config.sh2
-rwxr-xr-xtests/pam-exec12
-rwxr-xr-xtests/run.sh18
5 files changed, 74 insertions, 3 deletions
diff --git a/README b/README
index ea702a7..96b7575 100644
--- a/README
+++ b/README
@@ -68,6 +68,31 @@ tlwiki example, file /etc/pam.d/tlwiki could be created with content
to authenticate against sssd.
+As part of the Basic Authentication operation, both PAM authentication
+and PAM account verification (auth and account in PAM service
+configuration) are run. This is to ensure that the HTTP status 401
+is returned when the user is not permitted to log in, allowing fallback
+to different authentication mechanism. That also means that for the
+above example
+
+ AuthBasicProvider PAM
+ AuthPAMService tlwiki
+
+it is not necessary to use
+
+ Require pam-account tlwiki
+
+and
+
+ Require valid-user
+
+is enough because the account verification will be run as part of the
+HTTP authentication. In fact, using Require pam-account with the same
+PAM service name will cause the account PAM checks to be run twice.
+On the other hand, it is possible to configure Require pam-account
+with different PAM service name than the AuthPAMService value and get
+two separate account PAM checks during the Basic Authentication.
+
Handling expired password:
AuthPAMExpiredRedirect <URL>
@@ -111,7 +136,7 @@ should build and install the module.
License
-------
-Copyright 2014--2018 Jan Pazdziora
+Copyright 2014--2020 Jan Pazdziora
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
diff --git a/tests/auth.conf b/tests/auth.conf
index 25975c5..481db08 100644
--- a/tests/auth.conf
+++ b/tests/auth.conf
@@ -17,3 +17,21 @@ ScriptAlias /authn /var/www/cgi-bin/auth.cgi
AuthPAMService web
Require valid-user
</LocationMatch>
+
+ScriptAlias /authnp /var/www/cgi-bin/auth.cgi
+<LocationMatch ^/authnp>
+ AuthType Basic
+ AuthName "private area"
+ AuthBasicProvider PAM
+ AuthPAMService web
+ Require pam-account web
+</LocationMatch>
+
+ScriptAlias /authnp2 /var/www/cgi-bin/auth.cgi
+<LocationMatch ^/authnp2>
+ AuthType Basic
+ AuthName "private area"
+ AuthBasicProvider PAM
+ AuthPAMService web
+ Require pam-account web2
+</LocationMatch>
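Review bot: The new `<LocationMatch ^/authnp>` pattern also matches `/authnp2`, so the `/authnp2` section only ends up with `Require pam-account web2` because it is declared later and its Require presumably replaces the earlier one when the sections are merged; the pre-existing `^/authn` block overlaps both new ones the same way. That makes the test depend on section order rather than on the request path. Anchoring the two new patterns, `<LocationMatch ^/authnp(/|$)>` and `<LocationMatch ^/authnp2(/|$)>`, makes each location match only its own path.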
diff --git a/tests/config.sh b/tests/config.sh
index 2dd1323..131767e 100755
--- a/tests/config.sh
+++ b/tests/config.sh
@@ -6,9 +6,11 @@ set -x
sed -i 's/^MaxClients.*/MaxClients 1/' /etc/httpd/conf/httpd.conf
mkdir -p /etc/pam-auth
mkdir -p /etc/pam-account
+mkdir -p /etc/pam-account2
cp -p tests/auth.cgi /var/www/cgi-bin/auth.cgi
cp -p tests/pam-exec /usr/bin/pam-exec
cp tests/pam-web /etc/pam.d/web
+cp tests/pam-web /etc/pam.d/web2
chmod a+x /var/log/httpd
touch /var/log/httpd/pam_exec.log
chown apache /var/log/httpd/pam_exec.log
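Review bot: The patched tests/pam-exec looks up `/etc/pam-auth2/$PAM_USER` when PAM_SERVICE is web2, but this hunk only creates `/etc/pam-account2`, so the auth directory for the second service is never created. The current tests do not reach it, since every location in tests/auth.conf authenticates via `AuthPAMService web` and only the account phase runs under web2, so the mismatch is latent rather than a failing test. Adding `mkdir -p /etc/pam-auth2` next to the pam-account2 line keeps the fixture consistent with the helper it drives.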
diff --git a/tests/pam-exec b/tests/pam-exec
index 81b3d12..4d7c114 100755
--- a/tests/pam-exec
+++ b/tests/pam-exec
@@ -3,7 +3,11 @@
echo "$0: $PAM_TYPE $PAM_USER"
if [ "$PAM_TYPE" == 'auth' ] ; then
- PAM_FILE="/etc/pam-auth/$PAM_USER"
+ if [ "$PAM_SERVICE" = 'web2' ] ; then
+ PAM_FILE="/etc/pam-auth2/$PAM_USER"
+ else
+ PAM_FILE="/etc/pam-auth/$PAM_USER"
+ fi
if ! [ -f $PAM_FILE ] ; then
echo "No [$PAM_FILE] for user [$PAM_USER]" >&2
exit 2
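Review bot: The new `[ "$PAM_SERVICE" = 'web2' ]` test uses `=` while the surrounding file compares with `==` in the `$PAM_TYPE` checks, which reads as two authors; either works in bash, so match the file, e.g. `if [ "$PAM_SERVICE" == 'web2' ] ; then`. Separately, both branches build a filesystem path from `$PAM_USER`, which presumably arrives unvalidated from the HTTP Basic username and may contain `/` or `..`; this is a test fixture on a throwaway host, but a one-line guard before the lookup such as `case "$PAM_USER" in */*|.*) exit 2 ;; esac` is enough to keep a crafted username from selecting a file outside the fixture directories. The enclosing `if` block continues past the end of the hunk.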
@@ -20,7 +24,11 @@ if [ "$PAM_TYPE" == 'auth' ] ; then
fi
if [ "$PAM_TYPE" == 'account' ] ; then
- PAM_FILE="/etc/pam-account/$PAM_USER"
+ if [ "$PAM_SERVICE" = 'web2' ] ; then
+ PAM_FILE="/etc/pam-account2/$PAM_USER"
+ else
+ PAM_FILE="/etc/pam-account/$PAM_USER"
+ fi
if ! [ -f $PAM_FILE ] ; then
echo "No [$PAM_FILE] for user [$PAM_USER]" >&2
exit 2
diff --git a/tests/run.sh b/tests/run.sh
index 4fcc98e..521652e 100755
--- a/tests/run.sh
+++ b/tests/run.sh
@@ -11,6 +11,15 @@ for i in $( seq 1 10 ) ; do
sleep 3
done
+cp /var/log/httpd/pam_exec.log /var/log/httpd/pam_exec.log.old
+
+function next_log () { set +x
+ tail -c +$(( $( stat -c%s /var/log/httpd/pam_exec.log.old ) + 1 )) /var/log/httpd/pam_exec.log | sed 's/^/:: /'
+ # echo '###' >> /var/log/httpd/pam_exec.log
+ cp /var/log/httpd/pam_exec.log /var/log/httpd/pam_exec.log.old
+ set -x
+}
+
rm -f /etc/pam-auth/*
echo "Testing Require pam-account"
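Review bot: next_log has no comment, and its contract is easy to misread given the `.old` copy and the `+1` byte offset; a header such as `# Print the log lines appended to pam_exec.log since the previous call (prefixed "::"), then advance the mark.` would make the `next_log | grep ... | wc -l` assertions below self-explanatory. The `set +x` / `set -x` pair also unconditionally turns tracing back on, so if run.sh is ever executed without `-x` the function enables it; whether this script sets `-x` is outside the hunk. Keeping the mark as a byte offset in a variable rather than copying the whole log on every call would avoid the extra copy, but that is optional.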
@@ -26,8 +35,17 @@ touch /etc/pam-auth/bob
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
echo Secret > /etc/pam-auth/bob
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
+next_log > /dev/null
touch /etc/pam-account/bob
curl -u bob:Secret -s http://localhost/authn | tee /dev/stderr | grep 'User bob'
+next_log | grep 'account .bob. ok' | wc -l | grep '^1$'
+curl -u bob:Secret -s http://localhost/authnp | tee /dev/stderr | grep 'User bob'
+next_log | grep 'account .bob. ok' | wc -l | grep '^2$'
+curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authnp2 | tee /dev/stderr | grep 401
+next_log | grep -E 'account .bob. ok|No ./etc/pam-account2/bob' | uniq | wc -l | grep '^2$'
+touch /etc/pam-account2/bob
+curl -u bob:Secret -s http://localhost/authnp | tee /dev/stderr | grep 'User bob'
+next_log | grep 'account .bob. ok' | wc -l | grep '^2$'
echo Secret2 > /etc/pam-auth/bob
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401