Apache module mod_intercept_form_submit ======================================= Apache module to intercept submission of application login forms. It retrieves the login and password information from the POST HTTP request, runs PAM authentication with those credentials, and sets the REMOTE_USER environment variable if the authentication passes. The internal r->user field is also set so other modules can use it (even if the module is invoked very late in the request processing). The lookup_identity_hook from mod_lookup_identity is explicitly called after the r->user is set. If the REMOTE_USER is already set (presumably by some previous module), no authentication takes place. If the PAM authentication fails, environment variable EXTERNAL_AUTH_ERROR is set to the string describing the error. The assumption is that the application will be amended to trust the REMOTE_USER value if it is set and skip its own login/password validation (see the docs/ directory for outline of the interaction). Module configuration -------------------- Module mod_authnz_pam needs to be installed and loaded with LoadModule authnz_pam_module modules/mod_authnz_pam.so because mod_intercept_form_submit uses it to do the actual PAM operations. The mod_intercept_form_submit module needs to be configured for Location that the application uses to process the login form POST requests. The configuration has to specify three values: InterceptFormPAMService name_of_the_PAM_service The PAM service to authenticate against. InterceptFormLogin the_login_field_name Name of the login field in the login form, and thus the login parameter in the POST request. InterceptFormPassword the_password_field_name Name of the password field in the login form, and thus the password parameter in the POST request. All three parameters above need to be specified or the interception will not be enabled. Optional parameters: InterceptFormLoginSkip one_login [or_more_logins] List of logins to ignore (never attempt to authenticate). By default authentication will be attempted for all logins. InterceptFormClearRemoteUserForSkipped on|off When set to on and authentication is skipped for users listed with InterceptFormLoginSkip, clears r->user and REMOTE_USER. Default is off. InterceptFormPasswordRedact on|off When set to on and authentication is attempted (no matter if it passes or fails), the value of the password will be modified in the POST data to string [REDACTED]. Default is off. Example: LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so LoadModule authnz_pam_module modules/mod_authnz_pam.so InterceptFormPAMService http_application_sss InterceptFormLogin login[login] InterceptFormPassword login[password] InterceptFormLoginSkip admin InterceptFormClearRemoteUserForSkipped on InterceptFormPasswordRedact on The PAM service needs to be configured. For the above shown http_application_sss example, file /etc/pam.d/http_application_sss could be created with content auth required pam_sss.so account required pam_sss.so to authenticate against sssd. On SELinux enabled systems, boolean allow_httpd_mod_auth_pam needs to be enabled: setsebool -P allow_httpd_mod_auth_pam 1 Building from sources --------------------- When building from sources, command apxs -i -a -c mod_intercept_form_submit.c -Wall -pedantic should build and install the module. License ------- Copyright 2013--2014 Jan Pazdziora Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.