mod_authnz_pam-1.2.3/authnz_pam.conf
#
# AuthType Kerberos
# AuthName "Kerberos Login"
# KrbMethodNegotiate On
# KrbMethodK5Passwd Off
# KrbAuthRealms EXAMPLE.COM
# Krb5KeyTab /etc/http.keytab
# KrbLocalUserMapping On
# Require pam-account webapp
#
#
#
# AuthType Basic
# AuthName "private area"
# AuthBasicProvider PAM
# AuthPAMService webapp
# Require valid-user
#
mod_authnz_pam-1.2.3/authnz_pam.module
# LoadModule authnz_pam_module modules/mod_authnz_pam.so
mod_authnz_pam-1.2.3/LICENSE
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
mod_authnz_pam-1.2.3/mod_authnz_pam.c
/*
* Copyright 2014--2022 Jan Pazdziora
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <security/pam_appl.h>
#include "apr_general.h"
#include "apr_strings.h"
#include "apr_md5.h"
#include "ap_config.h"
#include "ap_provider.h"
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"
#include "http_request.h"
#include "mod_auth.h"
#ifdef APLOG_USE_MODULE
#define SHOW_MODULE ""
#else
#define SHOW_MODULE "mod_authnz_pam: "
#endif
typedef struct {
char * pam_service;
char * expired_redirect_url;
int expired_redirect_status;
} authnz_pam_config_rec;
static void * create_dir_conf(apr_pool_t * pool, char * dir) {
authnz_pam_config_rec * cfg = apr_pcalloc(pool, sizeof(authnz_pam_config_rec));
return cfg;
}
static const char * set_redirect_and_status(cmd_parms * cmd, void * conf_void, const char * url, const char * status) {
authnz_pam_config_rec * cfg = (authnz_pam_config_rec *) conf_void;
if (cfg) {
cfg->expired_redirect_url = apr_pstrdup(cmd->pool, url);
cfg->expired_redirect_status = HTTP_SEE_OTHER;
if (status) {
cfg->expired_redirect_status = apr_atoi64(status);
if (cfg->expired_redirect_status == 0) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, cmd->server,
SHOW_MODULE "AuthPAMExpiredRedirect status has to be a number, setting to %d",
HTTP_SEE_OTHER);
cfg->expired_redirect_status = HTTP_SEE_OTHER;
} else if (cfg->expired_redirect_status < 300 || cfg->expired_redirect_status > 399) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, cmd->server,
SHOW_MODULE "AuthPAMExpiredRedirect status has to be in the 3xx range, setting to %d",
HTTP_SEE_OTHER);
cfg->expired_redirect_status = HTTP_SEE_OTHER;
}
}
}
return NULL;
}
static const command_rec authnz_pam_cmds[] = {
AP_INIT_TAKE1("AuthPAMService", ap_set_string_slot,
(void *)APR_OFFSETOF(authnz_pam_config_rec, pam_service),
OR_AUTHCFG, "PAM service to authenticate against"),
AP_INIT_TAKE12("AuthPAMExpiredRedirect", set_redirect_and_status,
NULL,
ACCESS_CONF|OR_AUTHCFG, "URL (and optional status) to redirect to should user have expired credentials"),
{NULL}
};
/* PAM conversation callback. The only thing an HTTP request can supply is the
 * password passed in appdata_ptr, so only hidden prompts (PAM_PROMPT_ECHO_OFF)
 * can be answered; any other prompt style aborts the conversation. */
static int pam_authenticate_conv(int num_msg, const struct pam_message ** msg, struct pam_response ** resp, void * appdata_ptr) {
	struct pam_response * response = NULL;
	int i;
	if (!msg || !resp || !appdata_ptr || num_msg <= 0)
		return PAM_CONV_ERR;
	if (!(response = malloc(num_msg * sizeof(struct pam_response))))
		return PAM_CONV_ERR;
	for (i = 0; i < num_msg; i++) {
		response[i].resp = NULL;
		response[i].resp_retcode = 0;
		if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
			/* Only the first hidden prompt receives the password; later hidden
			 * prompts (a second factor, for example) get no answer rather than
			 * the same password again. */
			if (i == 0) {
				response[i].resp = strdup(appdata_ptr);
			}
		} else {
			/* Release the answers allocated so far before failing; freeing
			 * only the array would leak the strdup'd password. */
			int j;
			for (j = 0; j < i; j++)
				free(response[j].resp);
			free(response);
			return PAM_CONV_ERR;
		}
	}
	*resp = response;
	return PAM_SUCCESS;
}
#if AP_MODULE_MAGIC_AT_LEAST(20111025,1)
#else
#include <stdio.h>
#include "apr_lib.h"
/* Fallback for httpd releases without ap_escape_urlencoded(). Each byte is
 * handled as unsigned char: a negative (signed) char given to "%02x" prints a
 * sign-extended value, and the old code advanced p by snprintf's return value
 * (8 for such a byte, with only 2 characters written), overrunning the
 * 3 * strlen + 1 buffer for any non-ASCII byte in the URL or login. */
static const char * ap_escape_urlencoded(apr_pool_t * pool, const char * buffer) {
	char * copy = apr_palloc(pool, 3 * strlen(buffer) + 1);
	char * p = copy;
	while (*buffer) {
		unsigned char c = (unsigned char) *buffer;
		if (c == ' ') {
			*p++ = '+';
		} else if (!apr_isalnum(c) && !strchr(".-*_", c)) {
			snprintf(p, 4, "%%%02x", c);
			p += 3;
		} else {
			*p++ = (char) c;
		}
		buffer++;
	}
	*p = '\0';
	return copy;
}
#endif
static const char * format_location(request_rec * r, const char * url, const char *login) {
const char * out = "";
const char * p = url;
const char * append = NULL;
while (*p) {
if (*p == '%') {
if (*(p + 1) == '%') {
append = "%";
} else if (*(p + 1) == 's') {
append = ap_construct_url(r->pool, r->uri, r);
if (r->args) {
append = apr_pstrcat(r->pool, append, "?", r->args, NULL);
}
} else if (*(p + 1) == 'u') {
append = login;
}
}
if (append) {
char * prefix = "";
if (p != url) {
prefix = apr_pstrndup(r->pool, url, p - url);
}
out = apr_pstrcat(r->pool, out, prefix, ap_escape_urlencoded(r->pool, append), NULL);
p++;
url = p + 1;
append = NULL;
}
p++;
}
if (p != url) {
out = apr_pstrcat(r->pool, out, url, NULL);
}
return out;
}
module AP_MODULE_DECLARE_DATA authnz_pam_module;
#if AP_MODULE_MAGIC_AT_LEAST(20100625,0)
static APR_OPTIONAL_FN_TYPE(ap_authn_cache_store) *authn_cache_store = NULL;
// copied from socache implementations of dbm and dbd @ http://svn.eu.apache.org/viewvc?view=revision&revision=957072
static void opt_retr(void) {
authn_cache_store = APR_RETRIEVE_OPTIONAL_FN(ap_authn_cache_store);
}
/* Hand the verified password to mod_authn_socache (when it is loaded) as a
 * bcrypt hash, so that repeated requests within AuthnCacheTimeout skip the PAM
 * stack. Cost factor 5 (2^5 iterations) keeps the per-login overhead small,
 * but such a hash is cheap to brute-force if the cache backend is exposed;
 * keep AuthnCacheTimeout short. */
static void store_password_to_cache(request_rec * r, const char * login, const char * password) {
	if (!(authn_cache_store && login && password)) {
		return;
	}
	unsigned char salt[16];
	char hash[61];
	if (apr_generate_random_bytes(salt, sizeof(salt)) != APR_SUCCESS) {
		ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
			SHOW_MODULE "apr_generate_random_bytes failed, will not cache password");
		return;
	}
	if (apr_bcrypt_encode(password, 5, salt, sizeof(salt), hash, sizeof(hash)) != APR_SUCCESS) {
		ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
			SHOW_MODULE "apr_bcrypt_encode failed, will not cache password");
		return;
	}
	authn_cache_store(r, "PAM", login, NULL, hash);
}
#endif
#define _REMOTE_USER_ENV_NAME "REMOTE_USER"
#define _EXTERNAL_AUTH_ERROR_ENV_NAME "EXTERNAL_AUTH_ERROR"
#define _PAM_STEP_AUTH 1
#define _PAM_STEP_ACCOUNT 2
#define _PAM_STEP_ALL 3
static authn_status pam_authenticate_with_login_password(request_rec * r, const char * pam_service,
const char * login, const char * password, int steps) {
pam_handle_t * pamh = NULL;
struct pam_conv pam_conversation = { &pam_authenticate_conv, (void *) password };
const char * stage = "PAM transaction failed for service";
const char * param = pam_service;
int ret;
ret = pam_start(pam_service, login, &pam_conversation, &pamh);
if (ret == PAM_SUCCESS) {
#if AP_MODULE_MAGIC_AT_LEAST(20120211,56)
const char * remote_host_or_ip = ap_get_useragent_host(r, REMOTE_NAME, NULL);
#else
const char * remote_host_or_ip = ap_get_remote_host(r->connection, r->per_dir_config, REMOTE_NAME, NULL);
#endif
if (remote_host_or_ip) {
stage = "PAM pam_set_item PAM_RHOST failed for service";
ret = pam_set_item(pamh, PAM_RHOST, remote_host_or_ip);
}
}
if (ret == PAM_SUCCESS) {
if (steps & _PAM_STEP_AUTH) {
param = login;
stage = "PAM authentication failed for user";
ret = pam_authenticate(pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK);
}
if ((ret == PAM_SUCCESS) && (steps & _PAM_STEP_ACCOUNT)) {
param = login;
stage = "PAM account validation failed for user";
ret = pam_acct_mgmt(pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK);
if (ret == PAM_NEW_AUTHTOK_REQD) {
authnz_pam_config_rec * conf = ap_get_module_config(r->per_dir_config, &authnz_pam_module);
if (conf && conf->expired_redirect_url) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
SHOW_MODULE "PAM_NEW_AUTHTOK_REQD: redirect to [%s] using [%d]",
conf->expired_redirect_url, conf->expired_redirect_status);
apr_table_addn(r->headers_out, "Location", format_location(r, conf->expired_redirect_url, login));
r->status = conf->expired_redirect_status;
ap_send_error_response(r, 0);
/* Close the PAM transaction on this early return as well; without it the handle leaks on every expired-password request. */
pam_end(pamh, ret);
return AUTH_DENIED;
}
}
}
}
if (ret != PAM_SUCCESS) {
const char * strerr = pam_strerror(pamh, ret);
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, SHOW_MODULE "%s %s: %s", stage, param, strerr);
apr_table_setn(r->subprocess_env, _EXTERNAL_AUTH_ERROR_ENV_NAME, apr_pstrdup(r->pool, strerr));
pam_end(pamh, ret);
return AUTH_DENIED;
}
apr_table_setn(r->subprocess_env, _REMOTE_USER_ENV_NAME, login);
r->user = apr_pstrdup(r->pool, login);
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, SHOW_MODULE "PAM authentication passed for user %s", login);
pam_end(pamh, ret);
#if AP_MODULE_MAGIC_AT_LEAST(20100625,0)
if (steps & _PAM_STEP_AUTH) {
store_password_to_cache(r, login, password);
}
#endif
return AUTH_GRANTED;
}
APR_DECLARE_OPTIONAL_FN(authn_status, pam_authenticate_with_login_password,
(request_rec * r, const char * pam_service,
const char * login, const char * password, int steps));
static authn_status pam_auth_account(request_rec * r, const char * login, const char * password) {
authnz_pam_config_rec * conf = ap_get_module_config(r->per_dir_config, &authnz_pam_module);
if (!conf->pam_service) {
return AUTH_GENERAL_ERROR;
}
return pam_authenticate_with_login_password(r, conf->pam_service, login, password, _PAM_STEP_ALL);
}
static const authn_provider authn_pam_provider = {
&pam_auth_account,
};
#ifdef AUTHN_PROVIDER_VERSION
static authz_status check_user_access(request_rec * r, const char * require_args, const void * parsed_require_args) {
if (!r->user) {
return AUTHZ_DENIED_NO_USER;
}
const char * pam_service = ap_getword_conf(r->pool, &require_args);
if (pam_service && pam_service[0]) {
authn_status ret = pam_authenticate_with_login_password(r, pam_service, r->user, NULL, _PAM_STEP_ACCOUNT);
if (ret == AUTH_GRANTED) {
return AUTHZ_GRANTED;
}
}
return AUTHZ_DENIED;
}
static const authz_provider authz_pam_provider = {
&check_user_access,
NULL,
};
#else
static int check_user_access(request_rec * r) {
int m = r->method_number;
const apr_array_header_t * reqs_arr = ap_requires(r);
if (! reqs_arr) {
return DECLINED;
}
require_line * reqs = (require_line *)reqs_arr->elts;
int x;
for (x = 0; x < reqs_arr->nelts; x++) {
if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
continue;
}
const char * t = reqs[x].requirement;
const char * w = ap_getword_white(r->pool, &t);
if (!strcasecmp(w, "pam-account")) {
const char * pam_service = ap_getword_conf(r->pool, &t);
if (pam_service && strlen(pam_service)) {
authn_status ret = pam_authenticate_with_login_password(r, pam_service, r->user, NULL, _PAM_STEP_ACCOUNT);
if (ret == AUTH_GRANTED) {
return OK;
}
}
}
}
return DECLINED;
}
#endif
static void register_hooks(apr_pool_t * p) {
#ifdef AUTHN_PROVIDER_VERSION
ap_register_auth_provider(p, AUTHN_PROVIDER_GROUP, "PAM", AUTHN_PROVIDER_VERSION, &authn_pam_provider, AP_AUTH_INTERNAL_PER_CONF);
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "pam-account", AUTHZ_PROVIDER_VERSION, &authz_pam_provider, AP_AUTH_INTERNAL_PER_CONF);
#else
ap_register_provider(p, AUTHN_PROVIDER_GROUP, "PAM", "0", &authn_pam_provider);
ap_hook_auth_checker(check_user_access, NULL, NULL, APR_HOOK_MIDDLE);
#endif
APR_REGISTER_OPTIONAL_FN(pam_authenticate_with_login_password);
#if AP_MODULE_MAGIC_AT_LEAST(20100625,0)
ap_hook_optional_fn_retrieve(opt_retr, NULL, NULL, APR_HOOK_MIDDLE);
#endif
}
#ifdef AP_DECLARE_MODULE
AP_DECLARE_MODULE(authnz_pam)
#else
module AP_MODULE_DECLARE_DATA authnz_pam_module
#endif
= {
STANDARD20_MODULE_STUFF,
create_dir_conf, /* Per-directory configuration handler */
NULL, /* Merge handler for per-directory configurations */
NULL, /* Per-server configuration handler */
NULL, /* Merge handler for per-server configurations */
authnz_pam_cmds, /* Any directives we may have for httpd */
register_hooks /* Our hook registering function */
};
mod_authnz_pam-1.2.3/mod_authnz_pam.spec
%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn || echo 0-0)}}
%{!?_httpd_apxs: %{expand: %%global _httpd_apxs %%{_sbindir}/apxs}}
%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %%{_sysconfdir}/httpd/conf.d}}
# Defaults to /etc/httpd/conf.d with httpd < 2.4; httpd >= 2.4 defines it as /etc/httpd/conf.modules.d
%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}}
%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}}
Summary: PAM authorization checker and PAM Basic Authentication provider
Name: mod_authnz_pam
Version: 1.2.3
Release: 1%{?dist}
License: ASL 2.0
Group: System Environment/Daemons
URL: https://www.adelton.com/apache/mod_authnz_pam/
Source0: https://www.adelton.com/apache/mod_authnz_pam/%{name}-%{version}.tar.gz
BuildRequires: gcc
BuildRequires: httpd-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
Requires: httpd-mmn = %{_httpd_mmn}
Requires: pam
# Suppress auto-provides for module DSO per
# https://fedoraproject.org/wiki/Packaging:AutoProvidesAndRequiresFiltering#Summary
%{?filter_provides_in: %filter_provides_in %{_libdir}/httpd/modules/.*\.so$}
%{?filter_setup}
%description
mod_authnz_pam is a PAM authorization module, supplementing
authentication done by other modules, for example mod_auth_kerb; it
can also be used as full Basic Authentication provider which runs the
[login, password] authentication through the PAM stack.
%prep
%setup -q -n %{name}-%{version}
%build
%{_httpd_apxs} -c -Wc,"%{optflags} -Wall -Werror -pedantic -std=c99" -lpam mod_authnz_pam.c
%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
echo > authnz_pam.confx
echo "# Load the module in %{_httpd_modconfdir}/55-authnz_pam.conf" >> authnz_pam.confx
cat authnz_pam.conf >> authnz_pam.confx
%else
cat authnz_pam.module > authnz_pam.confx
cat authnz_pam.conf >> authnz_pam.confx
%endif
%install
rm -rf $RPM_BUILD_ROOT
install -Dm 755 .libs/mod_authnz_pam.so $RPM_BUILD_ROOT%{_httpd_moddir}/mod_authnz_pam.so
%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
# httpd >= 2.4.x
install -Dp -m 0644 authnz_pam.module $RPM_BUILD_ROOT%{_httpd_modconfdir}/55-authnz_pam.conf
%endif
install -Dp -m 0644 authnz_pam.confx $RPM_BUILD_ROOT%{_httpd_confdir}/authnz_pam.conf
%files
%doc README LICENSE
%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
%config(noreplace) %{_httpd_modconfdir}/55-authnz_pam.conf
%endif
%config(noreplace) %{_httpd_confdir}/authnz_pam.conf
%{_httpd_moddir}/*.so
%changelog
* Sun Jan 23 2022 Jan Pazdziora - 1.2.3-1
- Change default redirect status for AuthPAMExpiredRedirect
to 303 See Other, make it configurable.
* Tue Mar 30 2021 Jan Pazdziora - 1.2.2-1
- Use ap_get_useragent_host for interoperability with mod_remoteip.
* Thu Jul 09 2020 Jan Pazdziora - 1.2.1-1
- Store password to cache only after passing all PAM checks, including account.
* Tue Jul 17 2018 Jan Pazdziora - 1.2.0-1
- Add support for mod_authn_socache.
* Fri Feb 23 2018 Jan Pazdziora - 1.1.0-8
- https://fedoraproject.org/wiki/Packaging:C_and_C%2B%2B#BuildRequires_and_Requires
* Fri Feb 09 2018 Igor Gnatenko - 1.1.0-7
- Escape macros in %%changelog
* Tue Nov 22 2016 Jan Pazdziora - 1.1.0-1
- Logging improvements; success logging moved from notice to info level.
- Fix redirect for AuthPAMExpiredRedirect with Basic Auth.
- Fix AuthPAMExpiredRedirect %%s escaping on Apache 2.2.
* Mon Mar 21 2016 Jan Pazdziora - 1.0.2-1
- 1319166 - the Requires(pre) httpd does not seem to be needed.
* Tue Nov 10 2015 Jan Pazdziora - 1.0.1-1
- Fix handling of pre-auth / OTP / 2FA situations.
* Thu Jun 25 2015 Jan Pazdziora - 1.0.0-1
- Add support for AuthPAMExpiredRedirect.
* Mon Jun 23 2014 Jan Pazdziora - 0.9.3-1
- Fix module loading/configuration for Apache 2.4.
- Set PAM_RHOST.
* Tue May 13 2014 Jan Pazdziora - 0.9.2-1
- Silence compile warnings by specifying C99.
* Tue Apr 15 2014 Jan Pazdziora - 0.9.1-1
- Fix error message when pam_authenticate step is skipped.
* Wed Mar 19 2014 Jan Pazdziora - 0.9-1
- One more function made static for proper isolation.
* Thu Jan 30 2014 Jan Pazdziora - 0.8.1-1
- Fixing regression from previous change.
* Thu Jan 30 2014 Jan Pazdziora - 0.8-1
- 1058805 - .spec changes for Fedora package review.
* Thu Jan 09 2014 Jan Pazdziora - 0.7-1
- Declare all functions static for proper isolation.
* Wed Jan 08 2014 Jan Pazdziora - 0.6-1
- Make pam_authenticate_with_login_password available for other modules.
- Reformat documentation to make the Basic Auth usage less prominent.
* Mon Jan 06 2014 Jan Pazdziora - 0.5-1
- Initial release.
mod_authnz_pam-1.2.3/README
Apache module mod_authnz_pam
============================
Apache module mod_authnz_pam serves as a PAM authorization module,
supplementing authentication done by other modules, for example
mod_auth_kerb. It can also be used as a full Basic Authentication
provider for testing purposes, running the [login, password]
authentication through the PAM stack.
The primary intended use is in connection with sssd and pam_sss.so.
Module configuration
--------------------
Authorization:
Let us assume there is already Kerberos authentication configured:
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms EXAMPLE.COM
Krb5KeyTab /etc/http.keytab
KrbLocalUserMapping On
Require valid-user
The Require valid-user line can be replaced by
Require pam-account pam_service_name
to run an authorization check for the Kerberos-authenticated user
through the PAM service pam_service_name. Only the account part of
that PAM stack is evaluated; no password is involved.
This can be useful, for example, to enforce host-based access control
rules from a FreeIPA server on the web service.
Basic Authentication:
The module is configured using the
AuthBasicProvider PAM
directive and then by specifying the PAM service name:
AuthPAMService name_of_the_PAM_service
The PAM service to authenticate against.
Example:
AuthType Basic
AuthName "private area"
AuthBasicProvider PAM
AuthPAMService tlwiki
Require valid-user
The PAM service needs to be configured. For the above shown
tlwiki example, file /etc/pam.d/tlwiki could be created with content
auth required pam_sss.so
account required pam_sss.so
to authenticate against sssd.
As part of the Basic Authentication operation, both PAM authentication
and PAM account verification (the auth and account parts of the PAM
service configuration) are run. This ensures that HTTP status 401
is returned when the user is not permitted to log in, allowing fallback
to a different authentication mechanism. That also means that for the
above example
AuthBasicProvider PAM
AuthPAMService tlwiki
it is not necessary to use
Require pam-account tlwiki
and
Require valid-user
is enough because the account verification will be run as part of the
HTTP authentication. In fact, using Require pam-account with the same
PAM service name will cause the account PAM checks to be run twice.
On the other hand, it is possible to configure Require pam-account
with different PAM service name than the AuthPAMService value and get
two separate account PAM checks during the Basic Authentication.
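Every failed step is logged by the module at warning level with the user
name and the PAM error text (the "PAM authentication failed for user" and
"PAM account validation failed for user" messages in mod_authnz_pam.c), and
every success at info level, so the httpd error log is where password
guessing against the PAM provider shows up. The following is an added
example, not part of the module, that classifies those lines and counts
failures per client address. The log excerpt is constructed, and its
[client ip:port] layout assumes httpd 2.4's default ErrorLogFormat:

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of an httpd 2.4 error_log.  The [client ip:port] field is
 * httpd's default ErrorLogFormat (an assumption of this example); the message
 * texts are the ones mod_authnz_pam.c logs. */
static const char *SAMPLE_LOG =
    "[Sun Jan 23 12:00:01.000001 2022] [authnz_pam:warn] [pid 1201:tid 7] [client 192.0.2.10:51234] PAM authentication failed for user alice: Authentication failure\n"
    "[Sun Jan 23 12:00:02.000002 2022] [authnz_pam:warn] [pid 1201:tid 7] [client 192.0.2.10:51235] PAM authentication failed for user alice: Authentication failure\n"
    "[Sun Jan 23 12:00:03.000003 2022] [authnz_pam:info] [pid 1201:tid 8] [client 198.51.100.7:40001] PAM authentication passed for user bob\n"
    "[Sun Jan 23 12:00:04.000004 2022] [authnz_pam:warn] [pid 1201:tid 7] [client 192.0.2.10:51236] PAM authentication failed for user root: Authentication failure\n"
    "[Sun Jan 23 12:00:05.000005 2022] [authnz_pam:warn] [pid 1201:tid 9] [client 203.0.113.5:33000] PAM account validation failed for user carol: Permission denied\n";

struct pam_event {
    char client[64];  /* address from "[client ip:port]", port stripped */
    char user[64];
    int failed;       /* 1 for a failed auth or account step, 0 for a pass */
};

/* Copy [start, end) into dst, truncating to fit. */
static void copy_span(char *dst, size_t dstlen, const char *start, const char *end) {
    size_t len = (size_t)(end - start);
    if (len >= dstlen) len = dstlen - 1;
    memcpy(dst, start, len);
    dst[len] = '\0';
}

/* Classify one log line.  Returns 1 and fills ev when the line is a
 * mod_authnz_pam auth/account result, 0 for any other line. */
static int parse_pam_line(const char *line, struct pam_event *ev) {
    static const struct { const char *text; int failed; } kinds[] = {
        { "PAM authentication failed for user ", 1 },
        { "PAM account validation failed for user ", 1 },
        { "PAM authentication passed for user ", 0 },
    };
    const char *msg = NULL, *user = NULL, *c;
    size_t i;
    memset(ev, 0, sizeof *ev);
    for (i = 0; i < sizeof kinds / sizeof kinds[0] && !msg; i++) {
        if ((msg = strstr(line, kinds[i].text)) != NULL) {
            user = msg + strlen(kinds[i].text);
            ev->failed = kinds[i].failed;
        }
    }
    if (!msg) return 0;
    /* The user name ends at ": <pam_strerror text>" on failures, at end of line on a pass. */
    copy_span(ev->user, sizeof ev->user, user, user + strcspn(user, ":\r\n"));
    if ((c = strstr(line, "[client ")) != NULL && c < msg) {
        const char *end = strchr(c += strlen("[client "), ']');
        if (end) {
            char *colon;
            copy_span(ev->client, sizeof ev->client, c, end);
            if ((colon = strrchr(ev->client, ':')) != NULL) *colon = '\0';  /* drop the port */
        }
    }
    return 1;
}

/* Pull the next line out of *cursor into buf; returns 0 when the text is exhausted. */
static int next_line(const char **cursor, char *buf, size_t buflen) {
    const char *p = *cursor, *nl;
    if (!*p) return 0;
    nl = strchr(p, '\n');
    copy_span(buf, buflen, p, nl ? nl : p + strlen(p));
    *cursor = nl ? nl + 1 : p + strlen(p);
    return 1;
}

/* Failed PAM results from one client address. */
static int failures_from(const char *log, const char *client) {
    char line[512]; struct pam_event ev; int n = 0;
    while (next_line(&log, line, sizeof line))
        if (parse_pam_line(line, &ev) && ev.failed && strcmp(ev.client, client) == 0) n++;
    return n;
}

/* Distinct user names that failed from one client: several users from one
 * address is the password-spraying shape, many failures for one user is plain
 * brute force, which is why the two counters are kept apart. */
static int distinct_users_failing_from(const char *log, const char *client) {
    char line[512], seen[32][64]; struct pam_event ev; int nseen = 0, i;
    while (next_line(&log, line, sizeof line)) {
        if (!parse_pam_line(line, &ev) || !ev.failed || strcmp(ev.client, client) != 0) continue;
        for (i = 0; i < nseen && strcmp(seen[i], ev.user) != 0; i++) ;
        if (i == nseen && nseen < 32) strcpy(seen[nseen++], ev.user);
    }
    return nseen;
}

int main(void) {
    const char *suspects[] = { "192.0.2.10", "203.0.113.5", "198.51.100.7" };
    size_t i;
    for (i = 0; i < sizeof suspects / sizeof suspects[0]; i++)
        printf("%-14s failures=%d distinct_users=%d\n", suspects[i],
               failures_from(SAMPLE_LOG, suspects[i]),
               distinct_users_failing_from(SAMPLE_LOG, suspects[i]));
    return 0;
}
```

The same two functions can be pointed at a real error_log read into memory;
thresholds (how many failures from one address, how many distinct users)
are a local policy decision and are deliberately left out of the code.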
Handling expired password:
AuthPAMExpiredRedirect <url> [<status>]
For both the authorization and HTTP Basic authentication case, if the
account check reports that the user's password has expired (PAM return
code PAM_NEW_AUTHTOK_REQD from pam_acct_mgmt) and AuthPAMExpiredRedirect
is specified with a URL, the module sends a redirect to that location
instead of the usual 401 denial. For a FreeIPA server, the setting
would be
AuthPAMExpiredRedirect https://<ipa-server>/ipa/ui/reset_password.html
It is also possible to use placeholders in the URL that will be replaced
with current location (for backreference) and username (to prefill)
on the target page:
%s URL of the current page.
%u The username that was used for the PAM authentication.
%% The character % itself.
For example for FreeIPA 4.1+, the value can actually be
https://<ipa-server>/ipa/ui/reset_password.html?url=%s
By default the redirect is done using 303 See Other. The redirect
status can be specified as numerical value in the 3xx range.
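The placeholder expansion is the part of the redirect that the client can
influence: %s carries the request URI and query string, %u the login the
client presented. Below is an added, standalone C reimplementation (example
code, not the module's own, which builds the string from APR pools and
ap_escape_urlencoded) showing that both values are percent-encoded before
they are pasted into the Location header, so a login such as
alice&next=http://evil.example cannot add query parameters to the
reset-password URL. The host ipa.example.test, the user= parameter and the
other sample values are made up for the demonstration. The encoder casts
each byte to unsigned char before formatting it, so bytes above 0x7f come
out as two hex digits (a signed char handed to %02x prints a sign-extended
value instead):

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Percent-encode s into out the way httpd's ap_escape_urlencoded() does:
 * alphanumerics and ".-*_" pass through, a space becomes '+', every other
 * byte becomes %xx.  The byte is cast to unsigned char first; a negative
 * (signed) char handed to "%02x" prints a sign-extended value instead of two
 * hex digits.  Returns the number of bytes written, or -1 if out is too small
 * (outlen bounds every write, including the terminator). */
static int url_encode(const char *s, char *out, size_t outlen) {
    size_t n = 0;
    if (outlen == 0) return -1;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == ' ') {
            if (n + 1 >= outlen) return -1;
            out[n++] = '+';
        } else if (isalnum(c) || strchr(".-*_", c)) {
            if (n + 1 >= outlen) return -1;
            out[n++] = (char)c;
        } else {
            if (n + 3 >= outlen) return -1;
            snprintf(out + n, 4, "%%%02x", c);
            n += 3;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Expand the AuthPAMExpiredRedirect placeholders: %s is the URL of the current
 * request, %u the login used for PAM, %% a literal percent sign.  Substituted
 * values are encoded before being pasted in, so neither the request URI nor
 * the user-supplied login can add path segments or query parameters to the
 * redirect target.  Like the module, this passes the %% literal through the
 * encoder too (it comes out as %25) and copies unknown %x sequences verbatim.
 * Returns 0 on success, -1 if out is too small. */
static int format_location(const char *tmpl, const char *current_url,
                           const char *login, char *out, size_t outlen) {
    size_t n = 0;
    const char *p;
    if (outlen == 0) return -1;
    for (p = tmpl; *p; p++) {
        const char *val = NULL;
        if (*p == '%') {
            if (p[1] == 's') val = current_url;
            else if (p[1] == 'u') val = login;
            else if (p[1] == '%') val = "%";
        }
        if (val) {
            int w = url_encode(val, out + n, outlen - n);
            if (w < 0) return -1;
            n += (size_t)w;
            p++;                       /* skip the format character as well */
        } else {
            if (n + 1 >= outlen) return -1;
            out[n++] = *p;
        }
    }
    out[n] = '\0';
    return 0;
}

/* Sample template; the host and the user= parameter are invented for this demonstration. */
static const char *RESET_TEMPLATE =
    "https://ipa.example.test/ipa/ui/reset_password.html?url=%s&user=%u";

/* Wrappers over static buffers so results can be inspected directly. */
static const char *encode(const char *s) {
    static char buf[256];
    return url_encode(s, buf, sizeof buf) < 0 ? NULL : buf;
}

static const char *expand(const char *tmpl, const char *url, const char *login) {
    static char buf[1024];
    return format_location(tmpl, url, login, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void) {
    /* A login chosen to look like a query-string injection attempt. */
    const char *loc = expand(RESET_TEMPLATE, "https://www.example.test/app/?id=1",
                             "alice&next=http://evil.example");
    printf("Location: %s\n", loc ? loc : "(buffer too small)");
    return 0;
}
```

Note that the redirect is only issued after pam_authenticate has accepted the
(expired) password, so the %u value in the Location header is a verified
login, not an arbitrary guess; encoding it is still required because it is
being placed into a URL.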
SELinux:
On SELinux enabled systems, boolean httpd_mod_auth_pam needs to
be enabled:
setsebool -P httpd_mod_auth_pam 1
Building from sources
---------------------
When building from sources, command
apxs -i -a -c mod_authnz_pam.c -lpam -Wall -pedantic
should build and install the module.
License
-------
Copyright 2014--2022 Jan Pazdziora
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
mod_authnz_pam-1.2.3/tests/auth-socache.conf
LoadModule authn_socache_module modules/mod_authn_socache.so
ScriptAlias /authn-cached /var/www/cgi-bin/auth.cgi
AuthBasicProvider socache PAM
AuthnCacheProvideFor PAM
AuthnCacheTimeout 10
mod_authnz_pam-1.2.3/tests/auth.cgi
#!/bin/bash
echo "Content-Type: text/plain"
echo "Pragma: no-cache"
echo
if [ -n "$REMOTE_USER" ] ; then
echo "User $REMOTE_USER."
else
echo "Not authenticated."
fi

mod_authnz_pam-1.2.3/tests/build.sh
#!/bin/bash
set -e
set -x
DNF=yum
BUILDDEP_PROVIDER=yum-utils
BUILDDEP=yum-builddep
if type dnf 2> /dev/null ; then
    DNF=dnf
    BUILDDEP_PROVIDER='dnf-command(builddep)'
    BUILDDEP='dnf builddep'
fi
$DNF install -y rpm-build "$BUILDDEP_PROVIDER"
$BUILDDEP -y mod_authnz_pam.spec
NAME_VERSION=$( rpm -q --qf '%{name}-%{version}\n' --specfile mod_authnz_pam.spec | head -1 )
mkdir .$NAME_VERSION
cp -rp * .$NAME_VERSION
mv .$NAME_VERSION $NAME_VERSION
mkdir -p ~/rpmbuild/SOURCES
tar cvzf ~/rpmbuild/SOURCES/$NAME_VERSION.tar.gz $NAME_VERSION
rpmbuild -bb --define "dist $( rpm --eval '%{dist}' ).localbuild" mod_authnz_pam.spec
$DNF install -y ~/rpmbuild/RPMS/*/$NAME_VERSION-*.localbuild.*.rpm

mod_authnz_pam-1.2.3/tests/pam-exec
#!/bin/bash
# Test helper invoked through pam_exec.so (see tests/pam-web). It stands in
# for a real PAM backend: a user is known if /etc/pam-auth/<user> exists and
# the file content is the expected password.
echo "$0: $PAM_TYPE $PAM_USER"
if [ "$PAM_TYPE" == 'auth' ] ; then
    if [ "$PAM_SERVICE" = 'web2' ] ; then
        PAM_FILE="/etc/pam-auth2/$PAM_USER"
    else
        PAM_FILE="/etc/pam-auth/$PAM_USER"
    fi
    if ! [ -f "$PAM_FILE" ] ; then
        echo "No [$PAM_FILE] for user [$PAM_USER]" >&2
        exit 2
    fi
    # For auth, we compare the passwords; expose_authtok in tests/pam-web
    # makes pam_exec.so pass the entered password on stdin
    IFS= read -r PASSWORD
    IFS= read -r CHECK_PASSWORD < "$PAM_FILE"
    if [ "$PASSWORD" == "$CHECK_PASSWORD" ] ; then
        echo "$0: auth [$PAM_USER] ok"
        exit 0
    fi
    # test helper only: both passwords end up in clear in the pam_exec log
    echo "Provided password [$PASSWORD] does not match expected [$CHECK_PASSWORD]" >&2
    exit 3
fi
if [ "$PAM_TYPE" == 'account' ] ; then
    if [ "$PAM_SERVICE" = 'web2' ] ; then
        PAM_FILE="/etc/pam-account2/$PAM_USER"
    else
        PAM_FILE="/etc/pam-account/$PAM_USER"
    fi
    if ! [ -f "$PAM_FILE" ] ; then
        echo "No [$PAM_FILE] for user [$PAM_USER]" >&2
        exit 2
    fi
    # For account check, existing file is enough to allow access
    echo "$0: account [$PAM_USER] ok"
    exit 0
fi
echo "Unsupported PAM_TYPE [$PAM_TYPE]" >&2
exit 4

mod_authnz_pam-1.2.3/tests/pam-web
# PAM stack for the "web" and "web2" test services: both stages are delegated
# to tests/pam-exec; expose_authtok passes the password to it on stdin
auth optional pam_exec.so debug expose_authtok log=/var/log/httpd/pam_exec.log /usr/bin/pam-exec
account required pam_exec.so debug log=/var/log/httpd/pam_exec.log /usr/bin/pam-exec

mod_authnz_pam-1.2.3/tests/Dockerfile
FROM registry.fedoraproject.org/fedora
COPY . /src/
WORKDIR /src
RUN tests/build.sh
RUN tests/config.sh
ENTRYPOINT [ "/usr/sbin/httpd", "-DFOREGROUND" ]

mod_authnz_pam-1.2.3/tests/auth.conf
LoadModule authnz_pam_module modules/mod_authnz_pam.so

# htpasswd authentication; PAM is used only for the account (authorization) check
ScriptAlias /authz /var/www/cgi-bin/auth.cgi
<Location /authz>
    AuthType Basic
    AuthName "private area"
    AuthBasicProvider file
    AuthUserFile /etc/htpasswd
    Require pam-account web
</Location>

# PAM authentication through the "web" service (tests/pam-web)
ScriptAlias /authn /var/www/cgi-bin/auth.cgi
<Location /authn>
    AuthType Basic
    AuthName "private area"
    AuthBasicProvider PAM
    AuthPAMService web
    Require valid-user
</Location>

# PAM authentication plus an explicit account check in the same service
ScriptAlias /authnp /var/www/cgi-bin/auth.cgi
<Location /authnp>
    AuthType Basic
    AuthName "private area"
    AuthBasicProvider PAM
    AuthPAMService web
    Require pam-account web
</Location>

# account check done against a different PAM service than the authentication
ScriptAlias /authnp2 /var/www/cgi-bin/auth.cgi
<Location /authnp2>
    AuthType Basic
    AuthName "private area"
    AuthBasicProvider PAM
    AuthPAMService web
    Require pam-account web2
</Location>

# the "webl" service uses pam_unix (tests/pam-webl), i.e. real local accounts
ScriptAlias /authnp3 /var/www/cgi-bin/auth.cgi
<Location /authnp3>
    AuthType Basic
    AuthName "private area"
    AuthBasicProvider PAM
    AuthPAMService webl
    Require pam-account webl
</Location>

# expired password: redirect with the %s, %% and %u placeholders expanded
ScriptAlias /authnp4 /var/www/cgi-bin/auth.cgi
<Location /authnp4>
    AuthType Basic
    AuthName "private area"
    AuthBasicProvider PAM
    AuthPAMService webl
    AuthPAMExpiredRedirect http://localhost/fix-password?return=%s&percent=%%&user=%u
    Require pam-account webl
</Location>

# the same with an explicit 307 status and a non-ASCII character in the URL
ScriptAlias /authnp5 /var/www/cgi-bin/auth.cgi
<Location /authnp5>
    AuthType Basic
    AuthName "private area"
    AuthBasicProvider PAM
    AuthPAMService webl
    AuthPAMExpiredRedirect http://localhost/login?realm=ježek&return=%s 307
    Require pam-account webl
</Location>

mod_authnz_pam-1.2.3/tests/config.sh
#!/bin/bash
set -e
set -x
sed -i 's/^MaxClients.*/MaxClients 1/' /etc/httpd/conf/httpd.conf
mkdir -p /etc/pam-auth
mkdir -p /etc/pam-account
mkdir -p /etc/pam-account2
cp -p tests/auth.cgi /var/www/cgi-bin/auth.cgi
cp -p tests/pam-exec /usr/bin/pam-exec
cp tests/pam-web /etc/pam.d/web
cp tests/pam-web /etc/pam.d/web2
cp tests/pam-webl /etc/pam.d/webl
# pam-exec runs inside httpd as apache and has to be able to write its log
chmod a+x /var/log/httpd
touch /var/log/httpd/pam_exec.log
chown apache /var/log/httpd/pam_exec.log
cp tests/auth.conf /etc/httpd/conf.d/
if rpm -ql httpd | grep mod_authn_socache ; then
    cat tests/auth-socache.conf >> /etc/httpd/conf.d/auth.conf
fi
htpasswd -bc /etc/htpasswd alice Tajnost
useradd user1
echo user1:heslo1 | chpasswd
# test-only: lets pam_unix in the webl service, running inside httpd, read /etc/shadow
chgrp apache /etc/shadow
chmod g+r /etc/shadow

mod_authnz_pam-1.2.3/tests/pam-webl
# PAM stack for the "webl" test service: local accounts via pam_unix
auth sufficient pam_unix.so
account required pam_unix.so

mod_authnz_pam-1.2.3/tests/run.sh
#!/bin/bash
set -e
set -x
echo "Wait for the HTTP server to start ..."
for i in $( seq 1 10 ) ; do
    if curl -s -o /dev/null http://localhost/ ; then
        break
    fi
    sleep 3
done
cp /var/log/httpd/pam_exec.log /var/log/httpd/pam_exec.log.old
function next_log () {
    set +x
    # print only what pam-exec appended to the log since the previous call
    tail -c +$(( $( stat -c%s /var/log/httpd/pam_exec.log.old ) + 1 )) /var/log/httpd/pam_exec.log | sed 's/^/:: /'
    # echo '###' >> /var/log/httpd/pam_exec.log
    cp /var/log/httpd/pam_exec.log /var/log/httpd/pam_exec.log.old
    set -x
}
rm -f /etc/pam-auth/*
echo "Testing Require pam-account"
curl -s -D /dev/stdout -o /dev/null http://localhost/authz | tee /dev/stderr | grep 401
curl -u alice:Tajnost -s -D /dev/stdout -o /dev/null http://localhost/authz | tee /dev/stderr | grep 401
touch /etc/pam-account/alice
curl -u alice:Tajnost -s http://localhost/authz | tee /dev/stderr | grep 'User alice'
echo "Testing AuthBasicProvider PAM"
curl -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
touch /etc/pam-auth/bob
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
echo Secret > /etc/pam-auth/bob
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
next_log > /dev/null
touch /etc/pam-account/bob
curl -u bob:Secret -s http://localhost/authn | tee /dev/stderr | grep 'User bob'
next_log | grep 'account .bob. ok' | wc -l | grep '^1$'
curl -u bob:Secret -s http://localhost/authnp | tee /dev/stderr | grep 'User bob'
next_log | grep 'account .bob. ok' | wc -l | grep '^2$'
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authnp2 | tee /dev/stderr | grep 401
next_log | grep -E 'account .bob. ok|No ./etc/pam-account2/bob' | uniq | wc -l | grep '^2$'
touch /etc/pam-account2/bob
curl -u bob:Secret -s http://localhost/authnp | tee /dev/stderr | grep 'User bob'
next_log | grep 'account .bob. ok' | wc -l | grep '^2$'
echo Secret2 > /etc/pam-auth/bob
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
curl -u userx:heslox -s http://localhost/authnp3 | tee /dev/stderr | grep 401
curl -u user1:heslox -s http://localhost/authnp3 | tee /dev/stderr | grep 401
curl -u user1:heslo1 -s http://localhost/authnp3 | tee /dev/stderr | grep 'User user1'
curl -u user1:heslo1 -s http://localhost/authnp4 | tee /dev/stderr | grep 'User user1'
chage -d $(date -d -2days +%Y-%m-%d) -M 1 user1
curl -u user1:heslo1 -s http://localhost/authnp3 | tee /dev/stderr | grep 401
curl -i -u user1:heslo1 -s 'http://localhost/authnp4?id=123&data=M%26M' | tee /dev/stderr | grep -F -e 'Location: http://localhost/fix-password?return=http%3a%2f%2flocalhost%2fauthnp4%3fid%3d123%26data%3dM%2526M&percent=%25&user=user1' -e 'HTTP/1.1 303 See Other' | wc -l | grep 2
curl -i -u user1:heslo1 -s 'http://localhost/authnp5?data=křížala' | tee /dev/stderr | grep -F -e 'Location: http://localhost/login?realm=ježek&return=http%3a%2f%2flocalhost%2fauthnp5%3fdata%3dk%c5%99%c3%ad%c5%beala' -e 'HTTP/1.1 307 Temporary Redirect' | wc -l | grep 2
chage -d $(date -d -2days +%Y-%m-%d) -M 3 user1
curl -u user1:heslo1 -s http://localhost/authnp3 | tee /dev/stderr | grep 'User user1'
curl -u user1:heslo1 -s http://localhost/authnp4 | tee /dev/stderr | grep 'User user1'
if rpm -ql httpd | grep mod_authn_socache ; then
    echo "Testing AuthBasicProvider socache PAM + AuthnCacheProvideFor PAM"
    rm /etc/pam-account/bob
    curl -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
    curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn-cached | tee /dev/stderr | grep 401
    echo Secret > /etc/pam-auth/bob
    curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn-cached | tee /dev/stderr | grep 401
    # rerun the same request, verify that passing auth did not store password into cache
    curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn-cached | tee /dev/stderr | grep 401
    touch /etc/pam-account/bob
    curl -u bob:Secret -s http://localhost/authn-cached | tee /dev/stderr | grep 'User bob'
    echo Secret2 > /etc/pam-auth/bob
    curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
    curl -u bob:Secret -s http://localhost/authn-cached | tee /dev/stderr | grep 'User bob'
    sleep 11
    curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn-cached | tee /dev/stderr | grep 401
fi
echo OK $0.