<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>unixauth (third party plugin)</title> <meta name="viewport" content="width=device-width, initial-scale=1" /> <link rel="stylesheet" href="../../style.css" type="text/css" /> <link rel="stylesheet" href="../../local.css" type="text/css" /> </head> <body> <div class="page"> <div class="pageheader"> <div class="header"> <span> <span class="parentlinks"> <a href="../../index.html">ikiwiki</a>/ <a href="../../plugins.html">plugins</a>/ <a href="../contrib.html">contrib</a>/ </span> <span class="title"> unixauth (third party plugin) </span> </span> </div> </div> <div id="pagebody"> <div id="content" role="main"> <p><span class="infobox"> Plugin: unixauth<br /> Author: <span class="createlink">schmonz</span><br /> Included in ikiwiki: no<br /> Enabled by default: no<br /> Included in <a href="../goodstuff.html">goodstuff</a>: no<br /> Currently enabled: no<br /> </span></p> <div class="infobox"> Available in a <a href="../../git.html">git</a> repository <a href="../../branches.html">branch</a>.<br /> Branch: unixauth<br /> Author: <span class="createlink">schmonz</span><br /> </div> <p>This plugin authenticates users against the Unix user database. It presents a similar UI to <a href="../passwordauth.html">passwordauth</a>, but simpler, as there's no need to be able to register or change one's password.</p> <p>To authenticate, either <a href="http://cr.yp.to/checkpwd.html">checkpassword</a> or <a href="http://www.unixpapa.com/pwauth/">pwauth</a> must be installed and configured. <code>checkpassword</code> is strongly preferred. If your web server runs as an unprivileged user -- as it darn well should! -- then <code>checkpassword</code> needs to be setuid root. (Or your ikiwiki CGI wrapper, I guess, but don't do that.) Other checkpassword implementations are available, notably <a href="http://checkpasswd-pam.sourceforge.net/">checkpassword-pam</a>.</p> <p>Config variables that affect the behavior of <code>unixauth</code>:</p> <ul> <li><code>unixauth_type</code>: defaults to unset, can be "checkpassword" or "pwauth"</li> <li><code>unixauth_command</code>: defaults to unset, should contain the full path and any arguments</li> <li><code>unixauth_requiressl</code>: defaults to 1, can be 0</li> <li><code>sslcookie</code>: needs to be 1 if <code>unixauth_requiressl</code> is 1 (perhaps this should be done automatically?)</li> </ul> <p><strong>Security</strong>: <a href="/security/#index14h2">As with passwordauth</a>, be wary of sending usernames and passwords in cleartext. Unlike passwordauth, sniffing <code>unixauth</code> credentials can get an attacker much further than mere wiki access. Therefore, this plugin defaults to not even <em>displaying</em> the login form fields unless we're running under SSL. Nobody should be able to do anything remotely dumb until the admin has done at least a little thinking. After that, dumb things are always possible. <img src="../../smileys/smile4.png" alt=";-)" /></p> <p><code>unixauth</code> needs the <code>HTTPS</code> environment variable, available in ikiwiki 2.67 or later (fixed in #<a href="http://bugs.debian.org/502047">502047</a>), without which it fails closed.</p> <p>The plugin has not been tested with newer versions of ikiwiki. <span class="createlink">schmonz</span> hopes to have time to polish this plugin soon.</p> </div> </div> <div id="footer" class="pagefooter" role="contentinfo"> <div id="pageinfo"> <div class="tags"> Tags: <a href="../../branches.html" rel="tag">branches</a> <a href="../../git.html" rel="tag">git</a> <a href="../type/auth.html" rel="tag">type/auth</a> </div> <div class="pagedate"> Last edited <span class="date">Tue Feb 26 23:01:54 2019</span> <!-- Created <span class="date">Tue Feb 26 23:01:54 2019</span> --> </div> </div> <!-- from ikiwiki --> </div> </div> </body> </html>