php-pam_auth-4.3.1_0.3.1-1mdk.ppc.rpm

(Note: This readme is just a dump of the webpage, please see
	http://www.math.ohio-state.edu/~ccunning/pam_auth.html
for the latest info)

                          PHP4 Pam Authentication

  pam_auth 0.2 released 3/5/01

   I finally figured out some problems people were having, this should
   fix all errors I'm aware of. If you have problems using this, please
   let me know.

   Changes:
     * Fixed problem that caused build errors on some systems
     * Fixed possible core dumps on solaris
     * Fixed typo causing errors to not be returned
     * Added ability to set the pam servicename in the php.ini
     * It now builds as a shared module (although it won't load...)

   Go get it now: [1]pam_auth-0.2.tar.gz

  TODO

     * Add ability to change passwords (dangerous!)
     * Figure out why the shared module won't load
     * Add option to not require a valid account entry (i.e. make sure
       they don't have to have the ability to log in)

  What is it?

   This is a PHP4 extension that will allow you to simply and easily use
   php to authenticate via PAM.

  What is PAM?

   PAM stands for Pluggable Authentication Module. It is a system that
   abstracts user authentication to allow arbitrary modules to handle the
   real work. In this way, PAM-enabled services can use a variety of
   complex authentication schemes without modifying the applications. For
   more information, and available modules, see
   [2]http://www.kernel.org/pub/linux/libs/pam/.

  Why would I want to use PAM from PHP?

   PAM gives you very flexible control over authentication. As an
   example, there are PAM modules that will authenticate against a local
   shadow or password file, a Windows NT domain, an SQL database, LDAP,
   Kerberos, RADIUS, and more. In addition, PAM modules can give you the
   ability to have restrictions on the authentication, such as the
   pam_tally module, which limits the number of login attempts, and the
   pam_listfile module, which lets you restrict access to a list of users.
   Please note, using PAM does not mean you can securely authenticate
   users; it simply gives you the ability to do so with proper
   configuration and planning.

  How can I get pam?

   If you are running Linux or Solaris, you already have it! Linux and
   Solaris both natively use PAM for all authentication, so you are
   all set. If you are on other systems, well, you're on your own. I have
   no idea what PAM has been ported to...

  Isn't there already a php pam module?

   Yep, you can find it at [3]ftp://ftp.netexpress.net/pub/pam/.

  So, why another one?

   The above module is an excellent wrapper to the PAM API. However, for
   projects at work, I don't need the PAM API, I simply need to
   authenticate users. I figure 90% of other people out there also just
   want to authenticate. So, I wrote this to do that and that only,
   simply and without fuss. It consists of only one function, pam_auth()
   which will return true if the user is authenticated, or false if not.
   False will also issue a warning with the reason given for failure. If
   you need any of the more advanced features of PAM, get the module
   above.

  Where can I get it?

   Right here! [4]pam_auth-0.1.tar.gz

  How do I Install it?

   Very easily! Simply untar the file, and copy it to your php source
   directory in the ext/ subdirectory. In the top level of the source
   directory, run the buildconf script (i.e. ./buildconf). Then, simply
   build as usual, specifying the --with-pam_auth flag to build it in.
   In the near future I will put up instructions for building a shared
   module, and make binary loadable modules available for Solaris and
   Linux.

  How do I configure it?

   There isn't much to configuring the extension. The default pam
   servicename is php, as of version 0.2 you can change this in the
   php.ini by adding an entry such as:

     pam_auth.servicename = "whatever";

   You will also need to configure PAM if you expect this to do anything
   interesting; PAM must know about your service and what it's allowed to
   do. This requires root access to the web server. If you don't have
   root access to the machine you want to set this up on, you are out of
   luck. If you are using Linux, at least Red Hat, you can copy
   /etc/pam.d/login to /etc/pam.d/php (or whatever you chose for the
   servicename), which will give php the same authentication rules as
   telnet and rlogin. Under Solaris you'll need to add entries to
   /etc/pam.conf; again, you can base this on other entries. Please note,
   I strongly advise that you read through the PAM docs at
   [5]http://www.kernel.org/pub/linux/libs/pam/ so that you have a clear
   concept of what you're doing and how secure it is; specifically, read
   the System Administrators Guide in the online documentation. This
   information is mostly valid for Solaris as well.

   For the lazy...

   Linux
# /etc/pam.d/php
#
# note: both an auth and account entry are required

auth            sufficient      /lib/security/pam_pwdb.so shadow nodelay
account         sufficient      /lib/security/pam_pwdb.so

   Solaris
# add to /etc/pam.conf

php             auth    required        /usr/lib/security/pam_unix.so.1
php             account required        /usr/lib/security/pam_unix.so.1

  How do I use it?

   It's very easy! Here's an example that demonstrates all the
   functionality...

if (pam_auth($username, $password, &$error)) {
        echo "Yeah baby, we're authenticated!";
} else {
        echo $error;
}

   See, wasn't that easy? The function itself returns either true or
   false. The third argument is optional, if supplied it must be passed
   by reference (the & before it..). If the authentication fails, the
   error message returned by pam will be written to that variable.

  Will it work with both the CGI and Module version of PHP?

   Yep, it will work with either.

  I keep getting the error "Authentication failure", what does that mean?

   The most likely reason for this is that you are trying to authenticate
   via a local shadow file and you do not have permission to do so. The
   PAM modules handling shadow authentication (used on Linux and Solaris)
   require that the application have permission to read the shadow file
   (makes sense, eh?). If you are running php as a CGI or as a webserver
   module, it is executed as your webserver's user and group. By default,
   most Linux and Solaris systems are configured to only allow the root
   user to read the shadow file. The recommended way around this is to
   change permissions on the shadow file so that it is group readable,
   and chgrp the file to a group that the webserver is in. Before
   doing this, you should give it some serious thought, as allowing your
   webserver to read the shadow file gives hackers another way to crack
   away at your system. If you decide to enable this, I strongly suggest
   usage of the pam_tally module to limit failed logins to a reasonable
   number of attempts, and one of the other modules which will allow you
   to block root and other system users.

  The pam_auth function doesn't return anything, whattup?

   Did you remember to create an entry in the pam configuration for the
   php service? Huh huh, did ya?

  Logs indicate pam authenticated the user, but the function doesn't return
  true, what gives?

   Make sure your pam configuration has an entry for both auth and
   account, if you do not have both, it will not work.
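
   The requirement above (an auth and an account entry for the service)
   and the pam_tally / user-blocking suggestions from the "Authentication
   failure" answer can be checked mechanically. The following is an added
   example, not part of pam_auth or the original page; the function names,
   the /etc/php.deny path and the choice of pam_listfile as the
   user-blocking module are assumptions of this example.

```python
import os

PAM_TYPES = {"auth", "account", "password", "session"}

def parse_pam(text, service="php"):
    """Yield (type, control, module, args) for `service` from either layout:
    /etc/pam.d/<service> (type first) or /etc/pam.conf (service first)."""
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens and tokens[0].lstrip("-") not in PAM_TYPES:
            # pam.conf layout: first column is the service name
            tokens = tokens[1:] if tokens[0] == service else []
        if len(tokens) < 3:
            continue  # blank, comment, other service, or malformed
        mtype, control, rest = tokens[0].lstrip("-"), tokens[1], tokens[2:]
        while control.startswith("[") and not control.endswith("]") and rest:
            control += " " + rest.pop(0)  # rejoin "[success=ok default=die]"
        if rest:
            yield mtype, control, os.path.basename(rest[0]), rest[1:]

def audit(text, service="php"):
    """Report missing auth/account entries and missing hardening modules.
    Assumption: pam_listfile is the module used to block root/system users."""
    entries = list(parse_pam(text, service))
    findings = [f"missing {t} entry" for t in ("auth", "account")
                if not any(e[0] == t for e in entries)]
    auth_modules = [e[2] for e in entries if e[0] == "auth"]
    for module, why in (("pam_tally", "failed logins are not limited"),
                        ("pam_listfile", "root/system users are not blocked")):
        if not any(m.startswith(module) for m in auth_modules):
            findings.append(f"no {module} in auth stack: {why}")
    return findings

# Constructed samples: the README's Linux file and a hardened variant
# (/etc/php.deny is a hypothetical deny-list path).
README_LINUX = """\
auth     sufficient /lib/security/pam_pwdb.so shadow nodelay
account  sufficient /lib/security/pam_pwdb.so
"""
HARDENED = """\
auth     required pam_listfile.so item=user sense=deny file=/etc/php.deny onerr=fail
auth     required pam_tally.so onerr=fail no_magic_root
auth     required pam_pwdb.so shadow nodelay
account  required pam_tally.so deny=5 no_magic_root reset
account  required pam_pwdb.so
"""

if __name__ == "__main__":
    for name, sample in (("README", README_LINUX), ("hardened", HARDENED)):
        print(name, audit(sample) or "ok")
```

   Feed it the contents of /etc/pam.d/php or /etc/pam.conf; it does not
   follow include directives or backslash line continuations.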

  I have a hosted account, can I use this?

   The best answer I can give is maybe... Since this can be built as a
   dynamically loadable module, you can load it yourself provided your
   hosting company allows you to do so. However, to use this you must
   configure pam, which your provider would have to do for you. I'm
   betting not many will... Theoretically, one could change the
   servicename in the source to an existing service that already is
   configured for PAM; however, your hosting provider might not like
   that... In the next release I will make the servicename configurable
   in the php.ini.

  Can I use it with PHP3?

   Not currently... It wouldn't be tough to backport it to PHP3, I just
   haven't done it. I might one of these days... Or if you want to, let
   me know :)

  I tried it, but I get an error about a call to undefined function. What
  gives?

   For some reason, newer versions of php4 do not always seem to properly
   update the autoconf stuff when you run the buildconf script. If you
   get this error, configure php again and then look through the autoconf
   output and look for a line that says "Checking for Pam Auth support:
   yes". If you don't see it, it isn't getting built in. To fix this, run
   the command 'autoconf' in the top level php source directory; this
   should update the configure script to recognize the pam auth stuff.
   Run configure again and check for the verification in the output.

  Can I use it as a dynamically loadable shared module?

   Not yet, I haven't figured out why. As soon as I can get it to work I
   will make that version 0.3...

  Couldn't you just do this with the pam extension and some php user code?

   Yep... But, I wanted something clean without a lot of user space php
   code lying around, and that anyone could use without having to worry
   about how the PAM API works.

  Can I email you for help?

   If you have a problem directly related to the pam_auth extension, such
   as it won't build, or you have comments/suggestions, feel free to
   email me. However, I will not answer general questions about PAM, or
   about how to build php sites that handle authentication, such
   questions should be directed to the appropriate mailing lists.

  Why is this webpage so ugly and boring?

   Because I'm lazy.
     _________________________________________________________________

   Last Updated: 3-5-01 [6]ccunning@math.ohio-state.edu

References

   1. http://www.math.ohio-state.edu/~ccunning/download.php/pam_auth-0.2.tar.gz
   2. http://www.kernel.org/pub/linux/libs/pam/
   3. ftp://ftp.netexpress.net/pub/pam/
   4. http://www.math.ohio-state.edu/~ccunning/download.php/pam_auth-0.2.tar.gz
   5. http://www.kernel.org/pub/linux/libs/pam/
   6. mailto:ccunning@math.ohio-state.edu