mod_auth_pam fallthrough always fails (because mod_auth_pam never returns PAM_USER_UNKNOWN)

Bug #2913 reported by Christian Reis on 2005-10-06
Affects: libapache-mod-auth-pam (Ubuntu)
Importance: Medium
Assigned to: MOTU

Bug Description

At Async we use mod_auth_pam with fallthrough. The configuration looks like this:

    <Directory "/mondo/htdocs/async/wa/teia">
        AuthPAM_FallThrough on
        AuthUserFile /mondo/htdocs/async/clients/teia/.htpasswd
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1
        AuthName "Teia secure area"
        AuthType Basic
        Require valid-user
        Satisfy Any
    </Directory>

In other words, we want to:

  - Allow connections from 127.0.0.1
  - Use PAM authentication for other hosts
  - Failing that, use regular mod_auth for anything else

In the default Ubuntu and Debian configurations, this doesn't work.

Christian Reis (kiko) wrote :

The reason this fails is because our configuration of PAM makes mod_auth_pam never return DECLINED. The reason is that pam_authenticate() seems to never return PAM_USER_UNKNOWN. IIRC it always returns PAM_AUTH_ERR, and this email seems to confirm it:

http://archives.neohapsis.com/archives/pam-list/2001-03/0060.html

The reply to that email, at

http://archives.neohapsis.com/archives/pam-list/2001-03/0059.html

seems to indicate it's a bug in the pam configuration. I'm not so sure it is, but if it is, it's broken in Debian and Ubuntu because I never changed anything in /etc/pam.d/.

Changed in libapache-mod-auth-pam:
assignee: nobody → motu
Christian Reis (kiko) wrote :

The following patch works around the issue:

kiko@anthem:/mondo/src/APACHE/mod_auth_pam-1.1.1$ diff -u mod_auth_pam.c-orig mod_auth_pam.c
--- mod_auth_pam.c-orig 2004-08-27 15:22:01.000000000 -0300
+++ mod_auth_pam.c 2004-08-27 15:31:57.000000000 -0300
@@ -370,7 +370,7 @@
   if((res = pam_authenticate(pamh, PAM_DISALLOW_NULL_AUTHTOK)) !=
      PAM_SUCCESS ) {
     ap_log_reason((char*)compat_pam_strerror(pamh, res), r->uri, r);
- if(conf->fall_through && (res == PAM_USER_UNKNOWN)) {
+ if(conf->fall_through) {
       /* we don't know about the user, but other auth modules might do */
       pam_end(pamh, PAM_SUCCESS);
       return DECLINED;
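Review bot: removing the `res == PAM_USER_UNKNOWN` test makes every pam_authenticate() failure fall through, including a wrong password for a user PAM does know about, so a bad PAM password is silently handed to the next auth module instead of being rejected. The comment `/* we don't know about the user, but other auth modules might do */` no longer describes the condition and should be reworded, and the reason passed to ap_log_reason() should say the request is being passed on rather than refused, so an administrator reading the error log can tell the two cases apart. If PAM genuinely cannot be relied on to return PAM_USER_UNKNOWN, gating the broader fall-through on a separate config option would keep the original semantics for sites that do not need it.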

I say works around because we really should only fall through if the user is unknown; it does work, though.

Oh, silly me, we mangle attachments. I'm reattaching a diff.

At any rate, the error message you get when failing is also pretty mangled -- there's a description of the problem and a patch at http://archives.neohapsis.com/archives/pam-list/2004-05/0034.html

Changed in libapache-mod-auth-pam:
status: New → Accepted
Jeoff (jeoffwilks) wrote :

I encountered this same problem, so for those just searching for the workaround, I found the solution buried in the README file for the libapache-mod-auth-pam 1.1.1-7.1 package.
http://hanzubon.jp/ubuntu/pool/universe/liba/libapache-mod-auth-pam/libapache-mod-auth-pam_1.1.1-7.1.diff.gz

The short answer is, mod_auth is handling your "require" statements *before* mod_auth_pam, so you have to tell it to give other modules a chance by setting "AuthAuthoritative Off".
http://httpd.apache.org/docs/2.0/mod/mod_auth.html#authauthoritative

The mod_auth_pam documentation says to use "AuthPAM_FallThrough on" to allow other modules a chance to provide authentication info. That only works if mod_auth_pam is handling requests *before* mod_auth.
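For readers who want the two comments combined, the following is the reporter's Directory block rewritten with mod_auth told not to be authoritative. This is an added example, not configuration from the bug report, the README or the package; the path, AuthName and htpasswd file are taken from the report, and it assumes Apache 2.0 with both mod_auth and mod_auth_pam loaded, with mod_auth running first as described above.

```apache
<Directory "/mondo/htdocs/async/wa/teia">
    # Access control: only 127.0.0.1 passes. With "Satisfy Any", a client
    # that passes here is admitted without authenticating; every other
    # client must authenticate below.
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Satisfy Any

    AuthName "Teia secure area"
    AuthType Basic
    Require valid-user

    # mod_auth consults the htpasswd file first. Without
    # "AuthAuthoritative Off" a user who is not in this file is rejected
    # outright and mod_auth_pam is never consulted.
    AuthUserFile /mondo/htdocs/async/clients/teia/.htpasswd
    AuthAuthoritative Off

    # mod_auth_pam gets the users mod_auth declined. FallThrough is kept
    # so that mod_auth_pam declines rather than rejects when PAM fails,
    # leaving the decision to whatever module runs after it.
    AuthPAM_FallThrough on
</Directory>
```

Note the effective order this produces: a user present in the htpasswd file is checked against it, and only users absent from the file reach PAM. That is the reverse of the "PAM first, then mod_auth" order the report asks for, but it is what the module ordering described above allows; a wrong htpasswd password is still refused by mod_auth and is not retried against PAM.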

Steve Kowalik (stevenk) wrote :

I can see there is nothing for ubuntu-universe-sponsors to upload, so I am unsubscribing them from this bug.
