mod_auth_pam fallthrough always fails (because mod_auth_pam never returns PAM_USER_UNKNOWN)
Bug #2913 reported by Christian Reis
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
libapache-mod-auth-pam (Ubuntu) | Confirmed | Medium | MOTU | |
Bug Description
At Async we use mod_auth_pam with fallthrough. The configuration looks like this:
<Directory "/mondo/
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
AuthName "Teia secure area"
AuthType Basic
Require valid-user
Satisfy Any
</Directory>
In other words, we want to:
- Allow connections from 127.0.0.1
- Use PAM authentication for other hosts
- Failing that, use regular mod_auth for anything else
In the default Ubuntu and Debian configurations, this doesn't work.
Changed in libapache-mod-auth-pam: status: New → Accepted
The reason this fails is because our configuration of PAM makes mod_auth_pam never return DECLINED. The reason is that pam_authenticate() seems to never return PAM_USER_UNKNOWN. IIRC it always returns PAM_AUTH_ERR, and this email seems to confirm it:
http://archives.neohapsis.com/archives/pam-list/2001-03/0060.html
The reply to that email, at
http://archives.neohapsis.com/archives/pam-list/2001-03/0059.html
seems to indicate it's a bug in the PAM configuration. I'm not so sure it is, but if it is, it's broken in Debian and Ubuntu because I never changed anything in /etc/pam.d/.
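
The fallthrough failure described in this report, as an added example that is not part of the bug report and is not mod_auth_pam or Apache source. It is a self-contained model: the handler logic is an assumption inferred from the report (decline only on PAM_USER_UNKNOWN with fall-through enabled), the result codes are local stand-ins, and the accounts, the function names and the `reports_unknown` switch are constructed for illustration.

```c
#include <string.h>
#include <stdio.h>

/* Local stand-ins for the PAM and Apache result codes named in the report. */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_USER_UNKNOWN = 10 };
enum { OK = 0, DECLINED = -1, HTTP_UNAUTHORIZED = 401 };

/* Constructed sample accounts: one system (PAM) user, one htpasswd-only user. */
static const char *pam_db[][2]  = { { "alice", "sys-secret" } };
static const char *file_db[][2] = { { "webonly", "web-secret" } };

/* Returns 1 on a password match; *known reports whether the user exists. */
static int lookup(const char *db[][2], size_t n, const char *u, const char *p, int *known)
{
    *known = 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(db[i][0], u) == 0) {
            *known = 1;
            return strcmp(db[i][1], p) == 0;
        }
    return 0;
}

/* Assumed PAM handler. reports_unknown selects whether the modelled PAM stack
 * distinguishes an unknown user or collapses every failure to PAM_AUTH_ERR. */
static int pam_handler(const char *u, const char *p, int fall_through, int reports_unknown)
{
    int known, rc = PAM_AUTH_ERR;
    if (lookup(pam_db, 1, u, p, &known)) rc = PAM_SUCCESS;
    else if (!known && reports_unknown) rc = PAM_USER_UNKNOWN;
    if (rc == PAM_SUCCESS) return OK;
    return (rc == PAM_USER_UNKNOWN && fall_through) ? DECLINED : HTTP_UNAUTHORIZED;
}

/* The first handler that does not decline decides; the file check stands in for mod_auth. */
int authenticate(const char *u, const char *p, int fall_through, int reports_unknown)
{
    int known, rc = pam_handler(u, p, fall_through, reports_unknown);
    if (rc != DECLINED) return rc;
    return lookup(file_db, 1, u, p, &known) ? OK : HTTP_UNAUTHORIZED;
}

int main(void)
{
    printf("stack reports unknown user: %d\n", authenticate("webonly", "web-secret", 1, 1));
    printf("stack returns PAM_AUTH_ERR: %d\n", authenticate("webonly", "web-secret", 1, 0));
    return 0;
}
```

In the model, a known system user with a wrong password is rejected without falling through, so the file-based check is reached only for users the PAM stack reports as unknown.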