devnill

Reputation: 2123

PAM authentication failing with suphp

I'm working on a script that uses PAM authentication in PHP. When I try to authenticate, it works fine for the user that owns the file, but any other user who attempts to log in will fail.

How can I get any user who has a system account to be authenticated, and not just the user who owns the file?

This is a copy of my pam configuration for php:

auth       optional   pam_faildelay.so  delay=3000000
@include common-auth
@include common-account
@include common-session

common-auth contains:

auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

common-account contains:

account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
account requisite                       pam_deny.so
account required                        pam_permit.so

common-session contains:

session [default=1]                     pam_permit.so    
session requisite                       pam_deny.so
session required                        pam_permit.so
session required                        pam_unix.so

This is an example of how I am making an authentication request:

if(pam_auth($username,$password)){
    displayMappings();
}
else{
    echo("authentication failure. Please try again.");
}

Upvotes: 1

Views: 1299

Answers (2)

Dion

Reputation: 1

Using the full pam_auth() call allows you to use options that get around the whole shadow issue, so long as you only use the most basic functionality:

$error = "";
// Fourth argument false: skip the account-management checks and only verify the password
$auth = pam_auth($user, $pass, $error, false);

turns off the rest of the account checks and makes it do simple password validation.

Upvotes: 0

kupson

Reputation: 7238

The PAM module pam_unix.so requires root access[1] (such as a call from a suid-root file) to authenticate users other than the current user. The current user's password is verified with the helper program unix_chkpwd; that is the situation you are observing.

So I would say any attempt to use PAM (pam_unix.so) directly from a PHP script is doomed.

If you have to check /etc/shadow passwords then I would try to go through the saslauthd daemon configured to use the shadow password database/PAM. Setup is trivial in most cases, but look at the file and directory access permissions of the saslauthd socket (somewhere in /var/run).

In PHP you can use this module or call the testsaslauthd executable with user and password parameters and check its return code.

[1] OK, shadow group probably would suffice.

Upvotes: 1
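The saslauthd route described in the answer above, as an added example that is not part of the original answer: instead of shelling out to testsaslauthd (which puts the password on the command line where it is visible in process listings), PHP can talk to saslauthd's Unix socket directly using the same wire format testsaslauthd uses: four fields (login, password, service, realm), each a 16-bit big-endian length followed by the bytes, answered by one length-prefixed string beginning "OK" or "NO". The socket path /var/run/saslauthd/mux, the service name "php" and the hypothetical saslauthd_auth() function are assumptions; saslauthd is assumed to be running (for example with -a pam, in which case "php" names the PAM service file shown in the question, or with -a shadow) and the user the script runs as must be able to connect to the socket.

```php
<?php
// Added example (not from the original answer): authenticate a user by asking
// saslauthd over its mux socket. saslauthd runs as root, so pam_unix/shadow
// lookups succeed for any account, which a non-root PHP process cannot do itself.

// Read exactly $n bytes from a stream, or return false on EOF/timeout.
function read_exact($fp, int $n)
{
    $buf = '';
    while (strlen($buf) < $n) {
        $chunk = fread($fp, $n - strlen($buf));
        if ($chunk === false || $chunk === '') {
            return false;
        }
        $buf .= $chunk;
    }
    return $buf;
}

// Returns true only if saslauthd replied "OK ..."; any error counts as failure.
// Assumed defaults: service "php", empty realm, socket /var/run/saslauthd/mux.
function saslauthd_auth(string $user, string $password,
                        string $service = 'php', string $realm = '',
                        string $socket = '/var/run/saslauthd/mux'): bool
{
    // Build the request: each field is uint16 (network order) length + data.
    $frame = '';
    foreach ([$user, $password, $service, $realm] as $field) {
        if (strlen($field) > 0xFFFF) {
            return false;               // not encodable in a 16-bit length
        }
        $frame .= pack('n', strlen($field)) . $field;
    }

    $fp = @stream_socket_client('unix://' . $socket, $errno, $errstr, 5);
    if ($fp === false) {
        error_log("saslauthd connect to $socket failed: $errstr ($errno)");
        return false;
    }
    stream_set_timeout($fp, 5);

    $ok = fwrite($fp, $frame) === strlen($frame);
    $reply = '';
    if ($ok) {
        $hdr = read_exact($fp, 2);
        if ($hdr !== false) {
            $len = unpack('n', $hdr)[1];
            $reply = $len > 0 ? (read_exact($fp, $len) ?: '') : '';
        }
    }
    fclose($fp);

    // saslauthd answers "OK" (optionally followed by text) or "NO <reason>".
    return strncmp($reply, 'OK', 2) === 0;
}

// Usage in the question's script, replacing the pam_auth() call:
// if (saslauthd_auth($username, $password)) { displayMappings(); }
// else { echo "authentication failure. Please try again."; }
```

Before wiring this in, confirm from the same account the PHP script runs as that the socket is reachable, for example with `testsaslauthd -u alice -p 'secret' -s php -f /var/run/saslauthd/mux` (constructed credentials); a "NO" or a "connect() : Permission denied" at this stage is the socket-directory permission problem the answer warns about, which is usually fixed by adding the web or suphp user to the group owning /var/run/saslauthd rather than by loosening the directory mode. Treat every non-"OK" outcome, including timeouts and connection errors, as an authentication failure so that a stopped daemon never fails open.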
