I have modified mod_auth_pam to allow for per-directory configuration of the PAM authentication to use, either in a .htaccess file or in the httpd.conf file. This is done by using a new PAM_Service directive to specify which config in /etc/pam.d to use, the default being httpd.

We use this where part of our website is only accessible to people who are either dialled in and authenticated via RADIUS or are in a list of upgraded users. PAM is the easiest way to achieve this because of the dynamic nature of the authentication, yet other parts of the website are accessible to all users, but they need to authenticate against PAM. I feel that this will be of immense benefit to people who want to use mod_auth_pam in an environment where different authentication mechanisms are to be used by different websites or parts of websites, like we do.

I enclose a diff file to patch mod_auth_pam version 1.0a for your consideration. One point to note is the restriction of servicename to 40 characters, and another is the possible security implication of the strncpy; both of which are beyond my limited knowledge of Linux C programming and for which I defer to your greater knowledge and experience.

Lance Davis
uklinux.net
*** mod_auth_pam.c.orig Sun Feb 13 22:16:57 2000 --- mod_auth_pam.c Wed Dec 6 02:04:23 2000 *************** *** 6,12 **** */ /* ! * v 1.0a from 13-Feb-2000 * * mod_auth_pam: * basic authentication against pluggable authentication module lib --- 6,12 ---- */ /* ! * v 1.0a-2 from 06-Dec-2000 * * mod_auth_pam: * basic authentication against pluggable authentication module lib *************** *** 21,26 **** --- 21,30 ---- * based upon mod_auth.c * * Changes: + * 06-Dec-00: Lance Davis <lance@uklinux.net> + * Added support for per directory pam configuration in .htaccess file or httpd.conf + * using PAM_Service directive + * * 06-Dec-99: Special casing for Solaris 2.6 added * Added versioning message to headers * 14-Feb-99: Cleaned up the configuration directives and named them *************** *** 97,102 **** --- 101,112 ---- * Defaults to off * * AuthPAM_Authorative on|off DEPRECATED + * + * AuthPAM_Service servicename servicename specifies the pam configuration module + * to use within the context defined. Default is to use + * /etc/pam.d/httpd - maxc length is 40 chars - any more + * are ignored and the directive will fail. 
+ * */ #include <unistd.h> *************** *** 116,122 **** module pam_auth_module; static const char - *pam_servicename = "httpd", *valid_user = "valid-user"; typedef struct { --- 126,131 ---- *************** *** 154,159 **** --- 163,169 ---- can't find the username (defaults to 0) */ enabled; /* 1 to use mod_auth_pam, 0 otherwise (defaults to 1) */ + char service[41]; } auth_pam_dir_config; void auth_pam_init(server_rec *s, pool *p) *************** *** 170,175 **** --- 180,186 ---- new->fail_delay = 0; /* 0 ms */ new->fall_through = 0; /* off */ new->enabled = 1; /* on */ + strcpy(new->service,"httpd"); return new; } *************** *** 195,200 **** --- 206,217 ---- return NULL; } + static char* auth_service(cmd_parms *cmd, auth_pam_dir_config *config, char *arg) + { + strncpy(config->service,arg,40); + return NULL; + } + static command_rec auth_pam_cmds[] = { { "AuthFailDelay", (const char*(*)())auth_fail_delay, 0, OR_AUTHCFG, TAKE1, "number of micro seconds to wait after failed authentication attempt. defau *************** *** 206,211 **** --- 223,231 ---- one fails; default is off" }, { "AuthPAM_Enabled", (const char*(*)())auth_enable, NULL, OR_AUTHCFG, FLAG, "on|off - determines if PAM authentication is enabled; default is on" }, + { "AuthPAM_Service", (const char*(*)())auth_service, NULL, OR_AUTHCFG, TAKE1, + "service defines which pam service to use ; default is httpd" }, + { 0 } }; *************** *** 383,389 **** userinfo.name = r->connection->user; /* initialize pam */ ! if((res = pam_start(pam_servicename, userinfo.name, &conv_info, &pamh)) != PAM_SUCCESS) { --- 403,409 ---- userinfo.name = r->connection->user; /* initialize pam */ ! if((res = pam_start(conf->service, userinfo.name, &conv_info, &pamh)) != PAM_SUCCESS) {
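Review bot: the documentation block added at lines 101-112 promises behaviour the handler does not implement: it says names over 40 characters "are ignored and the directive will fail", but the auth_service handler below truncates silently with strncpy and returns NULL. Either make the handler return an error string for overlong names or reword this comment to say the name is truncated. "maxc length" should be "max length", and the cover note calls the directive PAM_Service while this comment and the command table register AuthPAM_Service; settle on one name.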
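Review bot: removing the static pam_servicename at lines 116-122 leaves the pam_start call as the only user touched by this diff; check the rest of the file for other references to pam_servicename (log messages, for instance) that would now fail to compile.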
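Review bot: the fixed `char service[41];` field added to auth_pam_dir_config at lines 163-169 is what creates both the 40-character limit and the strncpy question raised in the cover note. A `char *service` member set with `config->service = ap_pstrdup(cmd->pool, arg);` in the handler (and `new->service = "httpd";` in the create function) would remove both: the per-directory config pool outlives the config, and the copy is always NUL-terminated.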
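Review bot: `strncpy(config->service,arg,40);` in auth_service (lines 206-217) never writes service[40], so for an argument of 40 characters or more the field is NUL-terminated only if that byte was already zero; the create function's `strcpy(new->service,"httpd")` writes only six bytes, so this depends on whether the struct was zero-filled at allocation, which the diff does not show. Add `config->service[40] = '\0';` after the copy, or better, reject overlong names as the comment block says: `if (strlen(arg) > 40) return "AuthPAM_Service: service name longer than 40 characters";` returning a string makes the server report the error and refuse the configuration, which is the documented behaviour.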
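Review bot: the AuthPAM_Service table entry at lines 223-231 uses OR_AUTHCFG, so any directory whose AllowOverride includes AuthConfig can switch its PAM stack to any name in /etc/pam.d from a .htaccess file. The cover note says this is intended, but it should be stated in the help string and the module documentation, since the server administrator then no longer controls which PAM stack protects which content; deployments that do not want that can be served by registering the directive with RSRC_CONF so it is only accepted in httpd.conf. The help string also has a stray space before the semicolon.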
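Review bot: the pam_start call at lines 403-409 now reads conf->service, but the hunk does not show where conf is defined; confirm it is the auth_pam_dir_config obtained from ap_get_module_config(r->per_dir_config, &pam_auth_module) earlier in this function (the same config fail_delay and enabled are read from), and that service is guaranteed NUL-terminated by the time it reaches pam_start, since PAM uses the name to locate its configuration file and would otherwise read past the 41-byte field.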
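The two concerns raised in the cover note, the 40-character limit and the strncpy, can be handled in the directive handler itself. The following is an added example, not code from mod_auth_pam or from Lance Davis's patch: it keeps the fixed 41-byte field but validates the name before copying (rejecting overlong names instead of truncating, as the patch's comment block describes) and always NUL-terminates the field. The Apache 1.3 `cmd_parms` and `auth_pam_dir_config` types are replaced by a plain `pam_dir_config` struct so it compiles stand-alone, the function names `set_pam_service`, `pam_service_name_ok` and `pam_service_selfcheck` are hypothetical, and the restriction to the characters `[A-Za-z0-9_.-]` with no leading `.` is an assumption chosen here as a defensive default, not something the patch enforces.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example; mirrors the patch's fixed-size field and "httpd" default. */
#define PAM_SERVICE_MAX 40

typedef struct {
    char service[PAM_SERVICE_MAX + 1];   /* stand-in for auth_pam_dir_config.service */
} pam_dir_config;

/* Same default the patch installs in its create function, on a zero-filled struct
 * so the terminating byte is always defined. */
void pam_dir_config_init(pam_dir_config *cfg)
{
    memset(cfg, 0, sizeof *cfg);
    strcpy(cfg->service, "httpd");
}

/* Returns 1 if name is acceptable as an /etc/pam.d entry name: non-empty, at most
 * PAM_SERVICE_MAX characters, only [A-Za-z0-9_.-], and not starting with '.'.
 * The character set is an assumption made for this example. */
int pam_service_name_ok(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > PAM_SERVICE_MAX)
        return 0;
    if (name[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Directive handler in the Apache style: NULL on success, otherwise an error
 * string that the server would report, making the configuration load fail. */
const char *set_pam_service(pam_dir_config *cfg, const char *arg)
{
    if (!pam_service_name_ok(arg))
        return "AuthPAM_Service: name must be 1-40 characters from [A-Za-z0-9_.-] "
               "and must not start with '.'";
    /* strncpy alone does not terminate when arg fills the limit; copy at most
     * PAM_SERVICE_MAX bytes and terminate explicitly. */
    strncpy(cfg->service, arg, PAM_SERVICE_MAX);
    cfg->service[PAM_SERVICE_MAX] = '\0';
    return NULL;
}

/* Exercises the handler: returns 1 if the default, an accepted override and a
 * rejected override all behave as intended, 0 otherwise. */
int pam_service_selfcheck(void)
{
    pam_dir_config cfg;
    pam_dir_config_init(&cfg);
    if (strcmp(cfg.service, "httpd") != 0)
        return 0;
    if (set_pam_service(&cfg, "radius-web") != NULL)       /* constructed valid name */
        return 0;
    if (strcmp(cfg.service, "radius-web") != 0)
        return 0;
    if (set_pam_service(&cfg, "../other") == NULL)          /* must be rejected */
        return 0;
    if (strcmp(cfg.service, "radius-web") != 0)             /* config left untouched */
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample directive arguments. */
    const char *args[] = { "httpd", "radius-web", "", "../other",
                           "this-service-name-is-far-too-long-to-be-accepted-by-the-handler" };
    pam_dir_config cfg;
    pam_dir_config_init(&cfg);
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++) {
        const char *err = set_pam_service(&cfg, args[i]);
        printf("%-64s -> %s (service now \"%s\")\n", args[i], err ? err : "ok", cfg.service);
    }
    return pam_service_selfcheck() ? 0 : 1;
}
```

Because a rejected name leaves the previous value in place and returns an error string, a directory with a bad `AuthPAM_Service` line fails to configure rather than silently authenticating against a truncated or unintended service name.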