Yes, the Debian (sid) pam.d file for apache 2.x is /etc/pam.d/apache2 (/etc/pam.d/httpd is for apache 1.x).

Although I do have a quick update. I added my apache user (www-data on Debian) to the shadow group:

  % ls -l /etc/shadow
  -rw-r----- 1 root shadow 910 Nov 11 22:37 /etc/shadow

In addition, I removed all mapping security constraints from /etc/ypserv.conf (yes, this is bad, but I'm just trying to get it to work and then go from there):

  # Host : Map : Security : Passwd_mangle
  * : * : none

In this event, people in the NIS directory can successfully authenticate via mod_auth_pam. However, this is quite bad, as any user can now get access to the encrypted passwords in NIS:

  % ypcat shadow.byname
  ...
  test:XXXXXXXXXXXXX:12367:0:99999:7:::
  ...

However, if I take access away from /etc/shadow, OR if I ratchet down ypserv.conf again, things go back to not working. Is there any way to get this to work without giving NIS shadow access away to everyone (thereby defeating the purpose of the shadow database altogether)? I can't think of a way, but if someone else knows, I'm all ears.

Since I deemed leaving my shadow fly unzipped as unacceptable (for the time being), I revoked access to the shadow DBs and thought I had found a good compromise in pam_dotfile (a PAM module which allows users to create distinct passwords for different services at their own discretion). I installed and configured this with no problem (changing the appropriate entries in common-auth). However, now when I attempt to authenticate via Apache, the authentication works, but the account data retrieval doesn't (and Apache still returns a failed authentication).

Here's the entry from my /var/log/auth.log file:

  Nov 12 01:45:25 kanga apache2(pam_dotfile)[23099]: Authentication successful for user <test>

But here's the entry in /var/log/apache2/error.log:

  [Wed Nov 12 01:45:25 2003] [error] [client 192.168.1.33] PAM: user 'matt' - invalid account: Authentication service cannot retrieve authentication info.

By the way, for those of you who are unfamiliar with it, pam_dotfile is only an auth module. It does not provide any services for account, session, etc.

Any ideas here (on either subject) would (again) be greatly appreciated.

--Matt

On Wed, 12 Nov 2003, Ingo Tag wrote:

>Date: Wed, 12 Nov 2003 10:33:49 +0100
>From: Ingo Tag <ingo@xxxxxxxxxxxxxx>
>Reply-To: pam-list@xxxxxxxxxx
>To: pam-list@xxxxxxxxxx
>Subject: Re: NIS + mod_auth_pam + Apache2 + Debian
>
>On Wed, Nov 12, 2003 at 12:08:27AM -0800, Matt Bogosian wrote:
>> Here's my /etc/pam.d/apache2:
>
>That should be /etc/pam.d/httpd, unless Debian's package changed the
>defaults.
>
>
>--
>Ingo
>
>_______________________________________________
>
>Pam-list@xxxxxxxxxx
>https://www.redhat.com/mailman/listinfo/pam-list
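
An added example, not part of the original message or of the NIS tools: a small audit that reads ypserv.conf access rules in the "Host : Map : Security" layout quoted above and reports whether shadow.byname is served with security "none" to a given client. The sample rule sets are constructed, the host syntax handled is limited to `*` and address/netmask, and first-matching-rule evaluation is an assumption about how ypserv applies the list.

```python
import ipaddress

# Maps that carry password hashes; shadow.byname is the one queried in the message.
SENSITIVE_MAPS = ("shadow.byname",)

def parse_rules(text):
    """Return (host, map, security) tuples from ypserv.conf access-rule lines."""
    rules = []
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.split("#", 1)[0].split(":")]
        if len(fields) >= 3 and all(fields[:3]):  # skips blanks, comments, "option: value"
            rules.append((fields[0], fields[1].lower(), fields[2].lower()))
    return rules

def host_matches(host, client):
    """'*' matches every client; anything else is read as address[/netmask]."""
    if host == "*":
        return True
    try:
        return ipaddress.ip_address(client) in ipaddress.ip_network(host, strict=False)
    except ValueError:
        return False  # host syntax this example does not handle

def effective_security(rules, map_name, client):
    """Security value of the first rule matching client and map (assumed first-match)."""
    for host, rule_map, security in rules:
        if host_matches(host, client) and rule_map in ("*", map_name.lower()):
            return security
    return None  # no rule matched; the server's default applies

def exposed_maps(conf_text, client):
    """Sensitive maps that the client can read with no restriction at all."""
    rules = parse_rules(conf_text)
    return [m for m in SENSITIVE_MAPS if effective_security(rules, m, client) == "none"]

# Constructed samples: the wide-open rule from the message, and a tighter variant.
WIDE_OPEN = """
# Host : Map : Security : Passwd_mangle
* : * : none
"""
RESTRICTED = """
# Host : Map : Security : Passwd_mangle
* : shadow.byname : port : yes
* : * : none
"""

if __name__ == "__main__":
    for name, conf in (("wide open", WIDE_OPEN), ("restricted", RESTRICTED)):
        print(name, "->", exposed_maps(conf, "192.168.1.33") or "no exposed maps")
```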