I'm trying to get UNIX logins working using pam.  I was able to get the user 
login to work if I add www-data to the shadow group.  To get this working, 
I had to add www-data to the shadow group.  This is considered a bad 
practice, and pwauth is possibly the solution.  I was able to configure 
pwauth and test it with htaccess to get it working.  In my apache config I 
added:

  AddExternalAuth pwauth /usr/sbin/pwauth
  SetExternalAuthMethod pwauth pipe

  <Directory /var/www/html/web2py>
    <Files wsgihandler.py>
      Order deny,allow
      Allow from all
    </Files>
    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider external
    AuthExternal pwauth
    require valid-user
  </Directory>

Next, in gluon/contrib/login_methods, I changed the pam service in the 
authenticate() call:

    return authenticate(username, password, service='pwauth')

From /var/log/auth.log I get:

Feb 16 14:10:27 tibs2 unix_chkpwd[11030]: check pass; user unknown
Feb 16 14:10:27 tibs2 unix_chkpwd[11030]: password check failed for user (kwebb)
Feb 16 14:10:27 tibs2 apache2: pam_unix(pwauth:auth): authentication failure; logname= uid=33 euid=33 tty= ruser= rhost= user=kwebb

It works if I go back and add www-data to the shadow group in /etc/passwd. 
 I've also found some references to this in an Ubuntu 14.04 install
for web2py which I am trying to avoid:

usermod -a -G shadow www-data

Here is my pam config file for pwauth:

#
# The PAM configuration file for the `pwauth' service
#

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so

# Standard Un*x authentication.
@include common-auth

# Standard Un*x account
@include common-account
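
The Apache config in the post uses pwauth's pipe method, in which the helper reads the login and the password from stdin, one per line, and reports the result through its exit status. The following is an added example, not code from the original post or from web2py: a login callable that hands credentials to that same helper instead of calling PAM from the www-data process, so www-data does not need to be in the shadow group. `pwauth_check` and `pwauth_auth` are hypothetical names, and it assumes pwauth accepts the web server's uid, as it does for the htaccess test described in the post.

```python
import subprocess

PWAUTH = "/usr/sbin/pwauth"  # helper path from the Apache config in the post


def pwauth_check(username, password, binary=PWAUTH, timeout=10):
    """Return True only if the pwauth helper exits 0 for these credentials."""
    # Pipe protocol: login and password on stdin, one per line. A CR, LF or NUL
    # inside either field would shift the fields, so refuse instead of sending.
    for field in (username, password):
        if not field or any(c in field for c in "\r\n\0"):
            return False
    try:
        proc = subprocess.run(
            [binary],  # argv list, no shell
            input=f"{username}\n{password}\n".encode("utf-8"),
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout,
        )
    except (OSError, subprocess.TimeoutExpired):
        return False  # fail closed if the helper is missing or hangs
    return proc.returncode == 0  # any non-zero status is a rejection


def pwauth_auth(binary=PWAUTH):
    """Hypothetical factory in the style of web2py's login methods."""
    def login(username, password):
        return pwauth_check(username, password, binary=binary)
    return login
```

In a web2py app the callable would be registered like the other login methods, for example `auth.settings.login_methods.append(pwauth_auth())`.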
