Digging into this more, I have learned that the pam calls in the pam.py module use the username that is trying to authenticate, and pwauth requires the www-data userid. There is some other magic with apache2/mod-authnz-external that makes this work with htaccess. I tried adding a pam_set_item(PAM_RUSER, 'www-data') to pam.py, which works:
Feb 16 16:28:21 tibs2 apache2: pam_unix(pwauth:auth): authentication failure; logname= uid=33 euid=33 tty= ruser=www-data rhost= user=kwebb

but the authentication is still failing, so I clearly do not understand how pam works yet, but I do desire that web2py use pam without needing to add www-data to the shadow group in /etc/group.

On Tuesday, February 16, 2016 at 2:42:54 PM UTC-7, kw...@teradactyl.com wrote:
>
> I'm trying to get UNIX logins working using pam. I was able to get the user login to work if I add www-data to the shadow group. To get this working, I had to add www-data to the shadow group. This is considered a bad practice, and pwauth is possibly the solution. I was able to configure pwauth and test it with htaccess to get it working. In my apache config I added:
>
> AddExternalAuth pwauth /usr/sbin/pwauth
> SetExternalAuthMethod pwauth pipe
>
> <Directory /var/www/html/web2py>
>   <Files wsgihandler.py>
>     Order deny,allow
>     Allow from all
>   </Files>
>   AuthType Basic
>   AuthName "Restricted"
>   AuthBasicProvider external
>   AuthExternal pwauth
>   require valid-user
> </Directory>
>
> Next, in gluon/contrib/login_methods, I changed the pam service in the authenticate() call:
>
> return authenticate(username, password, service='pwauth')
>
> From /var/log/auth.log I get:
>
> Feb 16 14:10:27 tibs2 unix_chkpwd[11030]: check pass; user unknown
> Feb 16 14:10:27 tibs2 unix_chkpwd[11030]: password check failed for user (kwebb)
> Feb 16 14:10:27 tibs2 apache2: pam_unix(pwauth:auth): authentication failure; logname= uid=33 euid=33 tty= ruser= rhost= user=kwebb
>
> It works if I go back and add www-data to the shadow group in /etc/passwd.
> I've also found some references to this in an Ubuntu 14.04 install for web2py which I am trying to avoid:
>
> usermod -a -G shadow www-data
>
> Here is my pam config file for pwauth:
>
> #
> # The PAM configuration file for the `pwauth' service
> #
>
> # Disallows other than root logins when /etc/nologin exists
> # (Replaces the `NOLOGINS_FILE' option from login.defs)
> auth requisite pam_nologin.so
>
> # Standard Un*x authentication.
> @include common-auth
>
> # Standard Un*x account
> @include common-account
>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
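As an added example (not code from the original post, nor web2py's own login_methods), here is a login method that hands the credential pair to pwauth over its pipe protocol, the same mechanism mod_authnz_external uses, so the web server user never needs shadow-group membership. The pwauth path, the injectable `run` hook and the exit-code mapping are assumptions taken from pwauth's documentation, not from the thread.

```python
"""web2py-style login method that delegates the password check to pwauth.

pwauth is a setuid helper, so the process running web2py (www-data, uid 33
in the thread) never reads /etc/shadow itself and needs no shadow group.
"""
import subprocess

PWAUTH_PATH = "/usr/sbin/pwauth"  # assumed: Debian/Ubuntu default location


def _run_pwauth(payload, pwauth_path=PWAUTH_PATH, timeout=10):
    """Run pwauth in pipe mode: it reads 'username\\npassword\\n' on stdin
    and reports the verdict purely through its exit status."""
    proc = subprocess.run([pwauth_path], input=payload,
                          stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL, timeout=timeout)
    return proc.returncode


def check_password(username, password, run=_run_pwauth):
    """Return (ok, reason). `run` is injectable (assumption for testing)
    so the logic can be exercised without a real pwauth binary."""
    # The pipe protocol is newline-delimited: a username or password that
    # contains a newline or NUL would desynchronise it, so refuse them.
    for value in (username, password):
        if not value or "\n" in value or "\r" in value or "\x00" in value:
            return False, "malformed-input"
    payload = ("%s\n%s\n" % (username, password)).encode("utf-8")
    try:
        code = run(payload)
    except (OSError, subprocess.TimeoutExpired):
        return False, "pwauth-unavailable"
    if code == 0:
        return True, "ok"
    if code >= 50:
        # Per pwauth's docs, codes >= 50 are internal errors such as the
        # calling uid not being in SERVER_UIDS: a deployment problem, not a
        # wrong password, and worth alerting on rather than silently denying.
        return False, "pwauth-config-error"
    return False, "denied"


def pwauth_auth(pwauth_path=PWAUTH_PATH):
    """Factory in the shape of gluon/contrib/login_methods: returns a
    callable (username, password) -> bool for auth.settings.login_methods."""
    def pwauth_auth_aux(username, password):
        ok, _reason = check_password(
            username, password, run=lambda p: _run_pwauth(p, pwauth_path))
        return ok
    return pwauth_auth_aux
```

Deploying this still requires www-data's uid to be listed in pwauth's compiled-in SERVER_UIDS, which is exactly the condition the uid=33 log lines above are probing.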