How to get PAM authentication working with Apache and mod_authnz_external?


I've been trying for 2 days now to write a custom PAM script which authenticates under Linux with sys user and pass.

I made examples in C, Python and Perl but I have the same problem with all of them.

When I test the script in my shell everything works well.

I test them with

# ./script;echo $?

And get 0 or 1 back.

But as soon as I try to use it with mod_authnz_external and Apache it stops working.

Even with a valid user I get a 1 back and am not able to log in.

It seems that there is a problem with PAM and maybe the Apache environment.

I read somewhere that I have to set the environment variables to use PAM but I have no clue how.

Here are examples in C, Perl and Python:

C: http://pastebin.com/v9Yn9xvK

Perl: http://pastebin.com/cqzqztYg

Python: http://pastebin.com/32cvvCjS

Choose whatever you like, they all work the same... returning the exit code 0 or 1.

Any help or hint would be appreciated.

Thanks!


There are 1 best solutions below


If you're authenticating a system user with PAM, then it's going to go through libpam_unix.so. From the manpage of pam_unix:

A helper binary, unix_chkpwd(8), is provided to check the user's password when it is stored in a read protected database. This binary is very simple and will only check the password of the user invoking it.

So if you want to authenticate users from a webserver, you're most likely running as user 'apache' or something like that. All pam_unix can do for you is authenticate user 'apache', which is most likely not what you want. pwauth must somehow bypass this restriction.
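A diagnostic stand-in for the external authenticator, added here as an example (it is not code from the question or the answer), makes the restriction described above visible from inside Apache. It assumes mod_authnz_external's pipe method (user name and password on stdin, one per line) and that the authenticator's stderr ends up in the Apache error log; the function names and the `pam-diag` log prefix are hypothetical.

```python
#!/usr/bin/env python3
"""Diagnostic stand-in for an external authenticator (added example)."""
import os
import pwd
import sys


def parse_pipe_input(data):
    """Split 'user\\npassword\\n' as received on stdin into (user, password)."""
    lines = data.split("\n")
    if len(lines) < 2 or not lines[0]:
        raise ValueError("expected user and password on separate lines")
    return lines[0], lines[1]


def account_name(uid):
    """Map a uid to a login name, falling back to the number itself."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def diagnose(target_user, invoking_user, euid):
    """Return (ok, reason): can pam_unix check target_user from this process?"""
    if euid == 0:
        return True, "running as root: the shadow database is readable directly"
    if target_user == invoking_user:
        return True, "unix_chkpwd will check the invoking user's own password"
    return False, ("unix_chkpwd only checks the password of %r, not %r"
                   % (invoking_user, target_user))


def main():
    # The password is read but never logged.
    user, _password = parse_pipe_input(sys.stdin.read())
    euid = os.geteuid()
    _ok, reason = diagnose(user, account_name(euid), euid)
    # %r escapes control characters in the client-supplied user name.
    print("pam-diag: euid=%d (%s) target=%r -> %s"
          % (euid, account_name(euid), user, reason), file=sys.stderr)
    return 1  # always reject: this script diagnoses, it does not authenticate


if __name__ == "__main__":
    sys.exit(main())
```

Run from a root shell it reports the root case, which is why the same script can pass a manual test and still fail under the web server's account.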