I finally resolved this. Turns out PAM is not actually calling pwauth. A
simple bit of code:
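    import subprocess
    def pwauth_check(username, password):
        # pwauth reads the login and password from stdin, one per line, and exits 0 on success
        proc = subprocess.Popen(['/usr/sbin/pwauth'], stdin=subprocess.PIPE, universal_newlines=True)
        proc.communicate('%s\n%s\n' % (username, password))
        return proc.returncode == 0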
Does the trick. I will formalize this and remove it from the pam module.
On Tuesday, February 16, 2016 at 2:42:54 PM UTC-7, [email protected]
wrote:
>
> I'm trying to get UNIX logins working using pam. I was able to get the
> user login to work if I add www-data to the shadow group. To get this
> working, I had to add www-data to the shadow group. This is considered a
> bad practice, and pwauth is possibly the solution. I was able to configure
> pwauth and test it with htaccess to get it working. In my apache config I
> added:
>
> AddExternalAuth pwauth /usr/sbin/pwauth
> SetExternalAuthMethod pwauth pipe
>
> <Directory /var/www/html/web2py>
> <Files wsgihandler.py>
> Order deny,allow
> Allow from all
> </Files>
> AuthType Basic
> AuthName "Restricted"
> AuthBasicProvider external
> AuthExternal pwauth
> require valid-user
> </Directory>
>
> Next, in gluon/contrib/login_methods, I changed the pam service in the
> authenticate() call:
>
> return authenticate(username, password, service='pwauth')
>
> From /var/log/auth.log I get:
>
> Feb 16 14:10:27 tibs2 unix_chkpwd[11030]: check pass; user unknown
> Feb 16 14:10:27 tibs2 unix_chkpwd[11030]: password check failed for user (kwebb)
> Feb 16 14:10:27 tibs2 apache2: pam_unix(pwauth:auth): authentication failure; logname= uid=33 euid=33 tty= ruser= rhost= user=kwebb
>
> It works if I go back and add www-data to the shadow group in /etc/passwd.
> I've also found some references to this in an Ubuntu 14.04 install
> for web2py which I am trying to avoid:
>
> usermod -a -G shadow www-data
>
> Here is my pam config file for pwauth:
>
> #
> # The PAM configuration file for the `pwauth' service
> #
>
> # Disallows other than root logins when /etc/nologin exists
> # (Replaces the `NOLOGINS_FILE' option from login.defs)
> auth requisite pam_nologin.so
>
> # Standard Un*x authentication.
> @include common-auth
>
> # Standard Un*x account
> @include common-account
>
>
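A more defensive form of the pwauth pipe call from the reply at the top of this thread, written as an added example; it is not code from the thread or from web2py. The function name, the `helper` and `timeout` parameters and the `FAKE_PWAUTH` stand-in (with its made-up password) are assumptions of this example, and Python 3 is assumed.

```python
import subprocess
import sys

PWAUTH = ('/usr/sbin/pwauth',)  # helper path from the thread, as an argv tuple

# Constructed stand-in for offline runs only (not pwauth itself): it reads
# two lines from stdin and exits 0 for the made-up pair kwebb / s3cret.
FAKE_PWAUTH = (sys.executable, '-c',
               "import sys\n"
               "u = sys.stdin.readline().rstrip('\\n')\n"
               "p = sys.stdin.readline().rstrip('\\n')\n"
               "sys.exit(0 if (u, p) == ('kwebb', 's3cret') else 1)")


def pwauth_login(username, password, helper=PWAUTH, timeout=10):
    """Return True only when the helper exits 0 for this login/password."""
    # The pipe format is one field per line, so a value holding a line break
    # or NUL would shift the fields the helper reads. Refuse it up front.
    # Rejecting empty fields is a choice made for this example.
    for field in (username, password):
        if not field or any(c in field for c in '\r\n\0'):
            return False
    payload = ('%s\n%s\n' % (username, password)).encode('utf-8')
    try:
        # argv sequence, no shell; the credentials go over stdin only, so
        # they never appear in the process list or the environment.
        proc = subprocess.run(list(helper), input=payload,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return False  # fail closed: helper missing, not executable, or hung
    return proc.returncode == 0


if __name__ == '__main__':
    for user, pw in [('kwebb', 's3cret'), ('kwebb', 'wrong'),
                     ('kwebb\ns3cret', 'x')]:
        print(repr(user), pwauth_login(user, pw, helper=FAKE_PWAUTH))
```

With the default `helper`, the call runs the setuid pwauth binary, so www-data does not need to be in the shadow group.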