<HTML ><HEAD ><TITLE >Tying it all together</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK REL="HOME" TITLE=" User Authentication HOWTO " HREF="index.html"><LINK REL="PREVIOUS" TITLE="Securing User Authentication" HREF="x263.html"><LINK REL="NEXT" TITLE="Resources" HREF="x376.html"></HEAD ><BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >User Authentication HOWTO</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="x263.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" ></TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="x376.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A NAME="AEN316" ></A >5. Tying it all together</H1 ><P > In this section, I'll give a simple example which ought to help tie together what's in the previous section. </P ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN319" ></A >5.1. Apache + mod_auth_pam</H2 ><P > As our example, we'll install and configure mod_auth_pam, an Apache module that allows you to authenticate users of your webserver using PAM. For the purpose of this example, I'll assume you have apache installed. If it's not installed already you should be able find installation packages from your distributor. </P ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN322" ></A >5.2. Our example</H2 ><P > Our goal will be to configure a restricted area of our webserver, a <TT CLASS="FILENAME" >family/</TT > directory, to authenticate users via PAM. This directory contains private family information, and should only be accessible to members of the user group family. </P ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN326" ></A >5.3. Installing mod_auth_pam</H2 ><P > First, you'll want to download mod_auth_pam from <A HREF="http://blank.pages.de/pam/mod_auth_pam/" TARGET="_top" >http://blank.pages.de/pam/mod_auth_pam/</A >. The following commands will compile mod_auth_pam (you must be logged in as root): </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="PROGRAMLISTING" > <TT CLASS="PROMPT" >~#</TT > <TT CLASS="USERINPUT" ><B >tar xzf mod_auth_pam.tar.gz</B ></TT > <TT CLASS="PROMPT" >~#</TT > <TT CLASS="USERINPUT" ><B >cd mod_auth_pam-1.0a</B ></TT > <TT CLASS="PROMPT" >~/mod_auth_pam-1.0a#</TT > <TT CLASS="USERINPUT" ><B >make</B ></TT > <TT CLASS="PROMPT" >~/mod_auth_pam-1.0a#</TT > <TT CLASS="USERINPUT" ><B >make install</B ></TT > </PRE ></FONT ></TD ></TR ></TABLE ><P > If you have any trouble installing the mod_auth_pam module, make sure you've installed your distribution's apache-dev package. After you've installed mod_auth_pam, you'll need to restart apache. Apache can usually by restarted by typing the following command (again, you must be root): </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="PROGRAMLISTING" > <TT CLASS="PROMPT" >~#</TT > <TT CLASS="USERINPUT" ><B >/etc/init.d/apache restart</B ></TT > </PRE ></FONT ></TD ></TR ></TABLE ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN343" ></A >5.4. Configuring PAM</H2 ><P > The PAM configuration for Apache is stored in <TT CLASS="FILENAME" >/etc/pam.d/httpd</TT >. The default configuration (which was installed when you installed mod_auth_pam) is secure, but it uses a module (<TT CLASS="FILENAME" >pam_pwdb.so</TT >) which may not be available on many systems. (Besides, configuring it from scratch will be fun!) So delete the <TT CLASS="FILENAME" >/etc/pam.d/httpd</TT > file, and start with a fresh one. </P ><DIV CLASS="SECT3" ><H3 CLASS="SECT3" ><A NAME="AEN349" ></A >5.4.1. Deciding how to configure PAM</H3 ><P > If we're going to configure how PAM deals with Apache's authentication requests, we need to figure out exactly what we need PAM to check for. First, we want PAM to make sure the user's password matches their password in the standard unix password database. This sounds like the 'auth' type and the <TT CLASS="FILENAME" >pam_unix.so</TT > module. We'll want the module's control type to be set to 'required', so authentication will fail without a correct password. Here's what the first line of our <TT CLASS="FILENAME" >/etc/pam.d/httpd</TT > looks like: </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="PROGRAMLISTING" > auth required pam_unix.so </PRE ></FONT ></TD ></TR ></TABLE ><P > Secondly, we must make sure that the users account is valid (i.e. their password has not expired or any such nastiness). This is the 'account' type and is also provided by the <TT CLASS="FILENAME" >pam_unix.so</TT > module. Again, we'll set this module's control type to 'required'. After adding this line, our <TT CLASS="FILENAME" >/etc/pam.d/httpd</TT > configuration looks like this: </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="PROGRAMLISTING" > auth required pam_unix.so account required pam_unix.so </PRE ></FONT ></TD ></TR ></TABLE ><P > It's not terribly sophisticated, but it does the job. It ought to be a good start for learning how to configure PAM services. </P ></DIV ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN360" ></A >5.5. Configuring Apache</H2 ><P > Now that PAM is configured to authenticate apache's requests, we'll configure apache to properly utilize PAM authentication to restrict access to the <TT CLASS="FILENAME" >family/</TT > directory. To do so, add the following lines to your <TT CLASS="FILENAME" >httpd.conf</TT > (usually stored in <TT CLASS="FILENAME" >/etc/apache/</TT > or <TT CLASS="FILENAME" >/etc/httpd</TT >): </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="PROGRAMLISTING" > <Directory /var/www/family> AuthPAM_Enabled on AllowOverride None AuthName "Family Secrets" AuthType "basic" require group family </Directory> </PRE ></FONT ></TD ></TR ></TABLE ><P > You may need to replace <TT CLASS="FILENAME" >/var/www/</TT > with the default location of web documents, which is often <TT CLASS="FILENAME" >/home/httpd/</TT >. Wherever that is, you'll need to create the <TT CLASS="FILENAME" >family</TT > directory. </P ><P > Before we test our setup, I'll take a moment to explain the Apache configuration you just entered. The <Directory> directive is used to encapsulate configuration data for this directory. Inside this directive, we've enabled PAM authentication ("AuthPAM_enabled on"), turned off any overriding of this configuration ("AllowOverride none"), named this authentication zone "Family Secrets" ("AuthName "Family Secrets""), set the http authentication (not the PAM authentication) type to the default ("AuthType "basic""), and required the user group family ("require group family"). </P ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN373" ></A >5.6. Testing our setup</H2 ><P > Now that we've got everything setup up properly, it's time to revel in our success. Fire up your favorite web browser and head over to http://your-domain/family/ (replacing your-domain with, well, your domain). You are now an uber-authenticator! </P ></DIV ></DIV ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="x263.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" ACCESSKEY="H" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="x376.html" ACCESSKEY="N" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >Securing User Authentication</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" > </TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >Resources</TD ></TR ></TABLE ></DIV ></BODY ></HTML >