suphp 导致 PAM 身份验证失败
我正在编写一个在 PHP 中使用 PAM 身份验证的脚本。当我尝试进行身份验证时,它对于拥有该文件的用户来说工作正常,但尝试登录的任何其他用户都会失败。
如何让拥有系统帐户的任何用户进行身份验证,而不仅仅是拥有该文件的用户?
这是我的 php pam 配置的副本:
auth optional pam_faildelay.so delay=3000000
@include common-auth
@include common-account
@include common-session
common-auth contains:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
common-account contains:
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
common-session contains:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
这是我如何发出身份验证请求的示例:
if(pam_auth($username,$password)){
displayMappings();
}
else{
echo("authentication failure. Please try again.");
}
I'm working on a script that uses PAM authentication in PHP. When I try to authenticate, it works fine for the user that owns the file, but any other user who attempts to log in will fail.
How can I get any user who has a system account to be authenticated, and not just the user who owns the file?
This is a copy of my pam configuration for php:
auth optional pam_faildelay.so delay=3000000
@include common-auth
@include common-account
@include common-session
common-auth contains:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
common-account contains:
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
common-session contains:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
This is an example of how I am making an authentication request:
if(pam_auth($username,$password)){
displayMappings();
}
else{
echo("authentication failure. Please try again.");
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
PAM 模块 pam_unix.so 需要 root 访问权限[1](例如从 suid root 文件调用)来验证与当前用户不同的用户。当前用户密码是通过帮助程序 unix_chkpwd 进行验证的——这就是您正在观察的情况。
所以我想说,任何直接从 PHP 脚本使用 PAM (pam_unix.so) 的尝试都是注定要失败的。
如果您必须检查 /etc/shadow 密码,那么我会尝试通过配置为使用影子密码数据库/PAM 的 saslauthd 守护进程。在大多数情况下,设置很简单,但请查看 saslauth 套接字的文件和目录访问权限(位于 /var/run 中的某个位置)。
在 PHP 中,您可以使用 此模块 或使用用户名和密码参数调用 testaslauthd 可执行文件并检查其返回代码。
[1] 好吧,影子小组可能就足够了。
PAM module pam_unix.so requires root access[1] (such as call from suid root file) to authenticate users different than current user. Current user password is verified with helper program unix_chkpwd -- it's situation you are observing.
So I would say any attempt to use PAM (pam_unix.so) directly from PHP script are doomed.
If you have to check /etc/shadow passwords then I would try to get trough saslauthd daemon configured to use shadow password database/PAM. Setup is trivial in most cases, but look at file and directory access perms of saslauth socket (somewhere in /var/run).
In PHP you can use this module or call testsaslauthd executable with user and password parameters and check it's return code.
[1] OK, shadow group probably would suffice.
使用完整的
pam_auth()调用允许您使用解决整个影子问题的选项,只要您只使用最基本的功能:关闭其余的帐户检查并使其执行简单的密码验证。
Using the full
pam_auth()call allows you to use options that get around the whole shadow issue, so long as you only use the most basic functionality:turns off the rest of the account checks and makes it do simple password validation.