Browse Source

[mod_authn_pam] mod_auth PAM support (fixes #688)

x-ref:
  "auth via pam"
  https://redmine.lighttpd.net/issues/688
personal/stbuehler/fix-fdevent
Glenn Strauss 3 years ago
parent
commit
df4812ec2e
  1. 9
      SConstruct
  2. 28
      configure.ac
  3. 5
      meson_options.txt
  4. 15
      src/CMakeLists.txt
  5. 11
      src/Makefile.am
  6. 3
      src/SConscript
  7. 21
      src/meson.build
  8. 185
      src/mod_authn_pam.c
  9. 5
      src/server.c

9
SConstruct

@ -330,6 +330,7 @@ if 1:
LIBLUA = '',
LIBMEMCACHED = '',
LIBMYSQL = '',
LIBPAM = '',
LIBPCRE = '',
LIBPGSQL = '',
LIBSASL = '',
@ -580,6 +581,14 @@ if 1:
LIBCRYPTO = 'crypto',
)
if env['with_pam']:
if not autoconf.CheckLibWithHeader('pam', 'security/pam_appl.h', 'C'):
fail("Couldn't find pam")
autoconf.env.Append(
CPPFLAGS = [ '-DHAVE_PAM' ],
LIBPAM = 'pam',
)
if env['with_pcre']:
pcre_config = autoconf.checkProgram('pcre', 'pcre-config')
if not autoconf.CheckParseConfigForLib('LIBPCRE', pcre_config + ' --cflags --libs'):

28
configure.ac

@ -425,6 +425,31 @@ if test "$WITH_LDAP" != no; then
fi
AM_CONDITIONAL([BUILD_WITH_LDAP], [test "$WITH_LDAP" != no])
dnl Check for PAM
AC_MSG_NOTICE([----------------------------------------])
AC_MSG_CHECKING(for PAM support)
AC_ARG_WITH([pam],
[AC_HELP_STRING([--with-pam],[enable PAM support])],
[WITH_PAM=$withval],
[WITH_PAM=no]
)
AC_MSG_RESULT([$withval])
if test "$WITH_PAM" != "no"; then
AC_CHECK_LIB([pam], [pam_start],
[AC_CHECK_HEADERS([security/pam_appl.h],[
PAM_LIB=-lpam
AC_DEFINE([HAVE_PAM], [1], [libpam])
AC_DEFINE([HAVE_SECURITY_PAM_APPL_H], [1])
],
[AC_MSG_ERROR([pam headers not found, install them or build without --with-pam])]
)],
[AC_MSG_ERROR([pam library not found, install it or build without --with-pam])]
)
AC_SUBST(PAM_LIB)
fi
AM_CONDITIONAL([BUILD_WITH_PAM], [test "$WITH_PAM" != no])
dnl Check for xattr
AC_MSG_NOTICE([----------------------------------------])
AC_MSG_CHECKING([for extended attributes support])
@ -1389,6 +1414,9 @@ lighty_track_feature "kerberos" "mod_authn_gssapi" \
lighty_track_feature "ldap" "mod_authn_ldap mod_vhostdb_ldap" \
'test "$WITH_LDAP" != no'
lighty_track_feature "pam" "mod_authn_pam" \
'test "$WITH_PAM" != no'
lighty_track_feature "network-openssl" "mod_openssl" \
'test "$WITH_OPENSSL" != no'

5
meson_options.txt

@ -63,6 +63,11 @@ option('with_openssl',
value: false,
description: 'with openssl-support [default: off]',
)
option('with_pam',
type: 'boolean',
value: false,
description: 'with PAM-support for mod_auth [default: off]',
)
option('with_pcre',
type: 'boolean',
value: true,

15
src/CMakeLists.txt

@ -25,6 +25,7 @@ option(WITH_BZIP "with bzip2-support for mod_compress [default: off]")
option(WITH_ZLIB "with deflate-support for mod_compress [default: on]" ON)
option(WITH_KRB5 "with Kerberos5-support for mod_auth [default: off]")
option(WITH_LDAP "with LDAP-support for mod_auth mod_vhostdb_ldap [default: off]")
option(WITH_PAM "with PAM-support for mod_auth [default: off]")
option(WITH_LUA "with lua 5.1 for mod_magnet [default: off]")
# option(WITH_VALGRIND "with internal support for valgrind [default: off]")
option(WITH_FAM "fam/gamin for reducing number of stat() calls [default: off]")
@ -469,6 +470,14 @@ else()
unset(HAVE_LIBLBER)
endif()
if(WITH_PAM)
check_include_files(security/pam_appl.h HAVE_SECURITY_PAM_APPL_H)
check_library_exists(pam pam_start "" HAVE_PAM)
else()
unset(HAVE_SECURITY_PAM_APPL_H)
unset(HAVE_PAM)
endif()
if(WITH_LUA)
pkg_search_module(LUA REQUIRED lua5.3 lua-5.3 lua5.2 lua-5.2 lua5.1 lua-5.1 lua)
message(STATUS "found lua at: INCDIR: ${LUA_INCLUDE_DIRS} LIBDIR: ${LUA_LIBRARY_DIRS} LDFLAGS: ${LUA_LDFLAGS} CFLAGS: ${LUA_CFLAGS}")
@ -790,6 +799,12 @@ if(WITH_LDAP)
target_link_libraries(mod_vhostdb_ldap ${L_MOD_AUTHN_LDAP})
endif()
if(WITH_PAM)
add_and_install_library(mod_authn_pam "mod_authn_pam.c")
set(L_MOD_AUTHN_PAM ${L_MOD_AUTHN_PAM} pam)
target_link_libraries(mod_authn_pam ${L_MOD_AUTHN_PAM})
endif()
if(WITH_SASL)
add_and_install_library(mod_authn_sasl "mod_authn_sasl.c")
set(L_MOD_AUTHN_SASL ${L_MOD_AUTHN_SASL} sasl2)

11
src/Makefile.am

@ -342,6 +342,13 @@ mod_authn_ldap_la_LDFLAGS = $(common_module_ldflags)
mod_authn_ldap_la_LIBADD = $(LDAP_LIB) $(LBER_LIB) $(common_libadd)
endif
if BUILD_WITH_PAM
lib_LTLIBRARIES += mod_authn_pam.la
mod_authn_pam_la_SOURCES = mod_authn_pam.c
mod_authn_pam_la_LDFLAGS = $(common_module_ldflags)
mod_authn_pam_la_LIBADD = $(PAM_LIB) $(common_libadd)
endif
if BUILD_WITH_MYSQL
lib_LTLIBRARIES += mod_authn_mysql.la
mod_authn_mysql_la_SOURCES = mod_authn_mysql.c
@ -483,6 +490,10 @@ if BUILD_WITH_LDAP
lighttpd_SOURCES += mod_authn_ldap.c mod_vhostdb_ldap.c
lighttpd_LDADD += $(LDAP_LIB) $(LBER_LIB)
endif
if BUILD_WITH_PAM
lighttpd_SOURCES += mod_authn_pam.c
lighttpd_LDADD += $(PAM_LIB)
endif
if BUILD_WITH_MYSQL
lighttpd_SOURCES += mod_authn_mysql.c mod_mysql_vhost.c mod_vhostdb_mysql.c
lighttpd_CPPFLAGS += $(MYSQL_INCLUDE)

3
src/SConscript

@ -148,6 +148,9 @@ if env['with_lua']:
'lib' : [ env['LIBMEMCACHED'], env['LIBLUA'] ]
}
if env['with_pam']:
modules['mod_authn_pam'] = { 'src' : [ 'mod_authn_pam.c' ], 'lib' : [ env['LIBPAM'] ] }
if env['with_pcre'] and (env['with_memcached'] or env['with_gdbm']):
modules['mod_trigger_b4_dl'] = { 'src' : [ 'mod_trigger_b4_dl.c' ], 'lib' : [ env['LIBPCRE'], env['LIBMEMCACHED'], env['LIBGDBM'] ] }

21
src/meson.build

@ -316,6 +316,21 @@ if get_option('with_ldap')
conf_data.set('HAVE_LIBLBER', true)
endif
libpam = []
if get_option('with_pam')
libpam = [ compiler.find_library('pam') ]
if not(compiler.has_function('pam_start',
args: defs,
dependencies: libpam,
prefix: '''
#include <security/pam_appl.h>
'''
))
error('Couldn\'t find security/pam_appl.h or pam_start in lib libpam')
endif
conf_data.set('HAVE_PAM', true)
endif
libev = []
if get_option('with_libev')
libev = dependency('ev', required: false)
@ -838,6 +853,12 @@ if get_option('with_openssl')
]
endif
if get_option('with_pam')
modules += [
[ 'mod_authn_pam', [ 'mod_authn_pam.c' ], libpam ],
]
endif
if get_option('with_sasl')
modules += [
[ 'mod_authn_sasl', [ 'mod_authn_sasl.c' ], libsasl2 ],

185
src/mod_authn_pam.c

@ -0,0 +1,185 @@
#include "first.h"
/* mod_authn_pam
*
* FUTURE POTENTIAL PERFORMANCE ENHANCEMENTS:
* - database response is not cached
* TODO: db response caching (for limited time) to reduce load on db
* (only cache successful logins to prevent cache bloat?)
* (or limit number of entries (size) of cache)
* (maybe have negative cache (limited size) of names not found in database)
* - database query is synchronous and blocks waiting for response
*/
#include <security/pam_appl.h>
#include "base.h"
#include "http_auth.h"
#include "log.h"
#include "plugin.h"
#include <stdlib.h>
#include <string.h>
typedef struct {
array *opts;
const char *service;
} plugin_config;
typedef struct {
PLUGIN_DATA;
plugin_config **config_storage;
plugin_config conf;
} plugin_data;
static handler_t mod_authn_pam_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw);
INIT_FUNC(mod_authn_pam_init) {
static http_auth_backend_t http_auth_backend_pam =
{ "pam", mod_authn_pam_basic, NULL, NULL };
plugin_data *p = calloc(1, sizeof(*p));
/* register http_auth_backend_pam */
http_auth_backend_pam.p_d = p;
http_auth_backend_set(&http_auth_backend_pam);
return p;
}
FREE_FUNC(mod_authn_pam_free) {
plugin_data *p = p_d;
if (!p) return HANDLER_GO_ON;
if (p->config_storage) {
for (size_t i = 0; i < srv->config_context->used; ++i) {
plugin_config *s = p->config_storage[i];
if (NULL == s) continue;
array_free(s->opts);
free(s);
}
free(p->config_storage);
}
free(p);
UNUSED(srv);
return HANDLER_GO_ON;
}
SETDEFAULTS_FUNC(mod_authn_pam_set_defaults) {
plugin_data *p = p_d;
config_values_t cv[] = {
{ "auth.backend.pam.opts", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION },
{ NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
};
p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *));
for (size_t i = 0; i < srv->config_context->used; ++i) {
data_config const *config = (data_config const*)srv->config_context->data[i];
data_string *ds;
plugin_config *s = calloc(1, sizeof(plugin_config));
s->opts = array_init();
cv[0].destination = s->opts;
p->config_storage[i] = s;
if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
return HANDLER_ERROR;
}
if (0 == s->opts->used) continue;
ds = (data_string *)
array_get_element_klen(s->opts, CONST_STR_LEN("service"));
s->service = (NULL != ds) ? ds->value->ptr : "http";
}
if (p->config_storage[0]->service == NULL)
p->config_storage[0]->service = "http";
return HANDLER_GO_ON;
}
#define PATCH(x) \
p->conf.x = s->x;
static int mod_authn_pam_patch_connection(server *srv, connection *con, plugin_data *p) {
plugin_config *s = p->config_storage[0];
PATCH(service);
/* skip the first, the global context */
for (size_t i = 1; i < srv->config_context->used; ++i) {
data_config *dc = (data_config *)srv->config_context->data[i];
/* condition didn't match */
if (!config_check_cond(srv, con, dc)) continue;
/* merge config */
s = p->config_storage[i];
for (size_t j = 0; j < dc->value->used; ++j) {
data_unset *du = dc->value->data[j];
if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.pam.opts"))) {
PATCH(service);
}
}
}
return 0;
}
#undef PATCH
static int mod_authn_pam_fn_conv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr) {
const char * const pw = (char *)appdata_ptr;
struct pam_response * const pr = *resp =
(struct pam_response *)malloc(num_msg * sizeof(struct pam_response));
for (int i = 0; i < num_msg; ++i) {
const int style = msg[i]->msg_style;
pr[i].resp_retcode = 0;
pr[i].resp = (style==PAM_PROMPT_ECHO_OFF || style==PAM_PROMPT_ECHO_ON)
? strdup(pw)
: NULL;
}
return PAM_SUCCESS;
}
static handler_t mod_authn_pam_query(server *srv, connection *con, void *p_d, const buffer *username, const char *realm, const char *pw) {
plugin_data *p = (plugin_data *)p_d;
pam_handle_t *pamh = NULL;
struct pam_conv conv = { mod_authn_pam_fn_conv, NULL };
const int flags = PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK;
int rc;
UNUSED(realm);
*(const char **)&conv.appdata_ptr = pw; /*(cast away const)*/
mod_authn_pam_patch_connection(srv, con, p);
rc = pam_start(p->conf.service, username->ptr, &conv, &pamh);
if (PAM_SUCCESS != rc
|| PAM_SUCCESS !=(rc = pam_set_item(pamh,PAM_RHOST,con->dst_addr_buf->ptr))
|| PAM_SUCCESS !=(rc = pam_authenticate(pamh, flags))
|| PAM_SUCCESS !=(rc = pam_acct_mgmt(pamh, flags)))
log_error_write(srv, __FILE__, __LINE__, "ss",
"pam:", pam_strerror(pamh, rc));
pam_end(pamh, rc);
return (PAM_SUCCESS == rc) ? HANDLER_GO_ON : HANDLER_ERROR;
}
static handler_t mod_authn_pam_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw) {
char *realm = require->realm->ptr;
handler_t rc = mod_authn_pam_query(srv, con, p_d, username, realm, pw);
if (HANDLER_GO_ON != rc) return rc;
return http_auth_match_rules(require, username->ptr, NULL, NULL)
? HANDLER_GO_ON /* access granted */
: HANDLER_ERROR;
}
int mod_authn_pam_plugin_init(plugin *p);
int mod_authn_pam_plugin_init(plugin *p) {
p->version = LIGHTTPD_VERSION_ID;
p->name = buffer_init_string("authn_pam");
p->data = NULL;
p->init = mod_authn_pam_init;
p->cleanup = mod_authn_pam_free;
p->set_defaults= mod_authn_pam_set_defaults;
return 0;
}

5
src/server.c

@ -588,6 +588,11 @@ static void show_features (void) {
#else
"\t- LDAP support\n"
#endif
#ifdef HAVE_PAM
"\t+ PAM support\n"
#else
"\t- PAM support\n"
#endif
#ifdef USE_MEMCACHED
"\t+ memcached support\n"
#else

Loading…
Cancel
Save