[Pkg-freeipa-devel] [Git][freeipa-team/mod-authnz-pam][upstream] 14 commits: Support building in copr using make srpm.
Timo Aaltonen
gitlab at salsa.debian.org
Thu Nov 12 11:15:02 GMT 2020
Timo Aaltonen pushed to branch upstream at FreeIPA packaging / mod-authnz-pam
Commits:
67174cff by Jan Pazdziora at 2018-08-01T12:11:49+02:00
Support building in copr using make srpm.
- - - - -
daa6dbed by Jan Pazdziora at 2018-08-01T12:33:41+02:00
Promote https: scheme.
- - - - -
60077456 by Peter Oliver at 2018-12-03T11:44:04+01:00
Document new name for allow_httpd_mod_auth_pam SELinux boolean
This is named `httpd_mod_auth_pam` in RHEL 7.
- - - - -
a7c12875 by Jan Pazdziora at 2018-12-03T11:48:40+01:00
Test on the latest released (and tagged) Fedora, whichever it is.
- - - - -
656a3725 by Jan Pazdziora at 2019-03-01T11:00:38+01:00
Fedora rawhide is not stable.
Workaround
Public key for rpm-build-4.14.2.1-4.fc30.1.x86_64.rpm is not installed. Failing package is: rpm-build-4.14.2.1-4.fc30.1.x86_64
GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-31-x86_64
- - - - -
a61b4a54 by Jan Pazdziora at 2019-03-15T18:12:05+01:00
Revert "Fedora rawhide is not stable."
This reverts commit 656a372582b75014209e5fd68d40ca5403f4e7d2
since Fedora rawhide is usable again.
- - - - -
0a0cd57d by Jan Pazdziora at 2020-01-09T09:08:26+01:00
Signal success in the output, not just with exit status.
- - - - -
ca023ee5 by Jan Pazdziora at 2020-01-09T09:22:16+01:00
Add testing on CentOS 8.
- - - - -
1ba8c3bc by Jan Pazdziora at 2020-01-09T09:34:36+01:00
Allow easy rerunning tests/run.sh multiple times.
- - - - -
3f25ee81 by Jan Pazdziora at 2020-03-19T08:44:24+01:00
Related to 1760300 - move to Bionic where libseccomp handles statx.
Addressing
stat: cannot statx '/root/rpmbuild/BUILDROOT/mod_authnz_pam-1.2.0-1.fc33.localbuild.x86_64/usr/lib64/httpd/modules/mod_authnz_pam.so': Operation not permitted
- - - - -
a9b23ffa by Jake Chen at 2020-07-08T23:14:59+02:00
Harden the test, show that auth is not enough and that account is run.
- - - - -
622996a9 by Jake Chen at 2020-07-08T23:20:09+02:00
Store password to cache only after passing all PAM checks, including account.
- - - - -
025f62ad by Jan Pazdziora at 2020-07-09T16:19:25+02:00
Clarify account behaviour with AuthBasicProvider and interaction with Require pam-account.
- - - - -
093e1902 by Jan Pazdziora at 2020-07-09T16:36:58+02:00
Tagging 1.2.1 release.
- - - - -
9 changed files:
- + .copr/Makefile
- .travis.yml
- README
- mod_authnz_pam.c
- mod_authnz_pam.spec
- tests/auth.conf
- tests/config.sh
- tests/pam-exec
- tests/run.sh
Changes:
=====================================
.copr/Makefile
=====================================
@@ -0,0 +1,22 @@
+
+PACKAGE := mod_authnz_pam
+
+outdir := $(CURDIR)
+spec := $(PACKAGE).spec
+
+spec_dir := .
+ifeq ($(shell test -d $(spec) && echo true),true)
+ spec_dir = $(spec)
+ spec_file = $(spec)/$(PACKAGE).spec
+else
+ spec_dir = $(dir $(spec))
+ spec_file = $(spec)
+endif
+
+VERSION := $(shell rpm -q --qf '%{name}-%{version}\n' --specfile mod_authnz_pam.spec 2> /dev/null | head -1)
+
+srpm:
+ cd $(spec_dir) && mkdir -p .source/$(VERSION) && cp -rp * .source/$(VERSION) && cd .source && tar cvzf $(VERSION).tar.gz $(VERSION)
+ cd $(spec_dir) && rpmbuild -D '_srcrpmdir $(outdir)' -D '_sourcedir .source' -bs $(spec_file)
+ cd $(spec_dir) && rm -rf .source
+
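Review bot: the source tarball is built from whatever happens to be in the working tree (`cp -rp * .source/$(VERSION)`), so an SRPM produced this way picks up untracked files and build leftovers and is not reproducible from a tag; prefer `git archive --prefix=$(VERSION)/ -o .source/$(VERSION).tar.gz HEAD`, which also makes the `mkdir -p`/`cp`/`tar` sequence unnecessary. Two smaller points in the same hunk: `VERSION` hardcodes `mod_authnz_pam.spec` and runs in `$(CURDIR)`, while the `spec_dir`/`spec_file` logic above it is written to support a spec living in a subdirectory, so the two code paths disagree for that layout (use `$(spec_file)` from `$(spec_dir)`); and `rm -rf .source` only runs on success, so a stale `.source` from an aborted build is silently included in the next tarball. Clearing `.source` before the `mkdir -p`, or using `git archive`, fixes that.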
=====================================
.travis.yml
=====================================
@@ -1,5 +1,5 @@
language: generic
-
+dist: bionic
sudo: required
services:
@@ -15,7 +15,9 @@ matrix:
- stage: build-and-test
env: fedora=rawhide
- stage: build-and-test
- env: fedora=28
+ env: fedora=latest
+ - stage: build-and-test
+ env: centos=8
- stage: build-and-test
env: centos=centos7
- stage: build-and-test
=====================================
README
=====================================
@@ -68,6 +68,31 @@ tlwiki example, file /etc/pam.d/tlwiki could be created with content
to authenticate against sssd.
+As part of the Basic Authentication operation, both PAM authentication
+and PAM account verification (auth and account in PAM service
+configuration) are run. This is to ensure that the HTTP status 401
+is returned when the user is not permitted to log in, allowing fallback
+to different authentication mechanism. That also means that for the
+above example
+
+ AuthBasicProvider PAM
+ AuthPAMService tlwiki
+
+it is not necessary to use
+
+ Require pam-account tlwiki
+
+and
+
+ Require valid-user
+
+is enough because the account verification will be run as part of the
+HTTP authentication. In fact, using Require pam-account with the same
+PAM service name will cause the account PAM checks to be run twice.
+On the other hand, it is possible to configure Require pam-account
+with different PAM service name than the AuthPAMService value and get
+two separate account PAM checks during the Basic Authentication.
+
Handling expired password:
AuthPAMExpiredRedirect <URL>
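Review bot: the new paragraph describes the uncached path only. When the provider is fronted by mod_authn_socache (`AuthBasicProvider socache PAM`, the configuration the tests exercise), a cache hit is served without calling PAM at all, so neither the auth nor the account step is re-run until the entry expires, and a user whose account step starts failing keeps access for the cache lifetime; the mod_authnz_pam.c change in this push only guarantees the entry is not created before account has passed. One sentence saying so here, next to the explanation of why account is run at all, would save operators from assuming revocation is immediate. Minor: "allowing fallback to different authentication mechanism" wants an article ("to a different authentication mechanism").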
@@ -94,10 +119,10 @@ For example for FreeIPA 4.1+, the value can actually be
SELinux:
-On SELinux enabled systems, boolean allow_httpd_mod_auth_pam needs to
+On SELinux enabled systems, boolean httpd_mod_auth_pam needs to
be enabled:
- setsebool -P allow_httpd_mod_auth_pam 1
+ setsebool -P httpd_mod_auth_pam 1
Building from sources
---------------------
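Review bot: the old boolean name is replaced rather than kept as an alternative, but the commit message only establishes that RHEL 7 calls it `httpd_mod_auth_pam`; on a system with the older policy the documented `setsebool -P httpd_mod_auth_pam 1` fails with an unknown-boolean error and gives no hint what to try. Suggest keeping one line naming the former `allow_httpd_mod_auth_pam` for older policies, or telling the reader to discover the local name with `getsebool -a | grep mod_auth_pam`.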
@@ -111,7 +136,7 @@ should build and install the module.
License
-------
-Copyright 2014--2018 Jan Pazdziora
+Copyright 2014--2020 Jan Pazdziora
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
=====================================
mod_authnz_pam.c
=====================================
@@ -197,11 +197,6 @@ static authn_status pam_authenticate_with_login_password(request_rec * r, const
param = login;
stage = "PAM authentication failed for user";
ret = pam_authenticate(pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK);
-#if AP_MODULE_MAGIC_AT_LEAST(20100625,0)
- if (ret == PAM_SUCCESS) {
- store_password_to_cache(r, login, password);
- }
-#endif
}
if ((ret == PAM_SUCCESS) && (steps & _PAM_STEP_ACCOUNT)) {
param = login;
@@ -232,6 +227,11 @@ static authn_status pam_authenticate_with_login_password(request_rec * r, const
r->user = apr_pstrdup(r->pool, login);
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, SHOW_MODULE "PAM authentication passed for user %s", login);
pam_end(pamh, ret);
+#if AP_MODULE_MAGIC_AT_LEAST(20100625,0)
+ if (steps & _PAM_STEP_AUTH) {
+ store_password_to_cache(r, login, password);
+ }
+#endif
return AUTH_GRANTED;
}
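Review bot: the new guard tests only `steps & _PAM_STEP_AUTH`, so a caller that requests the auth step without the account step (the `steps & _PAM_STEP_ACCOUNT` branch in the hunk above is conditional) would still populate the cache with no account check, which is exactly the class of problem this commit fixes. Either store only when both bits are set (`(steps & _PAM_STEP_AUTH) && (steps & _PAM_STEP_ACCOUNT)`) or state in a comment that the Basic provider always passes both. Placing the store after `pam_end(pamh, ret)` is fine since `store_password_to_cache` takes only `r`, `login` and `password`, but a one-line comment that the cache must be filled only once every requested PAM step has succeeded would keep the next change to the auth branch from moving it back.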
=====================================
mod_authnz_pam.spec
=====================================
@@ -7,12 +7,12 @@
Summary: PAM authorization checker and PAM Basic Authentication provider
Name: mod_authnz_pam
-Version: 1.2.0
+Version: 1.2.1
Release: 1%{?dist}
License: ASL 2.0
Group: System Environment/Daemons
-URL: http://www.adelton.com/apache/mod_authnz_pam/
-Source0: http://www.adelton.com/apache/mod_authnz_pam/%{name}-%{version}.tar.gz
+URL: https://www.adelton.com/apache/mod_authnz_pam/
+Source0: https://www.adelton.com/apache/mod_authnz_pam/%{name}-%{version}.tar.gz
BuildRequires: gcc
BuildRequires: httpd-devel
BuildRequires: pam-devel
@@ -64,6 +64,9 @@ install -Dp -m 0644 authnz_pam.confx $RPM_BUILD_ROOT%{_httpd_confdir}/authnz_pam
%{_httpd_moddir}/*.so
%changelog
+* Thu Jul 09 2020 Jan Pazdziora <jpazdziora at redhat.com> - 1.2.1-1
+- Store password to cache only after passing all PAM checks, including account.
+
* Tue Jul 17 2018 Jan Pazdziora <jpazdziora at redhat.com> - 1.2.0-1
- Add support for mod_authn_socache.
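Review bot: the changelog entry reads like a refactor. Since the previous code wrote the password into the mod_authn_socache cache as soon as `pam_authenticate` succeeded, so a user whose account step would have failed could still be served from cache (the tests/run.sh hunk below adds exactly that regression check), say that plainly here: packagers and operators decide whether to pick up 1.2.1 from this text.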
=====================================
tests/auth.conf
=====================================
@@ -17,3 +17,21 @@ ScriptAlias /authn /var/www/cgi-bin/auth.cgi
AuthPAMService web
Require valid-user
</LocationMatch>
+
+ScriptAlias /authnp /var/www/cgi-bin/auth.cgi
+<LocationMatch ^/authnp>
+ AuthType Basic
+ AuthName "private area"
+ AuthBasicProvider PAM
+ AuthPAMService web
+ Require pam-account web
+</LocationMatch>
+
+ScriptAlias /authnp2 /var/www/cgi-bin/auth.cgi
+<LocationMatch ^/authnp2>
+ AuthType Basic
+ AuthName "private area"
+ AuthBasicProvider PAM
+ AuthPAMService web
+ Require pam-account web2
+</LocationMatch>
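Review bot: `<LocationMatch ^/authnp>` is not anchored at the end, so it also matches /authnp2 and both new blocks apply to that URL; the /authnp2 test only behaves as intended because the later block's `Require pam-account web2` replaces the earlier `Require pam-account web` under the default AuthMerging Off. Anchor the patterns (`^/authnp$`, `^/authnp2$`) so each location gets one deterministic set of directives and the test does not depend on merge order. The same prefix overlap exists between the two ScriptAlias lines, harmlessly since both map to auth.cgi.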
=====================================
tests/config.sh
=====================================
@@ -5,9 +5,12 @@ set -x
sed -i 's/^MaxClients.*/MaxClients 1/' /etc/httpd/conf/httpd.conf
mkdir -p /etc/pam-auth
+mkdir -p /etc/pam-account
+mkdir -p /etc/pam-account2
cp -p tests/auth.cgi /var/www/cgi-bin/auth.cgi
cp -p tests/pam-exec /usr/bin/pam-exec
cp tests/pam-web /etc/pam.d/web
+cp tests/pam-web /etc/pam.d/web2
chmod a+x /var/log/httpd
touch /var/log/httpd/pam_exec.log
chown apache /var/log/httpd/pam_exec.log
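Review bot: tests/pam-exec in this push reads `/etc/pam-auth2/$PAM_USER` for the auth step of the web2 service, but this hunk creates only /etc/pam-account2; either add `mkdir -p /etc/pam-auth2` here or drop the unused web2 auth branch in pam-exec so the fixture and the helper agree. A short comment that web2 is a copy of pam-web existing solely to provide a second `Require pam-account` service would also help the next reader of config.sh.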
=====================================
tests/pam-exec
=====================================
@@ -2,18 +2,16 @@
echo "$0: $PAM_TYPE $PAM_USER"
-if [ "$PAM_TYPE" == 'auth' ] || [ "$PAM_TYPE" == 'account' ] ; then
- PAM_FILE="/etc/pam-auth/$PAM_USER"
+if [ "$PAM_TYPE" == 'auth' ] ; then
+ if [ "$PAM_SERVICE" = 'web2' ] ; then
+ PAM_FILE="/etc/pam-auth2/$PAM_USER"
+ else
+ PAM_FILE="/etc/pam-auth/$PAM_USER"
+ fi
if ! [ -f $PAM_FILE ] ; then
echo "No [$PAM_FILE] for user [$PAM_USER]" >&2
exit 2
fi
- if [ $PAM_TYPE == 'account' ] ; then
- # For account check, existing file is enough to allow access
- echo "$0: account [$PAM_USER] ok"
- exit 0
- fi
-
# For auth, we compare the passwords
read PASSWORD
read CHECK_PASSWORD < $PAM_FILE
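Review bot: `$PAM_FILE` is unquoted in `[ -f $PAM_FILE ]` and `read CHECK_PASSWORD < $PAM_FILE`, and `$PAM_USER` is spliced straight into the path, so a login containing whitespace, a glob character or `..` changes what the helper tests; quote the expansion (`"$PAM_FILE"`) and refuse user names containing `/` or starting with `.`, even in a test fixture, so that a fixture quirk cannot mask a module-side problem. Minor: the hunk mixes `==` and `=` inside `[ ]`; `=` is the portable form.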
@@ -24,5 +22,21 @@ if [ "$PAM_TYPE" == 'auth' ] || [ "$PAM_TYPE" == 'account' ] ; then
echo "Provided password [$PASSWORD] does not match expected [$CHECK_PASSWORD]" >&2
exit 3
fi
+
+if [ "$PAM_TYPE" == 'account' ] ; then
+ if [ "$PAM_SERVICE" = 'web2' ] ; then
+ PAM_FILE="/etc/pam-account2/$PAM_USER"
+ else
+ PAM_FILE="/etc/pam-account/$PAM_USER"
+ fi
+ if ! [ -f $PAM_FILE ] ; then
+ echo "No [$PAM_FILE] for user [$PAM_USER]" >&2
+ exit 2
+ fi
+ # For account check, existing file is enough to allow access
+ echo "$0: account [$PAM_USER] ok"
+ exit 0
+fi
+
echo "Unsupported PAM_TYPE [$PAM_TYPE]" >&2
exit 4
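Review bot: the service-to-directory mapping is now duplicated between the auth and account branches and will drift the next time a service is added; a small helper such as `pam_dir() { case "$PAM_SERVICE" in web2) echo "/etc/pam-${1}2" ;; *) echo "/etc/pam-$1" ;; esac; }` called as `PAM_FILE="$(pam_dir account)/$PAM_USER"` keeps them in step. Both branches also exit 2 for a missing file, so the exit code alone no longer tells auth-denied from account-denied; the run.sh checks distinguish them by the `No [...]` message text, which works but deserves a comment.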
=====================================
tests/run.sh
=====================================
@@ -11,10 +11,21 @@ for i in $( seq 1 10 ) ; do
sleep 3
done
+cp /var/log/httpd/pam_exec.log /var/log/httpd/pam_exec.log.old
+
+function next_log () { set +x
+ tail -c +$(( $( stat -c%s /var/log/httpd/pam_exec.log.old ) + 1 )) /var/log/httpd/pam_exec.log | sed 's/^/:: /'
+ # echo '###' >> /var/log/httpd/pam_exec.log
+ cp /var/log/httpd/pam_exec.log /var/log/httpd/pam_exec.log.old
+ set -x
+}
+
+rm -f /etc/pam-auth/*
+
echo "Testing Require pam-account"
curl -s -D /dev/stdout -o /dev/null http://localhost/authz | tee /dev/stderr | grep 401
curl -u alice:Tajnost -s -D /dev/stdout -o /dev/null http://localhost/authz | tee /dev/stderr | grep 401
-touch /etc/pam-auth/alice
+touch /etc/pam-account/alice
curl -u alice:Tajnost -s http://localhost/authz | tee /dev/stderr | grep 'User alice'
echo "Testing AuthBasicProvider PAM"
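Review bot: `rm -f /etc/pam-auth/*` is the only state reset, but this push also has the tests create /etc/pam-account/alice, /etc/pam-account/bob and /etc/pam-account2/bob, and only pam-account/bob is ever removed (and only inside the socache branch); on a second run the `alice:Tajnost ... grep 401` check just below finds the leftover account file, gets a 200 and fails, which defeats the rerunnability the earlier commit in this push added. Add `rm -f /etc/pam-account/* /etc/pam-account2/*` alongside. Also, `next_log` re-enables `set -x` unconditionally on exit, so it assumes tracing was on when it was called; true here, but worth a comment if the function is reused.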
@@ -23,15 +34,31 @@ curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /
touch /etc/pam-auth/bob
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
echo Secret > /etc/pam-auth/bob
+curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
+next_log > /dev/null
+touch /etc/pam-account/bob
curl -u bob:Secret -s http://localhost/authn | tee /dev/stderr | grep 'User bob'
+next_log | grep 'account .bob. ok' | wc -l | grep '^1$'
+curl -u bob:Secret -s http://localhost/authnp | tee /dev/stderr | grep 'User bob'
+next_log | grep 'account .bob. ok' | wc -l | grep '^2$'
+curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authnp2 | tee /dev/stderr | grep 401
+next_log | grep -E 'account .bob. ok|No ./etc/pam-account2/bob' | uniq | wc -l | grep '^2$'
+touch /etc/pam-account2/bob
+curl -u bob:Secret -s http://localhost/authnp | tee /dev/stderr | grep 'User bob'
+next_log | grep 'account .bob. ok' | wc -l | grep '^2$'
echo Secret2 > /etc/pam-auth/bob
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
if rpm -ql httpd | grep mod_authn_socache ; then
echo "Testing AuthBasicProvider socache PAM + AuthnCacheProvideFor PAM"
+ rm /etc/pam-account/bob
curl -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn-cached | tee /dev/stderr | grep 401
echo Secret > /etc/pam-auth/bob
+ curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn-cached | tee /dev/stderr | grep 401
+ # rerun the same request, verify that passing auth did not store password into cache
+ curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn-cached | tee /dev/stderr | grep 401
+ touch /etc/pam-account/bob
curl -u bob:Secret -s http://localhost/authn-cached | tee /dev/stderr | grep 'User bob'
echo Secret2 > /etc/pam-auth/bob
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
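Review bot: after `touch /etc/pam-account2/bob` the script requests /authnp again and repeats the `^2$` check already made two lines earlier, so the positive case for /authnp2, where the README in this push says two separate account checks (services web and web2) run during one Basic Authentication, is never exercised. Change that URL to http://localhost/authnp2 and keep the `^2$` expectation; with the current line the test would still pass if the web2 account check were silently skipped. The socache block's two consecutive 401 requests with the comment about the cache not being populated are the right regression test for the mod_authnz_pam.c change; consider also asserting via `next_log` that the second request reached PAM (an `account [bob]` denial line appears twice), which proves the miss rather than inferring it from the status code alone.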
@@ -39,3 +66,5 @@ if rpm -ql httpd | grep mod_authn_socache ; then
sleep 11
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn-cached | tee /dev/stderr | grep 401
fi
+
+echo OK $0.
View it on GitLab: https://salsa.debian.org/freeipa-team/mod-authnz-pam/-/compare/708a652a62980fa7e2fba37273d91f1182215bd5...093e19024a069b747734cacb43ae72d23d495d33