pam_unix.so and unix_chkpw setgid - does it work for regular users?

Wolfgang Draxinger Wolfgang.Draxinger at physik.uni-muenchen.de
Thu Aug 2 22:47:47 UTC 2012


On Thu, 2 Aug 2012 22:33:13 +0530
Arpit Tolani <arpittolani at gmail.com> wrote:

> Why are you using pam authentication for web server?

Well, because regular users on the system shall be able to access
certain private areas of the HTTP tree.

> Using PAM authentication with apache/nginx is a very bad idea. Here
> are some reasons :
> 
> * The Web technology provides no governors on how often or how rapidly
> password (authentication failure) retries can be made. That means that
> someone can hammer away at your system's root password using the Web,
> using a dictionary or similar mass attack, just as fast as the wire
> and your server can handle the requests.

In this case the pam service configuration has a rule added that only
users within a certain group are able to use this at all; root is not
in that group of course. So this limits potential dictionary attacks to
said users. Add to this a fail2ban ruleset, that will disallow access
to the server from the originating IP after a number of failed login
attempts.

> * Web authentication passwords (at least for Basic authentication)
> generally fly across the wire, and through intermediate proxy systems,
> in what amounts to plain text. "O'er the net we go/Caching all the
> way;/O what fun it is to surf/Giving my password away!"

That server is TLS only. No plaintext goes over the wire, and caching
is mutually exclusive with TLS (a proxy is a MitM, from a cryptography
point of view).

> A possible solution for you will be to add all your users in LDAP and
> use LDAP auth instead. Benefits of using LDAP auth are
> 
> - All apache servers can access LDAP server & create a centralized
> authentication setup.

And the benefit of this is? OpenLDAP is a heavyweight beast, and the
password would still go over the wire for basic auth.

> - You can configure LDAP on secure port and all data transfer will be
> done on SSL

Well, that would not be very helpful if the server frontend was
still plaintext HTTP.


Wolfgang
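The group restriction and fail2ban pairing described in the reply above, written out as an added illustration that is not part of the original thread. The PAM service name `httpd-auth`, the group name `webauth` and the log path are assumptions; `pam_succeed_if.so` and fail2ban's stock `apache-auth` filter are real components.

```text
# /etc/pam.d/httpd-auth  (assumed service name, the one the web server's
# PAM auth module is told to use). The first line is "requisite": a user
# outside group "webauth" fails immediately and pam_unix.so is never
# consulted, so no password comparison happens for root or any other
# non-member. root is deliberately kept out of that group.
auth     requisite  pam_succeed_if.so user ingroup webauth quiet
auth     required   pam_unix.so
account  required   pam_succeed_if.so user ingroup webauth quiet
account  required   pam_unix.so

# /etc/fail2ban/jail.local (excerpt): after maxretry HTTP authentication
# failures from one source address, that address is banned for bantime
# seconds. Only the TLS port is exposed, so only it is listed.
[apache-auth]
enabled  = true
port     = https
logpath  = /var/log/apache2/error.log   # assumed path; adjust to the server
maxretry = 5
bantime  = 3600
```

With this layout the attack surface for online guessing is limited to the members of `webauth`, and fail2ban throttles even those attempts per source address.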