Apache httpd : Basic Auth + PAM2022/03/16 |
Configure [mod_authnz_pam] to use OS users on httpd Basic authentication. | |
| [1] | Username and password are sent with plain text on Basic Authentication, so Use secure connection with SSL/TLS setting, refer to here. |
| [2] | Install [mod_authnz_pam]. |
[root@www ~]# dnf -y install mod_authnz_pam [root@www ~]# vi /etc/httpd/conf.modules.d/55-authnz_pam.conf # uncomment LoadModule authnz_pam_module modules/mod_authnz_pam.so systemctl restart httpd |
| [3] | Configure Basic authentication + PAM. For example, set Basic Authentication to the directory [/var/www/html/auth-pam]. |
[root@www ~]# vi /etc/httpd/conf.d/authnz_pam.conf # add to the end <Directory "/var/www/html/auth-pam">
SSLRequireSSL
AuthType Basic
AuthName "PAM Authentication"
AuthBasicProvider PAM
AuthPAMService httpd-auth
Require valid-user
</Directory>
[root@www ~]# vi /etc/pam.d/httpd-auth # create new auth required pam_listfile.so item=user sense=deny file=/etc/httpd/conf.d/denyusers onerr=succeed auth include system-auth account include system-auth [root@www ~]# vi /etc/httpd/conf.d/denyusers # create new # write users you'd like to prohibit authentication by this setting root user01 user02 [root@www ~]# chgrp apache /etc/httpd/conf.d/denyusers [root@www ~]# chmod 640 /etc/httpd/conf.d/denyusers # change permission httpd can read shadow [root@www ~]# chgrp apache /etc/shadow [root@www ~]# chmod 440 /etc/shadow [root@www ~]# systemctl reload httpd # create a test page [root@www ~]# mkdir /var/www/html/auth-pam [root@www ~]# vi /var/www/html/auth-pam/index.html <html> <body> <div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;"> Test Page for PAM Authentication </div> </body> </html> |
| [4] | If SELinux is enabled, change policy like follows. |
| [root@www ~]# setsebool -P httpd_mod_auth_pam on |
| [5] | Access to the test page from any client computer with web browser. Then authentication is required as settings, answer with any OS user. |
 |
| [6] | That's OK if authentication is successfully passed and test page is displayed normally. |
 |
No comments:
Post a Comment