kerberos and mod_auth_pam and apache

Lars nospam at nospam.net
Tue Oct 1 13:50:38 EDT 2002


I'd like to kerberize logins to a https server.
How can I use mod_auth_pam to authenticate against kerberos without
requiring any client side changes?

Perhaps, this is the wrong way to do provide web authentication and if I
am barking up the wrong tree, point out the right one.

For a control case, I've gotten mod_auth_pam to work with the regular
unix login, but only after (briefly) changing the shadow password file
permissions to 644. The work-around I'd prefer to avoid is running httpd
as root.

But changing the pam configuration for httpd, I've run up against some
problems.  When I try to authenticate, I get the error:

	The server requested a login authentication method
	that is not supported.

The apache error log shows

	[error] (13)Permission denied: access to /foo/index.en.html
	failed for 10.0.0.3, reason: Authentication service cannot
	retrieve authentication info.

My pam configuration for httpd is:

	auth       required     /lib/security/pam_nologin.so
	auth       required     /lib/security/pam_krb5.so use_first_pass

	account    required     /lib/security/pam_unix.so

Any help gratefully accepted
-Lars




More information about the Kerberos mailing list