auth_request vs auth_pam_service_name

Sergio Talens-Oliag sto at iti.upv.es
Tue Jan 13 08:40:21 UTC 2015


El Mon, Jan 12, 2015 at 04:56:01PM -0500, nginxuser100 va escriure:
> Hi, I am a newbie at nginx and looking at its authentication capabilities.
> It appears that when using auth_request, every client request would still
> require an invokation to the auth_request fastcgi or proxy_pass server.
> Looking at auth_pam, I am not clear on how it works:
> 
> 1. How does nginx pass the user credentials to the PAM module?

It gets them from the HTTP Basic Auth header and calls the PAM functions to
pass them to the underlying modules in a non interactive mode.

> 2. Would nginx remember that a user has been authenticated? Perhaps via a
> cookie that'd be returned by PAM? I looked at the nginx pam source code and
> didn't see it returning any cookie to nginx ... perhaps PAM does it by
> storing it on some context that's returned to NGINX?

When using HTTP Basic Auth the server does not remember users and passwords,
usually the client does and the user and password are checked on each
request... depending on the PAM modules you use they can do some caching,
though.

> 3. Is the auth_pam directive mandatory? When I used it with 
> locate /
> {
>   auth_pam "Login Banner"; 
>   auth_required_service_name "nginx"; 
> } 

if you want to use auth_pam you have to use the directive

> where the PAM nginx file had 'auth required pam_unix.so"
> a user/password login page popped up. But even after I entered a valid
> user/pwd and hit <cr>, the same login page would pop up again, prompting for
> a user/pwd. I got the same behavior even after removing the
> auth_required_service_name statement. 
> Can someone explain the behavior I experienced?

Yes, your problem is that the web server can't validate the users using
pam_unix.so; quoting the ngx_http_auth_pam_module README:

  Note that the module runs as the web server user, so the PAM modules used
  must be able to authenticate the users without being root; that means that
  if you want to use the pam_unix.so module to autenticate users you need to
  let the web server user to read the /etc/shadow file if that does not scare
  you (on Debian like systems you can add the www-data user to the shadow
  group).

I don't recomend you to let the webserver to read your shadow file, but that
is your call (I usually use PAM to validate against LDAP or user databases
that don't need root access)

> 4. Is there a way for us to provide our own Login html page to the user? If
> yes, how do we do it and how would we pass the credentials to NGINX?

It depends on your application and the method you plan to use, nothing NGINX
specific here, HTTP Basic Auth is really basic, you should use other
authentication mechanisms if you want something more powerful (on NGINX you
can look into the Pubcookie module or implementing something using the Lua
Module)

> 5. NGINX chooses the authentication method (local vs ldap vs rsa etc) based
> on the server/uri. For example, /www.example.org users would be
> authenticated via LDAP: location /example { auth_pam_service_name "authFile"
> } and the authFile would contains "auth required ldap.so"
> 
> Is there a way to configure nginx to base the authentication method on some
> user configuration outside of nginx?

If you want to handle HTTP basic auth with NGINX you have to configure it on
the level you want (i. e. you can use a global auth method for a server and
disable or change it on specific locations) or you can authenticate at the
application level (not using nignx modules).

That beeing said, you can implement a flexible authentication method with the
PAM module using the pam_exec module and passing variables to it:

  http://web.iti.upv.es/~sto/nginx/ngx_http_auth_pam_module-1.3/README.html#pam_environment

But that probably is not really a good idea for production environments (PAM
is blocking and pam_exec.so can be dangerous and resource intensive, as it
forks a process for each authentication request); if you want to do somenthing
equivalent I'll rather do it using the auth_request module:

  http://nginx.org/en/docs/http/ngx_http_auth_request_module.html

and an authentication web app that behaves as you want with the parameters you
pass to it (i.e. it uses a different AUTH schema depending on the URL you are
trying to validate and implements some kind of catching).

> Thank you for any clarifications!

You're welcome, hope it helps.

Greetings,

  Sergio.

-- 
Sergio Talens-Oliag <sto at iti.es>               <http://www.iti.es/>
Key fingerprint = FF77 A16B 9D09 FC7B 6656 CFAD 261D E19A 578A 36F2
El Mon, Jan 12, 2015 at 04:56:01PM -0500, nginxuser100 va escriure:
> Hi, I am a newbie at nginx and looking at its authentication capabilities.
> It appears that when using auth_request, every client request would still
> require an invokation to the auth_request fastcgi or proxy_pass server.
> Looking at auth_pam, I am not clear on how it works:
> 
> 1. How does nginx pass the user credentials to the PAM module?
> 
> 2. Would nginx remember that a user has been authenticated? Perhaps via a
> cookie that'd be returned by PAM? I looked at the nginx pam source code and
> didn't see it returning any cookie to nginx ... perhaps PAM does it by
> storing it on some context that's returned to NGINX?
> 
> 3. Is the auth_pam directive mandatory? When I used it with 
> locate /
> {
>   auth_pam "Login Banner"; 
>   auth_required_service_name "nginx"; 
> } 
> where the PAM nginx file had 'auth required pam_unix.so"
> a user/password login page popped up. But even after I entered a valid
> user/pwd and hit <cr>, the same login page would pop up again, prompting for
> a user/pwd. I got the same behavior even after removing the
> auth_required_service_name statement. 
> Can someone explain the behavior I experienced?
> 
> 4. Is there a way for us to provide our own Login html page to the user? If
> yes, how do we do it and how would we pass the credentials to NGINX?
> 
> 5. NGINX chooses the authentication method (local vs ldap vs rsa etc) based
> on the server/uri. For example, /www.example.org users would be
> authenticated via LDAP: location /example { auth_pam_service_name "authFile"
> } and the authFile would contains "auth required ldap.so"
> 
> Is there a way to configure nginx to base the authentication method on some
> user configuration outside of nginx?
> 
> Thank you for any clarifications!
> 
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,256075,256075#msg-256075
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
> 

-- 
Sergio Talens-Oliag <sto at iti.es>               <http://www.iti.es/>
Key fingerprint = FF77 A16B 9D09 FC7B 6656 CFAD 261D E19A 578A 36F2



More information about the nginx mailing list