AlmaLinux 9
Sponsored Link

Apache httpd : Basic Auth + PAM2023/03/03

 
Configure [mod_authnz_pam] to use OS users on httpd Basic authentication.
[1]
Username and password are sent with plain text on Basic Authentication,
so Use secure connection with SSL/TLS setting, refer to here.
[2] Install [mod_authnz_pam].
[root@www ~]#
dnf -y install mod_authnz_pam
[root@www ~]#
vi /etc/httpd/conf.modules.d/55-authnz_pam.conf
# uncomment

LoadModule authnz_pam_module modules/mod_authnz_pam.so
[root@www ~]#
systemctl restart httpd

[3] Configure Basic authentication + PAM.
For example, set Basic Authentication to the directory [/var/www/html/auth-pam].
[root@www ~]#
vi /etc/httpd/conf.d/authnz_pam.conf
# add to the end

<Directory "/var/www/html/auth-pam">
    SSLRequireSSL
    AuthType Basic
    AuthName "PAM Authentication"
    AuthBasicProvider PAM
    AuthPAMService httpd-auth
    Require valid-user
</Directory>

[root@www ~]#
vi /etc/pam.d/httpd-auth
# create new

auth       required     pam_listfile.so item=user sense=deny file=/etc/httpd/conf.d/denyusers onerr=succeed
auth       include      system-auth
account    include      system-auth

[root@www ~]#
vi /etc/httpd/conf.d/denyusers
# create new
# write users you'd like to prohibit authentication by this setting

root
user01
user02
[root@www ~]#
chgrp apache /etc/httpd/conf.d/denyusers

[root@www ~]#
chmod 640 /etc/httpd/conf.d/denyusers

# change permission httpd can read shadow

[root@www ~]#
chgrp apache /etc/shadow

[root@www ~]#
chmod 440 /etc/shadow

[root@www ~]#
systemctl reload httpd

# create a test page

[root@www ~]#
mkdir /var/www/html/auth-pam

[root@www ~]#
vi /var/www/html/auth-pam/index.html
<html>
<body>
<div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;">
Test Page for PAM Authentication
</div>
</body>
</html>
[4] If SELinux is enabled, change policy like follows.
[root@www ~]#
setsebool -P httpd_mod_auth_pam on

[5] Access to the test page from any client computer with web browser. Then authentication is required as settings, answer with any OS user.
[6] That's OK if authentication is successfully passed and test page is displayed normally.
Matched Content