Re: [opensuse] apache2 authenticate system users and groups
On 15/03/17 23:53, David C. Rankin wrote:
On 03/15/2017 08:13 AM, Paul Groves wrote:
A friend just emailed me this. Apparently you are supposed to use the module names as he has set out below. I have tried the configuration and it is working as expected.
    <IfModule authnz_external_module>
        AddExternalAuth pwauth /usr/sbin/pwauth
        SetExternalAuthMethod pwauth pipe
    </IfModule>

    <IfModule authz_unixgroup_module>
        AddExternalGroup unixgroup /usr/sbin/unixgroup
        SetExternalGroupMethod unixgroup environment
    </IfModule>
And as before:
    AuthType Basic
    AuthName "You shall not pass! (Unless you are a system administrator)"
    AuthBasicProvider external
    AuthExternal pwauth
    <RequireAll>
        Require valid-user
        Require unix-group sudo
    </RequireAll>

Paul,
Thanks for the follow-up and for providing the results of your digging. For a bit stricter password controls on 2.2 or 2.4, I have been using Basic auth with a hashed password file created with dbmmanage2 to provide remote access regardless of whether there is a valid unix user. It's just another simple option that seems to work well on 2.4 as well:
    Alias /foo/ "/srv/http/htdocs/foo/"
    Alias /foo  "/srv/http/htdocs/foo/"

    # the opening <Directory> line was lost in the archive; restored to match the Alias target
    <Directory "/srv/http/htdocs/foo/">
        Options +Indexes +FollowSymLinks
        IndexOptions FancyIndexing IconsAreLinks SuppressDescription FoldersFirst NameWidth=*
        AllowOverride AuthConfig Options FileInfo Limit
        # mod rewrite stuff
        AuthType Basic
        AuthName "Case_Restricted"
        AuthBasicProvider dbm
        AuthDBMType DB
        AuthDBMUserFile /usr/local/lib/apache2/caseaccess
        Require valid-user
    </Directory>

You create the database with, e.g.
    # dbmmanage2 dbname command argument
or with actual data
    # dbmmanage2 caseaccess adduser paul
'paul' can now connect from anywhere...
You will be prompted for a password, which is then hashed and stored in the file. You can view and check entries with

    # dbmmanage2 dbname view paul
    # dbmmanage2 dbname check paul
    passwd:
Thanks, might come in handy in the future. Unfortunately not possible in my case, as the server is a member of Active Directory and the "unix groups" and "local users" are just users from AD linked by PAM.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2017-03-16 13:09, Paul Groves wrote:
On 15/03/17 23:53, David C. Rankin wrote:
On 03/15/2017 08:13 AM, Paul Groves wrote:
A friend just emailed me this. Apparently you are supposed to use the module names as he has set out below. I have tried the configuration and it is working as expected.
    <IfModule authnz_external_module>
        AddExternalAuth pwauth /usr/sbin/pwauth
        SetExternalAuthMethod pwauth pipe
    </IfModule>

    <IfModule authz_unixgroup_module>
        AddExternalGroup unixgroup /usr/sbin/unixgroup
        SetExternalGroupMethod unixgroup environment
    </IfModule>
And as before:
    AuthType Basic
    AuthName "You shall not pass! (Unless you are a system administrator)"
    AuthBasicProvider external
    AuthExternal pwauth
    <RequireAll>
        Require valid-user
        Require unix-group sudo
    </RequireAll>

Paul,
Thanks for the follow-up and for providing the results of your digging. For a bit stricter password controls on 2.2 or 2.4, I have been using Basic auth with a hashed password file created with dbmmanage2 to provide remote access regardless of whether there is a valid unix user. It's just another simple option that seems to work well on 2.4 as well:
    Alias /foo/ "/srv/http/htdocs/foo/"
    Alias /foo  "/srv/http/htdocs/foo/"

    # the opening <Directory> line was lost in the archive; restored to match the Alias target
    <Directory "/srv/http/htdocs/foo/">
        Options +Indexes +FollowSymLinks
        IndexOptions FancyIndexing IconsAreLinks SuppressDescription FoldersFirst NameWidth=*
        AllowOverride AuthConfig Options FileInfo Limit
        # mod rewrite stuff
        AuthType Basic
        AuthName "Case_Restricted"
        AuthBasicProvider dbm
        AuthDBMType DB
        AuthDBMUserFile /usr/local/lib/apache2/caseaccess
        Require valid-user
    </Directory>

You create the database with, e.g.
    # dbmmanage2 dbname command argument
or with actual data
    # dbmmanage2 caseaccess adduser paul
'paul' can now connect from anywhere...
You will be prompted for a password, which is then hashed and stored in the file. You can view and check entries with

    # dbmmanage2 dbname view paul
    # dbmmanage2 dbname check paul
    passwd:
Thanks, might come in handy in the future. Unfortunately not possible in my case, as the server is a member of Active Directory and the "unix groups" and "local users" are just users from AD linked by PAM.

It may be useful to me. I wondered how to have a simple web page with some access control. I suppose this is with https? Or is that a separate thing?

--
Cheers / Saludos,
Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 03/16/2017 07:24 AM, Carlos E. R. wrote:
I suppose this is with https? Or is that a separate thing?
Yes, this is with https, I enforce it just prior to the authentication, e.g.:
On 2017-03-17 04:59, David C. Rankin wrote:
On 03/16/2017 07:24 AM, Carlos E. R. wrote:
I suppose this is with https? Or is that a separate thing?
Yes, this is with https, I enforce it just prior to the authentication, e.g.:
Makes sense. I have to explore that one day. You also need a certificate. Reminds me: an email I sent direct to you bounced this morning:

    Reporting-MTA: dns; smtp.movistar.es
    Received-from-MTA: dns; minas-tirith.valinor (82.158.73.27)
    Arrival-Date: Wed, 15 Mar 2017 14:35:02 +0000

    Original-Recipient: rfc822;drankinatty@suddenlinkmail.com
    Final-Recipient: rfc822; drankinatty@suddenlinkmail.com
    Action: Failed
    Status: 4.4.7 (delivery time expired)

--
Cheers / Saludos,
Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
Carlos E. R. wrote:
On 2017-03-17 04:59, David C. Rankin wrote:
On 03/16/2017 07:24 AM, Carlos E. R. wrote:
I suppose this is with https? Or is that a separate thing?
Yes, this is with https, I enforce it just prior to the authentication, e.g.:
Makes sense. I have to explore that one day. You also need a certificate.
FYI, you really only need the certificate if you are using basic authentication (clear text) or if you want the entire exchange encrypted. For authentication, you can use apache's digest authentication, which does not transmit your credentials in clear text. Otherwise free certificates are available at http://letsencrypt.org

--
Per Jessen, Zürich (9.1°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
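To make Per's point concrete, here is an added example (not from the thread) contrasting what Basic and Digest authentication put on the wire: Basic encodes user:password with base64, while RFC 2617 Digest (qop=auth) sends only a hash that the server recomputes from the HA1 value htdigest stores. The realm "Case_Restricted" is borrowed from David's config; the user, password and nonces are constructed values.

```python
import base64
import hashlib
import hmac


def basic_header(user: str, password: str) -> str:
    """What Basic auth puts in the Authorization header. base64 is an
    encoding, not encryption: the pair is recoverable by anyone on the path."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_credentials(header: str) -> tuple:
    """Recover user and password from a Basic header, i.e. what a passive
    observer of plain HTTP sees (the reason Basic needs https)."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """Client side of RFC 2617 Digest with qop=auth. Only this hash is sent;
    the password itself never leaves the client."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")  # the value htdigest stores
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def server_verifies(ha1_on_file, method, uri, nonce, nc, cnonce, response):
    """Server side: mod_auth_digest keeps HA1 in the htdigest file, not the
    password, and recomputes the expected response. Nonce freshness and
    replay tracking, which a real server must also do, are omitted here."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{ha1_on_file}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # constructed sample values; realm taken from David's AuthName
    hdr = basic_header("paul", "s3cret")
    print(hdr, "->", basic_credentials(hdr))
    args = ("GET", "/foo/", "nonce-constructed", "00000001", "cnonce-constructed")
    resp = digest_response("paul", "Case_Restricted", "s3cret", *args)
    ha1 = md5_hex("paul:Case_Restricted:s3cret")
    print("digest response:", resp, "accepted:", server_verifies(ha1, *args, resp))
```

Digest keeps the password off the wire, but the rest of the request and response is still cleartext and the scheme is MD5-based, so TLS remains the stronger choice where a certificate is available.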
On 2017-03-17 07:48, Per Jessen wrote:
Carlos E. R. wrote:
On 2017-03-17 04:59, David C. Rankin wrote:
On 03/16/2017 07:24 AM, Carlos E. R. wrote:
I suppose this is with https? Or is that a separate thing?
Yes, this is with https, I enforce it just prior to the authentication, e.g.:
Makes sense. I have to explore that one day. You also need a certificate.
FYI, you really only need the certificate if you are using basic authentication (clear text) or if you want the entire exchange encrypted. For authentication, you can use apache's digest authentication, which does not transmit your credentials in clear text.
Ah! Good to know.
Otherwise free certificates are available at http://letsencrypt.org
Good to know, too, thanks.

--
Cheers / Saludos,
Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))