Using ruby-pam in a CGI

I’m looking at writing some simple control panel software for my
webhosting business, and part of what I need to do is authenticate
users. I’d like to simply use their system passwords (so that way
they only have to remember one). For that reason, I’d like to use
ruby-pam to authenticate them.

Since this is going to be running in a CGI environment, I can’t prompt
the user for information the way PAM would have me do. When I tried
to do this with Authen::PAM in Perl, I could never get it to work.

Do any of you have suggestions?

Thanks,
Samuel

You won’t be able to authenticate users using PAM unless you are running as
root, because you need root privileges to read /etc/shadow or its
equivalent.

Perhaps the easiest kludgy way to get it working is to run a POP3 server,
and your script can then attempt a POP3 login to validate a
username/password pair.

Other options would be to run a radius server (one which uses PAM and runs
as root), or a password-checking daemon such as Cyrus’ pwcheck or Courier’s
authdaemond (but you’ll have to write client-side code to talk the
appropriate protocol)

Or you could write a little setuid-root C program for checking passwords,
taking care not to introduce any security holes.

I just came across another option which is a patched version of PAM which
allows password checking from non-root accounts:
http://www.e-admin.de/pam_exim/ (but I don’t know how it actually works)

Regards,

Bran.

···

On Sat, Jul 05, 2003 at 03:18:56AM +0900, Samuel Tesla wrote:

I’m looking at writing some simple control panel software for my
webhosting business, and part of what I need to do is authenticate
users. I’d like to simply use their system passwords (so that way
they only have to remember one). For that reason, I’d like to use
ruby-pam to authenticate them.

Since this is going to be running in a CGI environment, I can’t prompt
the user for information the way PAM would have me do. When I tried
to do this with Authen::PAM in Perl, I could never get it to work.

Do any of you have suggestions?

Brian Candler B.Candler@pobox.com writes:

Or you could write a little setuid-root C program for checking passwords,
taking care not to introduce any security holes.

I was actually planning on using sudo in order to run things as the
user. But now that you mention it, I think I may know what problem
I’d been having before. I was trying to change my password as a
normal user instead of root. Thanks for shedding light on that :)

I just came across another option which is a patched version of PAM which
allows password checking from non-root accounts:
http://www.e-admin.de/pam_exim/ (but I don’t know how it actually works)

I’ll have to check that out.

Thanks,
Samuel

I suppose some clarification is in order.

All I’m really trying to figure out is how to write the conversation
function. Since it’s going to be a CGI, I can’t write an interactive
conversation function (which is kind of what PAM assumes).

See, before, I was running my perl script as me instead of root. It
would let me authenticate fine but it wouldn’t let me change my
password. I’m going to write a ruby script and see if it works when I
run it as root.

In any event, I’ll post my results.

Thanks,
Samuel

Why not?

Just use the broken design of PAM in the way everyone else does. If you look
at most PAM clients they use the following logic:

  • in response to PAM_PROMPT_ECHO_ON send the username
  • in response to PAM_PROMPT_ECHO_OFF send the password

Stupid and completely defeats the design objectives of PAM, but (say) a POP3
server can’t use it in any other way in any case.

If PAM supported SASL then it might have some use. Otherwise there are few
things which properly support an ‘interactive conversation function’ in the
way that PAM requires - telnet is OK of course, ssh
KbdInteractiveAuthentication and radius Access-Challenge are the only ones I
can think of.

Regards,

Brian.

···

On Sat, Jul 05, 2003 at 05:40:53AM +0900, Samuel Tesla wrote:

All I’m really trying to figure out is how to write the conversation
function. Since it’s going to be a CGI, I can’t write an interactive
conversation function (which is kind of what PAM assumes).

I suppose some clarification is in order.

All I’m really trying to figure out is how to write the conversation
function. Since it’s going to be a CGI, I can’t write an interactive
conversation function (which is kind of what PAM assumes).

You can if you use a persistent authenticator process, that handles
several stages of the request, or do what everyone else does for
non-interactive apps: assume that the first prompt is username, the
second is password, and if there’s more, carp and die.

See, before, I was running my perl script as me instead of root. It
would let me authenticate fine but it wouldn’t let me change my
password. I’m going to write a ruby script and see if it works when I
run it as root.

Good luck!

···

On Fri, 2003-07-04 at 14:40, Samuel Tesla wrote:

In any event, I’ll post my results.

Thanks,
Samuel
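The "first prompt is username, second is password, anything more is an error" convention that both Brian and Aredridel describe, written out as an added Ruby example (not code from the thread or from ruby-pam). It models the conversation callback as a lambda over PAM's message styles, using the Linux-PAM constant values, and fails closed instead of guessing when a module asks for something beyond one username and one secret:

```ruby
# Added example: a non-interactive PAM-style conversation function in Ruby.
# The message-style constants are the Linux-PAM values from <security/pam_appl.h>.
PAM_PROMPT_ECHO_OFF = 1   # secret prompt (password)
PAM_PROMPT_ECHO_ON  = 2   # visible prompt (username)
PAM_ERROR_MSG       = 3   # message to display, no reply expected
PAM_TEXT_INFO       = 4   # message to display, no reply expected

class ConvError < StandardError; end

# Build a conversation callback for a fixed username/password pair.
# The lambda takes one round of messages as [style, text] pairs and returns
# one response per message (nil where no reply is needed). If a username is
# already known to PAM (passed to pam_start), the ECHO_ON prompt never comes,
# which this handles fine; anything beyond one username and one secret raises.
def canned_conversation(username, password)
  answered_user = false
  answered_pass = false
  lambda do |messages|
    messages.map do |style, text|
      case style
      when PAM_PROMPT_ECHO_ON
        raise ConvError, "second username prompt: #{text.inspect}" if answered_user
        answered_user = true
        username
      when PAM_PROMPT_ECHO_OFF
        # A second secret prompt means a module wants a new password, a
        # token, or a retry; re-sending the same secret blindly would be wrong.
        raise ConvError, "unexpected extra secret prompt: #{text.inspect}" if answered_pass
        answered_pass = true
        password
      when PAM_ERROR_MSG, PAM_TEXT_INFO
        nil   # informational only; nothing to send back
      else
        raise ConvError, "unknown PAM message style #{style}"
      end
    end
  end
end

# Drive the callback over a list of rounds (constructed input, standing in for
# the calls PAM would make). Returns [:ok, replies] or [:conv_error, reason],
# mirroring PAM_SUCCESS / PAM_CONV_ERR from a C conversation function.
def run_conversation(conv, rounds)
  replies = rounds.map { |round| conv.call(round) }
  [:ok, replies]
rescue ConvError => e
  [:conv_error, e.message]
end
```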

Aredridel aredridel@nbtsc.org writes:

···

On Fri, 2003-07-04 at 14:40, Samuel Tesla wrote:
You can if you use a persistent authenticator process, that handles
several stages of the request, or do what everyone else does for
non-interactive apps: assume that the first prompt is username, the
second is password, and if there’s more, carp and die.

Yeah, that’s what I did in my perl script. Could never figure it
out. But I think it’s the whole euid issue. We’ll see. I had to
patch ruby-pam to work with 1.8.0 first.

Samuel Tesla samuel@alieniloquent.com writes:

Yeah, that’s what I did in my perl script. Could never figure it
out. But I think it’s the whole euid issue. We’ll see. I had to
patch ruby-pam to work with 1.8.0 first.

Well, I wrote a quick ruby script to change people’s passwords. Sure
enough, if I run it as me, I can authenticate but I can’t chauthtok.
If I run it as root, it all works fine.

Thanks for the help!