Auth_request vs auth_pam_service_name

Hi, I am a newbie at nginx and looking at its authentication capabilities.
It appears that when using auth_request, every client request would still
require an invocation to the auth_request fastcgi or proxy_pass server.
Looking at auth_pam, I am not clear on how it works:

  1. How does nginx pass the user credentials to the PAM module?

  2. Would nginx remember that a user has been authenticated? Perhaps via a
    cookie that’d be returned by PAM? I looked at the nginx pam source code and
    didn’t see it returning any cookie to nginx … perhaps PAM does it by
    storing it on some context that’s returned to NGINX?

  3. Is the auth_pam directive mandatory? When I used it with

        locate /
        {
            auth_pam "Login Banner";
            auth_required_service_name "nginx";
        }

    where the PAM nginx file had "auth required pam_unix.so"
    a user/password login page popped up. But even after I entered a valid
    user/pwd and hit , the same login page would pop up again, prompting for
    a user/pwd. I got the same behavior even after removing the
    auth_required_service_name statement.
    Can someone explain the behavior I experienced?

  4. Is there a way for us to provide our own Login html page to the user? If
    yes, how do we do it and how would we pass the credentials to NGINX?

  5. NGINX chooses the authentication method (local vs ldap vs rsa etc) based
    on the server/uri. For example, /www.example.org users would be
    authenticated via LDAP: location /example { auth_pam_service_name "authFile"
    } and the authFile would contain "auth required ldap.so"

Is there a way to configure nginx to base the authentication method on some
user configuration outside of nginx?

Thank you for any clarifications!

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,256075,256075#msg-256075

On Mon, Jan 12, 2015 at 04:56:01PM -0500, nginxuser100 wrote:

> Hi, I am a newbie at nginx and looking at its authentication capabilities.
> It appears that when using auth_request, every client request would still
> require an invocation to the auth_request fastcgi or proxy_pass server.
> Looking at auth_pam, I am not clear on how it works:
>
>   1. How does nginx pass the user credentials to the PAM module?

It gets them from the HTTP Basic Auth header and calls the PAM functions to
pass them to the underlying modules in a non interactive mode.

>   2. Would nginx remember that a user has been authenticated? Perhaps via a
>     cookie that’d be returned by PAM? I looked at the nginx pam source code and
>     didn’t see it returning any cookie to nginx … perhaps PAM does it by
>     storing it on some context that’s returned to NGINX?

When using HTTP Basic Auth the server does not remember users and passwords,
usually the client does and the user and password are checked on each
request… depending on the PAM modules you use they can do some caching,
though.

>   3. Is the auth_pam directive mandatory? When I used it with
>
>         locate /
>         {
>             auth_pam "Login Banner";
>             auth_required_service_name "nginx";
>         }

If you want to use auth_pam you have to use the directive.

>     where the PAM nginx file had "auth required pam_unix.so"
>     a user/password login page popped up. But even after I entered a valid
>     user/pwd and hit , the same login page would pop up again, prompting for
>     a user/pwd. I got the same behavior even after removing the
>     auth_required_service_name statement.
>     Can someone explain the behavior I experienced?

Yes, your problem is that the web server can’t validate the users using
pam_unix.so; quoting the ngx_http_auth_pam_module README:

  Note that the module runs as the web server user, so the PAM modules used
  must be able to authenticate the users without being root; that means that
  if you want to use the pam_unix.so module to authenticate users you need to
  let the web server user read the /etc/shadow file if that does not scare
  you (on Debian like systems you can add the www-data user to the shadow
  group).

I don’t recommend letting the webserver read your shadow file, but that
is your call (I usually use PAM to validate against LDAP or user databases
that don’t need root access).

>   4. Is there a way for us to provide our own Login html page to the user? If
>     yes, how do we do it and how would we pass the credentials to NGINX?

It depends on your application and the method you plan to use; nothing NGINX
specific here. HTTP Basic Auth is really basic; you should use other
authentication mechanisms if you want something more powerful (on NGINX you
can look into the Pubcookie module or implementing something using the Lua
Module).

>   5. NGINX chooses the authentication method (local vs ldap vs rsa etc) based
>     on the server/uri. For example, /www.example.org users would be
>     authenticated via LDAP: location /example { auth_pam_service_name "authFile"
>     } and the authFile would contain "auth required ldap.so"
>
> Is there a way to configure nginx to base the authentication method on some
> user configuration outside of nginx?

If you want to handle HTTP basic auth with NGINX you have to configure it on
the level you want (i.e. you can use a global auth method for a server and
disable or change it on specific locations) or you can authenticate at the
application level (not using nginx modules).

That being said, you can implement a flexible authentication method with the
PAM module using the pam_exec module and passing variables to it:

http://web.iti.upv.es/~sto/nginx/ngx_http_auth_pam_module-1.3/README.html#pam_environment

But that probably is not really a good idea for production environments (PAM
is blocking and pam_exec.so can be dangerous and resource intensive, as it
forks a process for each authentication request); if you want to do something
equivalent I’d rather do it using the auth_request module:

http://nginx.org/en/docs/http/ngx_http_auth_request_module.html

and an authentication web app that behaves as you want with the parameters you
pass to it (i.e. it uses a different AUTH schema depending on the URL you are
trying to validate and implements some kind of caching).

> Thank you for any clarifications!

You’re welcome, hope it helps.

Greetings,

Sergio.


Sergio Talens-Oliag [email protected] http://www.iti.es/
Key fingerprint = FF77 A16B 9D09 FC7B 6656 CFAD 261D E19A 578A 36F2
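
The auth_request approach suggested in the reply above, sketched as an added example that is not part of the thread or of any nginx module: the decision logic of an authentication service that reads the HTTP Basic Auth header, picks a backend by the original URI, and caches successful checks. The backends, credentials, listen address, `/_auth` location and `X-Original-URI` header name are constructed assumptions.

```python
# nginx side assumed by this sketch (auth_request wiring; names are assumptions):
#   location /        { auth_request /_auth; }
#   location = /_auth { internal; proxy_pass http://127.0.0.1:9000;
#                       proxy_pass_request_body off; proxy_set_header Content-Length "";
#                       proxy_set_header X-Original-URI $request_uri; }
import base64, hashlib, hmac, os, time

CACHE_TTL = 60                 # seconds a successful check is remembered
CACHE_KEY = os.urandom(32)     # per-process key for the cache digest
CACHE = {}                     # digest -> expiry time

def static_backend(users):
    """Constructed stand-in for a real backend (LDAP, local database, ...)."""
    return lambda u, p: u in users and hmac.compare_digest(users[u].encode(), p.encode())

# Constructed sample policy: the longest matching URI prefix picks the scheme.
BACKENDS = {
    "/example/": static_backend({"alice": "ldap-pass"}),
    "/": static_backend({"bob": "local-pass"}),
}

def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:         # malformed base64 or invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def authorize(headers, now=None):
    """Status for nginx auth_request: 204 allows the request, 401 denies it."""
    now = time.time() if now is None else now
    creds = parse_basic(headers.get("Authorization"))
    uri = headers.get("X-Original-URI", "/")
    prefix = max((p for p in BACKENDS if uri.startswith(p)), key=len, default=None)
    if creds is None or prefix is None:
        return 401
    # Keyed digest of (prefix, user, password): no plaintext password is cached.
    digest = hmac.new(CACHE_KEY, repr((prefix, *creds)).encode(), hashlib.sha256).digest()
    if CACHE.get(digest, 0) > now:
        return 204
    if BACKENDS[prefix](*creds):
        CACHE[digest] = now + CACHE_TTL
        return 204
    return 401
```

`$request_uri` is the raw, un-normalised URI sent by the client, so a real service should normalise it before prefix matching to keep its choice consistent with nginx's location matching.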

Thanks Sergio, that was helpful!

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,256075,256109#msg-256109