PHP5 and pam auth


Since upgrading to Redhat 5, I'm having problems setting up pam authentication with PHP5. I realize that it's a security issue but server is only accessible internally (not from internet) so we are OK with the security issues. If anyone can help out we would really appreciate it.


Thanks

Responses

Hi,


It is indeed a security issue. A lot of this builds around the implementation of having a web interface tied to the system's PAM stack. There are other options that could be taken.


Have you thought about using 'php-ldap' (the LDAP calls are held within the PHP code)? This would allow your PHP applications to be able to utilize LDAP support, thereby keeping it out of the system's PAM stack.


~ricky

Why are you using pam authentication for web server? Using PAM authentication with apache/nginx is a very bad idea. Here are some reasons:

* The Web technology provides no governors on how often or how rapidly password (authentication failure) retries can be made. That means that someone can hammer away at your system's root password using the Web, using a dictionary or similar mass attack, just as fast as the wire and your server can handle the requests. Most operating systems these days include attack detection (such as n failed passwords for the same account within m seconds) and evasion (breaking the connection, disabling the account under attack, disabling all logins from that source, et cetera), but the Web does not.

* An account under attack isn't notified (unless the server is heavily modified); there's no "You have 19483 login failures" message when the legitimate owner logs in.

* Without an exhaustive and error-prone examination of the server logs, you can't tell whether an account has been compromised. Detecting that an attack has occurred, or is in progress, is fairly obvious, though - if you look at the logs.

* Web authentication passwords (at least for Basic authentication) generally fly across the wire, and through intermediate proxy systems, in what amounts to plain text. "O'er the net we go/Caching all the way;/O what fun it is to surf/Giving my password away!"

* Since HTTP is stateless, information about the authentication is transmitted each and every time a request is made to the server. Essentially, the client caches it after the first successful access, and transmits it without asking for all subsequent requests to the same server.

* It's relatively trivial for someone on your system to put up a page that will steal the cached password from a client's cache without them knowing. Can you say "password grabber"?

Refer http://httpd.apache.org/docs/1.3/misc/FAQ.html#passwdauth

A possible solution for you would be to add all your users in LDAP and use LDAP auth instead. Benefits of using LDAP auth are:

- All apache servers can access the LDAP server & create a centralized authentication setup.
- You can configure LDAP on a secure port and all data transfer will be done over SSL.
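The php-ldap approach recommended in the replies above, as an added example (not code from the thread or from Red Hat): the user's DN is looked up with a read-only service account, and the user's own password is checked with a second bind over ldaps://. The server name, base DN, service account and the LDAP_RO_PASS environment variable are assumed placeholders.

```php
<?php
// Added example: authenticate a web user against LDAP from PHP with php-ldap,
// keeping authentication out of the system PAM stack.
// Assumed (hypothetical) values: ldaps://ldap.example.internal, base DN
// dc=example,dc=internal, read-only bind account cn=webapp-ro, and its
// password in the LDAP_RO_PASS environment variable.

function ldap_authenticate(string $username, string $password): bool
{
    // Reject empty passwords up front: many directories treat an empty
    // password as an anonymous bind, which would "succeed" for any user.
    if ($username === '' || $password === '') {
        return false;
    }

    // ldaps:// so credentials never cross the wire in the clear.
    $ldap = ldap_connect('ldaps://ldap.example.internal');
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Look up the user's DN with the read-only service account, so the
    // user-supplied name is never spliced into a DN directly.
    $roDn = 'cn=webapp-ro,ou=service,dc=example,dc=internal';
    if (!@ldap_bind($ldap, $roDn, (string) getenv('LDAP_RO_PASS'))) {
        ldap_close($ldap);
        return false;
    }
    // ldap_escape() (PHP 5.6+) with LDAP_ESCAPE_FILTER blocks filter injection.
    $filter = sprintf('(&(objectClass=inetOrgPerson)(uid=%s))',
                      ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $result  = ldap_search($ldap, 'ou=people,dc=example,dc=internal', $filter, ['dn']);
    $entries = ($result !== false) ? ldap_get_entries($ldap, $result) : false;
    if ($entries === false || $entries['count'] !== 1) {
        ldap_close($ldap);
        return false;   // unknown or ambiguous user
    }
    $userDn = $entries[0]['dn'];

    // The actual credential check: bind as the user with the supplied password.
    $ok = @ldap_bind($ldap, $userDn, $password);
    ldap_close($ldap);
    return $ok;
}
```

The retry-rate and failure-notification gaps listed in the reply above still apply to this code; the application must add its own failed-attempt logging and lockout, since LDAP alone does not provide them.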