apache2/pam/pwauth to remove www-data from shadow group


kw...@teradactyl.com

Feb 16, 2016, 4:42:54 PM
to web2py-users
I'm trying to get UNIX logins working using pam.  I was able to get the user login to work if I add www-data to the shadow group.  To get this working, I had to add www-data to the shadow group.  This is considered a bad practice, and pwauth is possibly the solution.  I was able to configure pwauth and test it with htaccess to get it working.  In my apache config I added:

  AddExternalAuth pwauth /usr/sbin/pwauth
  SetExternalAuthMethod pwauth pipe

  <Directory /var/www/html/web2py>
    <Files wsgihandler.py>
      Order deny,allow
      Allow from all
    </Files>
    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider external
    AuthExternal pwauth
    require valid-user
  </Directory>

Next, in gluon/contrib/login_methods, I changed the pam service in the authenticate() call:

    return authenticate(username, password, service='pwauth')

From /var/log/auth.log I get:

Feb 16 14:10:27 tibs2 unix_chkpwd[11030]: check pass; user unknown
Feb 16 14:10:27 tibs2 unix_chkpwd[11030]: password check failed for user (kwebb)
Feb 16 14:10:27 tibs2 apache2: pam_unix(pwauth:auth): authentication failure; logname= uid=33 euid=33 tty= ruser= rhost= user=kwebb

It works if I go back and add www-data to the shadow group in /etc/passwd.  I've also found some references to this in an Ubuntu 14.04 install
for web2py which I am trying to avoid:

usermod -a -G shadow www-data

Here is my pam config file for pwauth:

#
# The PAM configuration file for the `pwauth' service
#

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so

# Standard Un*x authentication.
@include common-auth

# Standard Un*x account
@include common-account

kw...@teradactyl.com

Feb 17, 2016, 4:07:13 PM
to web2py-users
Digging into this more, I have learned that the pam calls in the pam.py module use the username that is trying to authenticate, and pwauth requires the www-data userid.  There is some other magic with apache2/mod-authnz-external that makes this work with htaccess.  I tried adding a pam_set_item(PAM_RUSER, 'www-data') to pam.py, which works:

Feb 16 16:28:21 tibs2 apache2: pam_unix(pwauth:auth): authentication failure; logname= uid=33 euid=33 tty= ruser=www-data rhost= user=kwebb

but the authentication is still failing, so I clearly do not understand how pam works yet, but I do desire that web2py use pam w/o needing to add www-data to the shadow group in /etc/group.

kw...@teradactyl.com

Feb 18, 2016, 12:59:54 PM
to web2py-users
I finally resolved this.  Turns out PAM is not actually calling pwauth.  A simple bit of code:

        import subprocess

        def pwauth_authenticate(username, password):
            # pwauth reads "username\npassword\n" on stdin; exit status 0 means the credentials are valid
            proc = subprocess.Popen('/usr/sbin/pwauth', stdin=subprocess.PIPE)
            proc.communicate('%s\n%s\n' % (username, password))
            return proc.returncode == 0

Does the trick.  I will formalize this and remove it from the pam module.


On Tuesday, February 16, 2016 at 2:42:54 PM UTC-7, kw...@teradactyl.com wrote:
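The snippet in the previous post is enough to prove the approach, but a login path that shells out to a setuid-root helper deserves a little more care. The block below is an added example (my own code, not the poster's and not part of web2py or pwauth) showing a hardened wrapper around the same two-line stdin protocol: explicit argv with no shell, a bounded timeout so a stuck helper cannot pin a web worker, rejection of usernames or passwords containing line breaks (which would let one field spill into the other in a line-based protocol), and separation of "bad password" from "pwauth is misconfigured" so the latter can be alerted on. The exit-status boundaries are assumptions recalled from pwauth's README (0 = success, 50 and above = internal/configuration error such as the caller's uid not being in pwauth's compiled-in allowed list); check them against the README shipped with your version. The point for this thread is that pwauth is setuid root and reads /etc/shadow itself, so the web server's uid needs no shadow-group membership at all. The stub checker at the end is a constructed stand-in so the wrapper can be exercised offline; it does not consult /etc/shadow.

```python
import os
import stat
import subprocess
import tempfile

# Assumed from pwauth's README (verify against your installed version):
# 0 means the credentials are good, 1-7 are user-level failures, and 50+
# are pwauth internal/configuration errors, e.g. the calling uid is not in
# pwauth's compiled-in list of permitted server uids.
PWAUTH_OK = 0
PWAUTH_INTERNAL_ERROR_MIN = 50


def pwauth_check(username, password, pwauth_path='/usr/sbin/pwauth', timeout=5):
    """Return (ok, detail); ok is True only when pwauth exits 0.

    pwauth reads two lines on stdin: the login name, then the password.
    Values containing a line break are rejected up front so a crafted
    username cannot be interpreted as the password line or vice versa.
    """
    if not username or '\n' in username or '\r' in username:
        return False, 'invalid username'
    if '\n' in password or '\r' in password:
        return False, 'invalid password'
    payload = ('%s\n%s\n' % (username, password)).encode('utf-8')
    try:
        # Explicit argv (no shell), bounded runtime, helper output discarded.
        proc = subprocess.run([pwauth_path], input=payload,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL,
                              timeout=timeout)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return False, 'pwauth unavailable: %s' % exc
    if proc.returncode == PWAUTH_OK:
        return True, 'ok'
    if proc.returncode >= PWAUTH_INTERNAL_ERROR_MIN:
        # Misconfiguration (wrong caller uid, binary not setuid root, ...):
        # every login will fail until fixed, so treat it as an operational
        # alert rather than a failed login attempt.
        return False, 'pwauth configuration error, status %d' % proc.returncode
    return False, 'authentication failed, status %d' % proc.returncode


def make_stub_pwauth(valid_user, valid_password):
    """Write a constructed stand-in for /usr/sbin/pwauth for offline tests.

    It speaks the same two-line stdin protocol and exits 0 only for the
    constructed credential pair. It never touches /etc/shadow.
    """
    script = (
        '#!/bin/sh\n'
        'IFS= read -r u\n'
        'IFS= read -r p\n'
        "[ \"$u\" = '%s' ] && [ \"$p\" = '%s' ] && exit 0\n"
        'exit 1\n' % (valid_user, valid_password)
    )
    fd, path = tempfile.mkstemp(prefix='stub-pwauth-')
    with os.fdopen(fd, 'w') as fh:
        fh.write(script)
    os.chmod(path, stat.S_IRWXU)
    return path


if __name__ == '__main__':
    # Constructed credentials exercised against the stub checker.
    stub = make_stub_pwauth('kwebb', 'correct horse')
    print(pwauth_check('kwebb', 'correct horse', pwauth_path=stub))
    print(pwauth_check('kwebb', 'wrong', pwauth_path=stub))
    print(pwauth_check('kwebb\nroot', 'x', pwauth_path=stub))
```

In production, pass the real `/usr/sbin/pwauth` path and run the web server under the uid that pwauth was built to accept; if every attempt comes back as a configuration error, the caller uid or the setuid bit on the helper is the first thing to check, not the shadow group.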