I would like a local Linux user to be able to authenticate (log in) using the Nginx PAM module. I am using a CentOS 7 server. Specifically, the below is what I am trying to do...
The README for the ngx http auth pam module says:
Note that the module runs as the web server user, so the PAM modules used must be able to authenticate the users without being root; that means that if you want to use the pam_unix.so module to authenticate users you need to let the web server user to read the /etc/shadow file if that does not scare you (on Debian like systems you can add the www-data user to the shadow group).
My first question is: in this case, is 'nginx' the web server user? My second question is: how can I set the permissions for the web server user to read the /etc/shadow file? Can someone please provide me with steps that have worked for them? I have followed along with many tutorials that I have found online, but without success. Currently, when accessing the site that I want a local Linux user to be able to log into, I do get an authentication prompt (to enter the username and password), but when I enter the credentials of a local Linux user it is unsuccessful and just prompts me to enter them again.
Thank you, any help is appreciated and I can give more information if needed.
Edit:
I have configured PAM in nginx by first building nginx up from source using the steps here. In my nginx.conf file I have added the following line towards the top to include the PAM module...
load_module /etc/nginx/modules/ngx_http_auth_pam_module.so;
I have also included the two lines below in my location directive in the nginx.conf...
auth_pam "Secure area";
auth_pam_service_name "nginx";
In the directory '/etc/pam.d' for the nginx service file I have the following two lines...
auth required /usr/lib/security/pam_unix.so
account required /usr/lib/security/pam_unix.so
Looking at the README for the ngx http auth pam module I see that I would have to give the web server user read permission to the /etc/shadow file. To do this I first created a new group called 'shadow'. I then assigned the web server user (which I am assuming is nginx) to the 'shadow' group. I then changed the permissions for the /etc/shadow file. The commands that I ran to do this are below...
groupadd shadow
usermod -a -G shadow nginx
chown root:shadow /etc/shadow
chmod g+r /etc/shadow
After doing this I checked the permissions for the /etc/shadow file using the command
ls -l /etc/shadow
and this is what the output was...
----r-----. 1 root shadow 1390 Aug 30 12:51 /etc/shadow
I also set a password for the nginx user. And just to reiterate, upon accessing the site that I want to have authentication, when I enter in the nginx username and password it just prompts me again to enter it.
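A way to check the permission setup described in the question, as an added example that is not part of the original post or of the module's own code: it reads the `user` directive from an nginx.conf and evaluates the Unix mode bits for a given account. The function names and the numeric ids in the sample calls are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helpers (names are not from nginx or the PAM module).

# Print the account named by the `user` directive in an nginx.conf.
# Empty output means no directive was found and the compiled-in default applies.
nginx_conf_user() {
    sed -n 's/^[[:space:]]*user[[:space:]]\{1,\}\([^[:space:];]*\).*/\1/p' "$1" | head -n 1
}

# dac_read_check MODE FILE_UID FILE_GID USER_UID "USER_GIDS"
# Classic Unix mode-bit check. Exactly one class applies: owner, else group,
# else other. Prints "<class>:yes|no" and returns 0 only if read is granted.
dac_read_check() {
    mode=$((0$1)); fuid=$2; fgid=$3; uid=$4; gids=$5
    if [ "$uid" -eq 0 ]; then
        echo "root:yes"      # uid 0 normally bypasses the mode bits
        return 0
    fi
    if [ "$uid" -eq "$fuid" ]; then
        class=owner; bit=$(( $mode & 0400 ))
    else
        class=other; bit=$(( $mode & 04 ))
        for g in $gids; do
            if [ "$g" -eq "$fgid" ]; then
                class=group; bit=$(( $mode & 040 )); break
            fi
        done
    fi
    if [ "$bit" -ne 0 ]; then echo "$class:yes"; return 0; fi
    echo "$class:no"; return 1
}

# Look up the real values for USER and FILE (GNU stat, as on CentOS).
# `id -G` reads the group database; a running process keeps the groups it
# started with, so restart the service after usermod.
check_user_can_read() {
    user=$1; file=${2:-/etc/shadow}
    st=$(stat -c '%a %u %g' "$file") || return 2
    set -- $st
    dac_read_check "$1" "$2" "$3" "$(id -u "$user")" "$(id -G "$user")"
}

# Constructed sample: mode 040 as in the listing above, owner uid 0,
# group gid 1001, checked for uid 997 with and without that group.
dac_read_check 40 0 1001 997 "997 1001"          # group:yes
dac_read_check 40 0 1001 997 "997" || true       # other:no
```

This evaluates mode bits only; the trailing `.` in the `ls -l` output marks an SELinux security context on the file, and SELinux policy is evaluated separately from these bits.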