Nginx with PAM authentication through pam_script

[kuznetcoff777]

System information

Operating system (e.g. Ubuntu 22.04): oracle linux 8.5
Do you use selinux? (check with e.g. sestatus): disabled

Steps to reproduce

1. Assembled nginx docker container with pam auth module, added apk google-authenticator to container
2. /etc/pam.d/nginx contains this:
   auth required /lib/security/pam_google_authenticator.so
3. locally created /root/.google_authenticator - chekcked it via sshd pam, works
4. nginx.conf has this in config
   load_module /etc/nginx/modules/ngx_http_auth_pam_module.so;

and this in location /

                auth_pam "Secure area";
                auth_pam_service_name "nginx";

5 launching docker
docker run --name nginx-pam -e TZ="Europe/Moscow" --network host -v /etc/ssl/nginx:/etc/ssl/nginx:ro -v /etc/pam.d/nginx:/etc/pam.d/nginx:ro -v /etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro -v /root/.google_authenticator:/root/.google_authenticator -d nginx-pam-assemble

When enter http address in browser i see http auth "Secure area", but when enter root and OTP - in logs i see this:

2022/12/30 12:47:26 [error] 23#23: *3 PAM: user 'root' - not authenticated: Authentication failure, client: 1.1.1.1, server: _, request: "GET / HTTP/1.1", host: "2.2.2.2"

If i do something wrong and it cannot work as i expect?

[ThomasHabets]

This seems more like an nginx question than a question for this project. You're not showing any logs from PAM. E.g. /var/log/auth.log is usually the right place.

I assume that the section of the README on this project describing forward_pass is applicable, so you probably need those options.

And if the logs still don't help you, then add the debug option to get more logs.

[kuznetcoff777]

/var/log/auth.log is empty, seems to be docker issue, so debug mode wont help. Need to do experiment without docker probably

forward_pass does not help

[kuznetcoff777]

Made nginx withoud docker, the samep roblem, but now i see logs in /var/log/secure

Dec 30 16:39:21 test-oracle-linux-8 nginx(pam_google_authenticator)[1765503]: debug: start of google_authenticator for "root"
Dec 30 16:39:21 test-oracle-linux-8 nginx(pam_google_authenticator)[1765503]: Failed to change user id to "root"
Dec 30 16:39:21 test-oracle-linux-8 nginx(pam_google_authenticator)[1765503]: debug: end of google_authenticator for "root". Result: Authentication failure

Why is that? Why it try to change user id to "root"

[ThomasHabets]

Because you're asking it to auth as root, and read files owned as root.

You could try using the secret= and user= options.

[kuznetcoff777]

Ok, made simplier test. Added user test.

cp /root/.google_authenticator /home/test/
chown test:test /home/test/.google_authenticator

ls -alt /home/test/.google_authenticator
-r--r--r--. 1 test test 94 Dec 30 16:49 /home/test/.google_authenticator

in pam.d

auth required pam_google_authenticator.so debug secret=/home/${USER}/.google_authenticator

And still the same after nginx restart:

Dec 30 16:53:21 test-oracle-linux-8 nginx(pam_google_authenticator)[1765585]: debug: start of google_authenticator for "test"
Dec 30 16:53:21 test-oracle-linux-8 nginx(pam_google_authenticator)[1765585]: Failed to change user id to "test"
Dec 30 16:53:21 test-oracle-linux-8 nginx(pam_google_authenticator)[1765585]: debug: end of google_authenticator for "test". Result: Authentication failure

[kuznetcoff777]

Also attempted to place
user=root

Still the same, i doing something wrong...

[ThomasHabets]

nginx is not running as user root, which means it can't change to user test either. Try user=www or whatever nginx runs as.

[kuznetcoff777]

Master process from root:

[root@test-oracle-linux-8 transcoder]# ps aux | grep nginx
root     1765600  0.0  0.0  49176   912 ?        Ss   16:57   0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
nginx    1765601  0.0  0.0  83884  6352 ?        S    16:57   0:00 nginx: worker process
nginx    1765602  0.0  0.0  83884  5360 ?        S    16:57   0:00 nginx: worker process
root     1765607  0.0  0.0  12132  1100 pts/0    S+   16:58   0:00 grep --color=auto nginx

[ThomasHabets]

So user=nginx.

[kuznetcoff777]

I got it, /home/test have no permissions for nginx user.
I made separate folder
user=nginx secret=/var/google/${USER}/.google_authenticator
now new error, but it is better then was before )

Dec 30 17:01:24 test-oracle-linux-8 nginx(pam_google_authenticator)[1765647]: debug: start of google_authenticator for "test"
Dec 30 17:01:24 test-oracle-linux-8 nginx(pam_google_authenticator)[1765647]: debug: Secret file permissions are 0444. Allowed permissions are 0600
Dec 30 17:01:24 test-oracle-linux-8 nginx(pam_google_authenticator)[1765647]: Secret file "/var/google/test/.google_authenticator" permissions (0444) are more permissive than 0600
Dec 30 17:01:24 test-oracle-linux-8 nginx(pam_google_authenticator)[1765647]: No secret configured for user test, asking for code anyway.
Dec 30 17:01:24 test-oracle-linux-8 nginx(pam_google_authenticator)[1765647]: Invalid verification code for test
Dec 30 17:01:24 test-oracle-linux-8 nginx(pam_google_authenticator)[1765647]: debug: end of google_authenticator for "test". Result: Authentication failure

[ThomasHabets]

These lines say pretty clearly what the error is:

Dec 30 17:01:24 test-oracle-linux-8 nginx(pam_google_authenticator)[1765647]: debug: Secret file permissions are 0444. Allowed permissions are 0600
Dec 30 17:01:24 test-oracle-linux-8 nginx(pam_google_authenticator)[1765647]: Secret file "/var/google/test/.google_authenticator" permissions (0444) are more permissive than 0600

chmod 600 /var/google/test/.google_authenticator

[kuznetcoff777]

Yep, made it.
Now i catch this

Dec 30 17:06:38 test-oracle-linux-8 nginx(pam_google_authenticator)[1765647]: debug: start of google_authenticator for "test"
Dec 30 17:06:38 test-oracle-linux-8 nginx(pam_google_authenticator)[1765647]: debug: Secret file permissions are 0600. Allowed permissions are 0600
Dec 30 17:06:38 test-oracle-linux-8 nginx(pam_google_authenticator)[1765647]: debug: "/var/google/test/.google_authenticator" read
Dec 30 17:06:38 test-oracle-linux-8 nginx(pam_google_authenticator)[1765647]: debug: shared secret in "/var/google/test/.google_authenticator" processed
Dec 30 17:06:38 test-oracle-linux-8 nginx(pam_google_authenticator)[1765647]: debug: google_authenticator for host "1.1.1.1"
Dec 30 17:06:38 test-oracle-linux-8 nginx(pam_google_authenticator)[1765647]: debug: no scratch code used from "/var/google/test/.google_authenticator"
Dec 30 17:06:38 test-oracle-linux-8 nginx(pam_google_authenticator)[1765647]: Accepted google_authenticator for test
Dec 30 17:06:38 test-oracle-linux-8 nginx(pam_google_authenticator)[1765647]: Failed to create tempfile "/var/google/test/.google_authenticator~FMagD9": Permission denied
Dec 30 17:06:38 test-oracle-linux-8 nginx(pam_google_authenticator)[1765647]: Failed to update secret file "/var/google/test/.google_authenticator": Permission denied
Dec 30 17:06:38 test-oracle-linux-8 nginx(pam_google_authenticator)[1765647]: debug: end of google_authenticator for "test". Result: Authentication failure