10 Replies Latest reply on Jan 5, 2005 12:48 PM by janoss

    authenticate against underlying Linux OS

    mrchucho

      I've searched the forums and the web, but to no avail: is there a way to authenticate a web user against the Linux OS of the server on which JBoss is running? In other words, users log into the web application using the same username and password as they would use to log into the server itself. I would assume some sort of PAM-integration might be able to do this.

      Please note that ShadowJAAS is not a viable solution and UnixLoginModule does not do any authentication -- I've already pursued these options. Thanks.

      RMC

        • 1. Re: authenticate against underlying Linux OS
          starksm64

          You will have to write your own login module to do the OS-specific integration as there is no existing one I am aware of.

          • 2. Re: authenticate against underlying Linux OS
            janoss

            I am looking to use the Linux OS for authentication as well.

            Mrchucho, were you successful at implementing this?

            • 3. Re: authenticate against underlying Linux OS
              mrchucho

              Actually, I finally was successful. I've been meaning to write up an explanation, but here it is in a nutshell:

              1) use SysAuth: http://www.scribblin.gs/software/sysauth.html
              2) implement your own subclass of UsernamePasswordLoginModule calling SysAuth's isAllowed method

              This assumes you want to use PAM and JBoss's built-in security. I will try and put together some more detailed instructions, because I know that none exist.

              RMC
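The two steps in the post above, sketched as an added example that is not part of the original post or of mrchucho's HOWTO. `OsAuthenticator` is a hypothetical stand-in for the SysAuth call (its real package and signature are not shown in this thread), and the `pamService` and `role` module options are assumed names; the JBoss classes are the standard `org.jboss.security` ones.

```java
import java.security.acl.Group;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

// Hypothetical adapter around the JNI/PAM library (e.g. SysAuth's isAllowed).
interface OsAuthenticator {
    boolean isAllowed(String pamService, String user, String password) throws Exception;
}

public class PamLoginModule extends UsernamePasswordLoginModule {
    // Assumption: set once at deployment time to the real adapter.
    static volatile OsAuthenticator authenticator;
    private String pamService = "java_auth"; // file name under /etc/pam.d
    private String role = "user";            // assumed role granted on success

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map sharedState, Map options) {
        super.initialize(subject, handler, sharedState, options);
        // Assumed module options; defaults above apply when they are absent.
        if (options.get("pamService") != null) pamService = (String) options.get("pamService");
        if (options.get("role") != null) role = (String) options.get("role");
    }

    // No stored password or hash is ever read; PAM performs the comparison.
    @Override
    protected String getUsersPassword() { return ""; }

    @Override
    protected boolean validatePassword(String inputPassword, String expectedPassword) {
        String user = getUsername();
        // Reject missing credentials before they reach the native layer.
        if (authenticator == null || user == null) return false;
        if (inputPassword == null || inputPassword.length() == 0) return false;
        try {
            return authenticator.isAllowed(pamService, user, inputPassword);
        } catch (Exception e) {
            return false; // fail closed on any PAM/JNI error; never log the password
        }
    }

    @Override
    protected Group[] getRoleSets() {
        Group roles = new SimpleGroup("Roles"); // group name JBoss reads roles from
        roles.addMember(new SimplePrincipal(role));
        return new Group[] { roles };
    }
}
```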

              • 4. Re: authenticate against underlying Linux OS
                janoss

                mrchucho,
                I'd appreciate any write up that you come up with. I can guarantee you several others will be interested in the same solution.

                I will start reading up on SysAuth.

                • 5. Re: authenticate against underlying Linux OS
                  mrchucho

                  Sorry it took so long, but I've posted the initial draft of my JBoss Linux Authentication HOWTO.

                  I'm going to try putting together some of the links I used to figure all this out and maybe organize things better, but in the meantime check it out and let me know if it works/makes sense/helps!

                  http://www.mrchucho.net/index.php?p=36

                  RMC

                  • 6. Re: authenticate against underlying Linux OS
                    janoss

                    Excellent. Thanks for writing this up. I will go over it today. I was writing my own JNI C program to use PAM to get to the NIS passwd file, in place of downloading Sysauth. If I can't get mine to work, I may punt and get the Sysauth library.

                    You should post this on java.sun.com forums as well when finished.

                    Thanks again.

                    • 7. Re: authenticate against underlying Linux OS
                      mrchucho

                       

                      "janoss" wrote:
                      I was writing my own JNI C program to use PAM to get to the NIS passwd file.

                      SysAuth uses JNI to access PAM. The authentication is then handled like any other PAM module (e.g. ssh, ftp, login, etc.). You might want to save yourself the duplicated effort.

                      • 8. Re: authenticate against underlying Linux OS
                        janoss

                        Followup on your write up. I am using

                        auth required pam_unix.so

                        in the /etc/pam.d java_auth file.

                        I decided to use Sysauth but am receiving a PAM library load error in the /var/log/messages file:

                        unable to opendl (/var/lib/security/pam_unix.so)

                        Not sure what I missed. Once I get this resolved I should be up and running.

                        • 9. Re: authenticate against underlying Linux OS
                          mrchucho

                          It may depend on your distribution... I would check other files in /etc/pam.d (i.e. grep pam_unix.so *) and see how they do it. You may need to prepend some path info. Also, see my note about stacking:

                          auth required pam_stack.so service=system-auth

                          This format may be required in some cases. If you get it working, let me know and I will update my HOWTO.

                          • 10. Re: authenticate against underlying Linux OS
                            janoss

                            Got it, my bad. I was using my old JNI-PAM implementation which did not dynamically load the /usr/lib/lib_pam.so library via the dlopen() call. This is needed since PAM does not load the needed shared objects. Once I corrected my links and used the Sysauth stuff, all worked as advertised.

                            Thanks. Keep your writeup as is. This site should have Duke dollars or Jboss dollars. I owe you.

                            Jim

                            Is there any way to get the Jboss security POC to add your writeup to the JBoss/JAAS security FAQs?