在使用mod_python运行的脚本中使用pam_python
[英]Using pam_python in a script running with mod_python
问题描述
I would like to develop a web interface to allow users of a Linux system to do certain tasks related to their account. 
我想开发一个Web界面,以允许Linux系统的用户执行与其帐户相关的某些任务。 I decided to write the backend of the site using Python and mod_python on Apache. 我决定在Apache上使用Python和mod_python编写网站的后端。 To authenticate the users, I thought I could use python_pam to query the PAM service. 为了验证用户身份,我认为我可以使用python_pam查询PAM服务。 I adapted the example bundled with the module and got this: 我修改了与模块捆绑在一起的示例 ,并得到以下信息:
# out is the output stream used to print debug
def auth(username, password, out):
def pam_conv(aut, query_list, user_data):
out.write("Query list: " + str(query_list) + "\n")
# List to store the responses to the different queries
resp = []
for item in query_list:
query, qtype = item
# If PAM asks for an input, give the password
if qtype == PAM.PAM_PROMPT_ECHO_ON or qtype == PAM.PAM_PROMPT_ECHO_OFF:
resp.append((str(password), 0))
elif qtype == PAM.PAM_PROMPT_ERROR_MSG or qtype == PAM.PAM_PROMPT_TEXT_INFO:
resp.append(('', 0))
out.write("Our response: " + str(resp) + "\n")
return resp
# If username of password is undefined, fail
if username is None or password is None:
return False
service = 'login'
pam_ = PAM.pam()
pam_.start(service)
# Set the username
pam_.set_item(PAM.PAM_USER, str(username))
# Set the conversation callback
pam_.set_item(PAM.PAM_CONV, pam_conv)
try:
pam_.authenticate()
pam_.acct_mgmt()
except PAM.error, resp:
out.write("Error: " + str(resp) + "\n")
return False
except:
return False
# If we get here, the authentication worked
return True
My problem is that this function does not behave the same whether I use it in a simple script or through mod_python. 我的问题是,无论我在简单脚本中还是通过mod_python使用此函数,其功能都不同。 To illustrate this, I wrote these simple cases: 为了说明这一点,我写了这些简单的案例:
my_username = "markys"
my_good_password = "lalala"
my_bad_password = "lololo"
def handler(req):
req.content_type = "text/plain"
req.write("1- " + str(auth(my_username,my_good_password,req) + "\n"))
req.write("2- " + str(auth(my_username,my_bad_password,req) + "\n"))
return apache.OK
if __name__ == "__main__":
print "1- " + str(auth(my_username,my_good_password,sys.__stdout__))
print "2- " + str(auth(my_username,my_bad_password,sys.__stdout__))
The result from the script is : 该脚本的结果是:
Query list: [('Password: ', 1)]
Our response: [('lalala', 0)]
1- True
Query list: [('Password: ', 1)]
Our response: [('lololo', 0)]
Error: ('Authentication failure', 7)
2- False
but the result from mod_python is : 但是mod_python的结果是:
Query list: [('Password: ', 1)]
Our response: [('lalala', 0)]
Error: ('Authentication failure', 7)
1- False
Query list: [('Password: ', 1)]
Our response: [('lololo', 0)]
Error: ('Authentication failure', 7)
2- False
I don't understand why the auth function does not return the same value given the same inputs. 我不明白为什么在给定相同输入的情况下auth函数不返回相同值。 Any idea where I got this wrong ? 知道我错了吗? Here is the original script, if that could help you. 如果可以的话, 这是原始脚本。
Thanks a lot ! 非常感谢 !
EDIT: All right I found the error. 编辑:好的,我发现了错误。 I was running the script as root. 我以root身份运行脚本。 mod_python was running the script as the webserver's user. mod_python以Web服务器的用户身份运行脚本。 Only root has the right to read shadow. 只有root有权读取阴影。 I am not sure how I will circumvent this, but at least now I know what is the problem ! 我不确定如何避免这种情况,但至少现在我知道出了什么问题!
1 个解决方案
解决方案1
0 2010-04-02 21:46:34
It seems like you have to enable Apache to use PAM authentication. 似乎您必须启用Apache才能使用PAM身份验证。 Take a look at this site: http://www.debianhelp.co.uk/apachepam.htm 看看这个网站: http : //www.debianhelp.co.uk/apachepam.htm
You might want to take a look at this site too : http://inming.net/?p=86 您可能也想看看这个站点: http : //inming.net/?p=86
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.