Replacement for php5-auth-pam to authenticate website login against local users












2















I am working on a login for a PHP-based website where users should be successfully logged in if they enter a valid username and password for a local account on the system. Looking around, it seems like the traditional way of doing this was by using the PHP PAM module.



Unfortunately, it looks like this module is now deprecated and I am no longer able to install it with apt-get install php5-pam-auth in Ubuntu Server 14.04. I was able to forcefully install it with pecl install pam, but even then it still doesn't work because using it requires a call-time pass by reference like this:



if ( pam_auth( $uname, $pswd, &$error ) ) {
echo "You are authenticated!"
}


...which results in PHP complaining that call-time pass by reference is also deprecated:



[Fri Jul 24 01:25:35.788680 2015] [:error] [pid 25328] [client xx.xxx.xx.xx:1179] PHP Fatal error:  Call-time pass-by-reference has been removed in /var/www/academies/phptest/login.php on line 7, referer: http://<domain>:81/phptest/


Is there an updated or alternative way to do this? I did find this answer to a similar question but I couldn't get the C code to compile; it gave me the following error:



pam.c: In function ‘authenticate’:
pam.c:63:9: error: expected declaration or statement at end of input
return ( retval == PAM_SUCCESS ? 0:1 );
^


According to phpinfo(), I am running PHP version 5.5.9-1ubuntu4.11.










share|improve this question





























    2















    I am working on a login for a PHP-based website where users should be successfully logged in if they enter a valid username and password for a local account on the system. Looking around, it seems like the traditional way of doing this was by using the PHP PAM module.



    Unfortunately, it looks like this module is now deprecated and I am no longer able to install it with apt-get install php5-pam-auth in Ubuntu Server 14.04. I was able to forcefully install it with pecl install pam, but even then it still doesn't work because using it requires a call-time pass by reference like this:



    if ( pam_auth( $uname, $pswd, &$error ) ) {
    echo "You are authenticated!"
    }


    ...which results in PHP complaining that call-time pass by reference is also deprecated:



    [Fri Jul 24 01:25:35.788680 2015] [:error] [pid 25328] [client xx.xxx.xx.xx:1179] PHP Fatal error:  Call-time pass-by-reference has been removed in /var/www/academies/phptest/login.php on line 7, referer: http://<domain>:81/phptest/


    Is there an updated or alternative way to do this? I did find this answer to a similar question but I couldn't get the C code to compile; it gave me the following error:



    pam.c: In function ‘authenticate’:
    pam.c:63:9: error: expected declaration or statement at end of input
    return ( retval == PAM_SUCCESS ? 0:1 );
    ^


    According to phpinfo(), I am running PHP version 5.5.9-1ubuntu4.11.










    share|improve this question



























      2












      2








      2








      I am working on a login for a PHP-based website where users should be successfully logged in if they enter a valid username and password for a local account on the system. Looking around, it seems like the traditional way of doing this was by using the PHP PAM module.



      Unfortunately, it looks like this module is now deprecated and I am no longer able to install it with apt-get install php5-pam-auth in Ubuntu Server 14.04. I was able to forcefully install it with pecl install pam, but even then it still doesn't work because using it requires a call-time pass by reference like this:



      if ( pam_auth( $uname, $pswd, &$error ) ) {
      echo "You are authenticated!"
      }


      ...which results in PHP complaining that call-time pass by reference is also deprecated:



      [Fri Jul 24 01:25:35.788680 2015] [:error] [pid 25328] [client xx.xxx.xx.xx:1179] PHP Fatal error:  Call-time pass-by-reference has been removed in /var/www/academies/phptest/login.php on line 7, referer: http://<domain>:81/phptest/


      Is there an updated or alternative way to do this? I did find this answer to a similar question but I couldn't get the C code to compile; it gave me the following error:



      pam.c: In function ‘authenticate’:
      pam.c:63:9: error: expected declaration or statement at end of input
      return ( retval == PAM_SUCCESS ? 0:1 );
      ^


      According to phpinfo(), I am running PHP version 5.5.9-1ubuntu4.11.










      share|improve this question
















      I am working on a login for a PHP-based website where users should be successfully logged in if they enter a valid username and password for a local account on the system. Looking around, it seems like the traditional way of doing this was by using the PHP PAM module.



      Unfortunately, it looks like this module is now deprecated and I am no longer able to install it with apt-get install php5-pam-auth in Ubuntu Server 14.04. I was able to forcefully install it with pecl install pam, but even then it still doesn't work because using it requires a call-time pass by reference like this:



      if ( pam_auth( $uname, $pswd, &$error ) ) {
      echo "You are authenticated!"
      }


      ...which results in PHP complaining that call-time pass by reference is also deprecated:



      [Fri Jul 24 01:25:35.788680 2015] [:error] [pid 25328] [client xx.xxx.xx.xx:1179] PHP Fatal error:  Call-time pass-by-reference has been removed in /var/www/academies/phptest/login.php on line 7, referer: http://<domain>:81/phptest/


      Is there an updated or alternative way to do this? I did find this answer to a similar question but I couldn't get the C code to compile; it gave me the following error:



      pam.c: In function ‘authenticate’:
      pam.c:63:9: error: expected declaration or statement at end of input
      return ( retval == PAM_SUCCESS ? 0:1 );
      ^


      According to phpinfo(), I am running PHP version 5.5.9-1ubuntu4.11.







      ubuntu pam php5






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Apr 13 '17 at 12:36









      Community

      1




      1










      asked Jul 24 '15 at 1:31









      tlng05tlng05

      1214




      1214






















          1 Answer
          1






          active

          oldest

          votes


















          0














          I disagree with the decision to depreciate php-auth-pam although I can understand why they did. There a number of challenges to integrating php and pam, including that php is often linked to your webserver which may or may not be multithreaded (and handling multiple threads with pam may be problematic), php tends to have a very high hit rate (where pam assumes a low hit rate) and php pam solutions do not scale well (although they may be useful in some applications.



          With this change there are basically three classes of solutions to your difficulty. From least recommended they are:




          1. write your own.

          2. use a helper process.

          3. bypass pam.


          Writing your own has all the challenges I already mentioned, without the experience gained so far. The helper process separates pam and php into separate processes which reduces many of the challenges to manageable levels, but adds IPC. The most common solution is to have both php and the operating system authenticate against the same database such as ldap or a sql database like mysql or postgres. Modules are readily available to do this.



          The only other solution is to not authenticate in php but in the server (pam auth modules are available for apache) or another method (cgi, and mod_perl can both do pam authentication but passing the session back and forth is interesting to say the least.)



          In your case I would recommend a helper process. (apache has an easy way to do this without getting php involved.)






          share|improve this answer























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "106"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f218042%2freplacement-for-php5-auth-pam-to-authenticate-website-login-against-local-users%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            I disagree with the decision to depreciate php-auth-pam although I can understand why they did. There a number of challenges to integrating php and pam, including that php is often linked to your webserver which may or may not be multithreaded (and handling multiple threads with pam may be problematic), php tends to have a very high hit rate (where pam assumes a low hit rate) and php pam solutions do not scale well (although they may be useful in some applications.



            With this change there are basically three classes of solutions to your difficulty. From least recommended they are:




            1. write your own.

            2. use a helper process.

            3. bypass pam.


            Writing your own has all the challenges I already mentioned, without the experience gained so far. The helper process separates pam and php into separate processes which reduces many of the challenges to manageable levels, but adds IPC. The most common solution is to have both php and the operating system authenticate against the same database such as ldap or a sql database like mysql or postgres. Modules are readily available to do this.



            The only other solution is to not authenticate in php but in the server (pam auth modules are available for apache) or another method (cgi, and mod_perl can both do pam authentication but passing the session back and forth is interesting to say the least.)



            In your case I would recommend a helper process. (apache has an easy way to do this without getting php involved.)






            share|improve this answer




























              0














              I disagree with the decision to depreciate php-auth-pam although I can understand why they did. There a number of challenges to integrating php and pam, including that php is often linked to your webserver which may or may not be multithreaded (and handling multiple threads with pam may be problematic), php tends to have a very high hit rate (where pam assumes a low hit rate) and php pam solutions do not scale well (although they may be useful in some applications.



              With this change there are basically three classes of solutions to your difficulty. From least recommended they are:




              1. write your own.

              2. use a helper process.

              3. bypass pam.


              Writing your own has all the challenges I already mentioned, without the experience gained so far. The helper process separates pam and php into separate processes which reduces many of the challenges to manageable levels, but adds IPC. The most common solution is to have both php and the operating system authenticate against the same database such as ldap or a sql database like mysql or postgres. Modules are readily available to do this.



              The only other solution is to not authenticate in php but in the server (pam auth modules are available for apache) or another method (cgi, and mod_perl can both do pam authentication but passing the session back and forth is interesting to say the least.)



              In your case I would recommend a helper process. (apache has an easy way to do this without getting php involved.)






              share|improve this answer


























                0












                0








                0







                I disagree with the decision to depreciate php-auth-pam although I can understand why they did. There a number of challenges to integrating php and pam, including that php is often linked to your webserver which may or may not be multithreaded (and handling multiple threads with pam may be problematic), php tends to have a very high hit rate (where pam assumes a low hit rate) and php pam solutions do not scale well (although they may be useful in some applications.



                With this change there are basically three classes of solutions to your difficulty. From least recommended they are:




                1. write your own.

                2. use a helper process.

                3. bypass pam.


                Writing your own has all the challenges I already mentioned, without the experience gained so far. The helper process separates pam and php into separate processes which reduces many of the challenges to manageable levels, but adds IPC. The most common solution is to have both php and the operating system authenticate against the same database such as ldap or a sql database like mysql or postgres. Modules are readily available to do this.



                The only other solution is to not authenticate in php but in the server (pam auth modules are available for apache) or another method (cgi, and mod_perl can both do pam authentication but passing the session back and forth is interesting to say the least.)



                In your case I would recommend a helper process. (apache has an easy way to do this without getting php involved.)






                share|improve this answer













                I disagree with the decision to depreciate php-auth-pam although I can understand why they did. There a number of challenges to integrating php and pam, including that php is often linked to your webserver which may or may not be multithreaded (and handling multiple threads with pam may be problematic), php tends to have a very high hit rate (where pam assumes a low hit rate) and php pam solutions do not scale well (although they may be useful in some applications.



                With this change there are basically three classes of solutions to your difficulty. From least recommended they are:




                1. write your own.

                2. use a helper process.

                3. bypass pam.


                Writing your own has all the challenges I already mentioned, without the experience gained so far. The helper process separates pam and php into separate processes which reduces many of the challenges to manageable levels, but adds IPC. The most common solution is to have both php and the operating system authenticate against the same database such as ldap or a sql database like mysql or postgres. Modules are readily available to do this.



                The only other solution is to not authenticate in php but in the server (pam auth modules are available for apache) or another method (cgi, and mod_perl can both do pam authentication but passing the session back and forth is interesting to say the least.)



                In your case I would recommend a helper process. (apache has an easy way to do this without getting php involved.)







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Jul 24 '15 at 3:12









                hildredhildred

                4,73622137




                4,73622137






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Unix & Linux Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f218042%2freplacement-for-php5-auth-pam-to-authenticate-website-login-against-local-users%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    How to make a Squid Proxy server?

                    Is this a new Fibonacci Identity?

                    19世紀