Replacement for php5-auth-pam to authenticate website login against local users
I am working on a login for a PHP-based website where users should be successfully logged in if they enter a valid username and password for a local account on the system. Looking around, it seems like the traditional way of doing this was by using the PHP PAM module.
Unfortunately, it looks like this module is now deprecated and I am no longer able to install it with apt-get install php5-pam-auth in Ubuntu Server 14.04. I was able to forcefully install it with pecl install pam, but even then it still doesn't work because using it requires a call-time pass by reference like this:
    // &$error is the call-time pass-by-reference that triggers the fatal error below
    if ( pam_auth( $uname, $pswd, &$error ) ) {
        echo "You are authenticated!";
    }
...which results in PHP complaining that call-time pass by reference is also deprecated:
[Fri Jul 24 01:25:35.788680 2015] [:error] [pid 25328] [client xx.xxx.xx.xx:1179] PHP Fatal error: Call-time pass-by-reference has been removed in /var/www/academies/phptest/login.php on line 7, referer: http://<domain>:81/phptest/
Is there an updated or alternative way to do this? I did find this answer to a similar question but I couldn't get the C code to compile; it gave me the following error:
pam.c: In function ‘authenticate’:
pam.c:63:9: error: expected declaration or statement at end of input
return ( retval == PAM_SUCCESS ? 0:1 );
^
According to phpinfo(), I am running PHP version 5.5.9-1ubuntu4.11.
ubuntu pam php5
edited Apr 13 '17 at 12:36 by Community♦
asked Jul 24 '15 at 1:31 by tlng05
1 Answer
I disagree with the decision to deprecate php-auth-pam, although I can understand why they did. There are a number of challenges to integrating php and pam, including that php is often linked to your webserver, which may or may not be multithreaded (and handling multiple threads with pam may be problematic), php tends to have a very high hit rate (where pam assumes a low hit rate), and php pam solutions do not scale well (although they may be useful in some applications).
With this change there are basically three classes of solutions to your difficulty. From least recommended they are:
- write your own.
- use a helper process.
- bypass pam.
Writing your own has all the challenges I already mentioned, without the experience gained so far. The helper process separates pam and php into separate processes which reduces many of the challenges to manageable levels, but adds IPC. The most common solution is to have both php and the operating system authenticate against the same database such as ldap or a sql database like mysql or postgres. Modules are readily available to do this.
The only other solution is to not authenticate in php but in the server (pam auth modules are available for apache) or another method (cgi and mod_perl can both do pam authentication, but passing the session back and forth is interesting, to say the least).
In your case I would recommend a helper process. (Apache has an easy way to do this without getting php involved.)
answered Jul 24 '15 at 3:12 by hildred
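The helper-process approach recommended in the answer, as an added example (not code from the answer or from any project): PHP passes the credentials to a separate PAM-aware program over stdin and trusts only its exit status, so PAM never runs inside the web server process. It assumes the pwauth helper is installed at /usr/sbin/pwauth and reads the login and password from stdin, one per line, exiting 0 when they are valid; the function name authenticate_local_user is hypothetical.

```php
<?php
// Added example. Assumption: pwauth lives at this path and follows its
// protocol of "login\npassword\n" on stdin, exit status 0 = valid.
const PAM_HELPER = '/usr/sbin/pwauth';

function authenticate_local_user($username, $password)
{
    // Fail closed on anything that is not a plausible local account name
    // or that could break the line-based protocol.
    if (!is_string($username)
        || !preg_match('/\A[a-z_][a-z0-9_.-]{0,31}\z/i', $username)) {
        return false;
    }
    if (!is_string($password) || $password === ''
        || strpbrk($password, "\r\n\0") !== false) {
        return false;
    }

    $pipes = array();
    $spec = array(
        0 => array('pipe', 'r'),               // helper's stdin: credentials
        1 => array('file', '/dev/null', 'w'),  // discard helper output
        2 => array('file', '/dev/null', 'w'),
    );

    // The command line is a constant. User input is never placed in argv,
    // where other local users could read it from the process list.
    $proc = proc_open(PAM_HELPER, $spec, $pipes);
    if (!is_resource($proc)) {
        return false;
    }

    fwrite($pipes[0], $username . "\n" . $password . "\n");
    fclose($pipes[0]);

    // Only exit status 0 means the helper accepted the credentials;
    // every other status, including a failed spawn, is a rejection.
    return proc_close($proc) === 0;
}

// Drop-in for the pam_auth() call in the question (PHP 5.5 compatible).
$uname = isset($_POST['username']) ? $_POST['username'] : '';
$pswd  = isset($_POST['password']) ? $_POST['password'] : '';
if (authenticate_local_user($uname, $pswd)) {
    echo "You are authenticated!";
}
```

Each call spawns a process, which ties back to the hit-rate concern in the answer: call it only on the login request and keep the authenticated state in the PHP session, with rate limiting in front of the login form.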