Mod_authnz_external and pam authentication

Hi,

We’re trying to use radius/pam for our authentication to Open OnDemand.

Both mod_authnz_external and mod_authnz_pam modules are loaded.

The pwauth command with the pam module works to authenticate users correctly.

What exactly should the authnz_external.conf and authnz_pam.conf look like?
What exactly should the auth: config in ood-portal.yml look like?

It seems like it might work for the first location, but then it appears to re-ask for the credentials for every page element without passing the credentials on.

Does Open OnDemand even support this type of authentication?

thanks,
-k

For more info: we’re running Rocky 8 and OOD 3.1.

thanks!

Additional info:

Following Randall White’s example in 3.1 we’re seeing that ood will start nginx processes as the user:
fernsler 3597 0.0 0.0 366808 13228 ? Ssl 11:41 0:00 Passenger watchdog
fernsler 3600 0.0 0.0 1418368 15196 ? Sl 11:41 0:00 Passenger core
root 3616 0.0 0.0 91792 2564 ? Ss 11:41 0:00 nginx: master process (fernsler) -c /var/lib/ondemand-nginx/config/puns/fernsler.conf
fernsler 3620 0.0 0.0 105928 7332 ? S 11:41 0:00 nginx: worker process
fernsler 4121 2.6 0.2 361992 91560 ? Sl 11:49 0:01 Passenger RubyApp: /var/www/ood/apps/sys/dashboard (production)
root 4209 0.0 0.0 221948 1208 pts/0 S+ 11:50 0:00 grep --color=auto fernsler

But seems to want to re-authenticate on every subsequent page element:

relevant log excerpt:
[Mon May 06 11:49:29.311342 2024] [lua:info] [pid 3835:tid 140102021490432] [client 131.243.153.150:51411] log_time="2024-05-06T18:49:29.311265.0Z" res_content_encoding="" req_accept_language="en-us,en;q=0.5" req_user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0" req_status="304" req_origin="" local_user="fernsler" req_server_name="hpcs-oodev8.lbl.gov" req_cache_control="" req_port="443" res_content_location="" res_content_type="" res_location="" req_handler="proxy-server" req_accept_charset="" log_hook="ood" req_is_https="true" req_user_ip="131.243.153.150" remote_user="fernsler" allowed_hosts="10.0.2.4,128.3.7.247,hpcs-oodev8.lbl.gov" req_content_type="" req_uri="/pun/sys/dashboard/assets/pinned_apps-95c603b0cc05dad1a3e420b7ced9d8e2a926cd68ea8c86eb31bbb3d1b685ada1.js" req_referer="https://hpcs-oodev8.lbl.gov/pun/sys/dashboard" req_accept_encoding="gzip, deflate, br" req_method="GET" res_content_disp="" req_filename="proxy:http://localhost/pun/sys/dashboard/assets/pinned_apps-95c603b0cc05dad1a3e420b7ced9d8e2a926cd68ea8c86eb31bbb3d1b685ada1.js" req_is_websocket="false" res_content_language="" time_proxy="0.599" time_user_map="0.002" req_hostname="hpcs-oodev8.lbl.gov" res_content_length="" req_protocol="HTTP/1.1" req_accept="/", referer: https://hpcs-oodev8.lbl.gov/pun/sys/dashboard
[Mon May 06 11:49:29.979320 2024] [authnz_pam:warn] [pid 3836:tid 140101749298944] [client 131.243.153.150:51409] PAM authentication failed for user fernsler: Authentication failure, referer: https://hpcs-oodev8.lbl.gov/pun/sys/dashboard
[Mon May 06 11:49:29.979847 2024] [auth_basic:error] [pid 3836:tid 140101749298944] [client 131.243.153.150:51409] AH01617: user fernsler: authentication failure for "/pun/sys/dashboard/assets/dashboard-42b56f7f42474effe1e8f2d4fa0300bf463bed5d4eec7db1c70badde9070c077.js": Password Mismatch, referer: https://hpcs-oodev8.lbl.gov/pun/sys/dashboard
[Mon May 06 11:49:30.631362 2024] [authnz_pam:warn] [pid 3835:tid 140102013097728] [client 131.243.153.150:51410] PAM authentication failed for user fernsler: Authentication failure, referer: https://hpcs-oodev8.lbl.gov/pun/sys/dashboard
[Mon May 06 11:49:30.632094 2024] [auth_basic:error] [pid 3835:tid 140102013097728] [client 131.243.153.150:51410] AH01617: user fernsler: authentication failure for "/pun/sys/dashboard/assets/OpenOnDemand_powered_by_RGB-cb3aad5ff5350c7994f250fb334ddcc72e343233ce99eb71fda93beddd76a847.svg": Password Mismatch, referer: https://hpcs-oodev8.lbl.gov/pun/sys/dashboard

Are we just missing an apache directive here or something else?

thanks for any insights,
-k
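The log excerpt above has a recognisable shape: for every asset request the browser re-sends the Basic credentials, mod_authnz_pam rejects them (authnz_pam:warn), and auth_basic then logs AH01617 "Password Mismatch" for the same client and user within a second of the previous one. Whether that burst comes from a misconfigured auth chain, as in this thread, or from someone guessing a password, it is the same signal an operator would want pulled out of the Apache error_log. The parser below is an added example written for this thread, not code from the thread or from the Open OnDemand project. It parses the two line formats shown above (with curly quotes from a copy-paste normalised to straight ones), keys auth_basic failures by client address and user, and reports any pair with three or more failures inside a ten-second window. The sample lines it ships with are constructed for the example, using documentation IP ranges and invented user names and paths.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common prefix of an Apache error_log line:
#   [timestamp] [module:level] [pid N:tid M] [client ADDR:PORT] message
# The lazy ADDR match also copes with IPv6 client addresses, which contain colons.
LINE_RE = re.compile(
    r'^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d+ \d{4})\] '
    r'\[(?P<module>[a-z_]+):(?P<level>[a-z]+)\] '
    r'\[pid \d+:tid \d+\] '
    r'\[client (?P<ip>.+?):\d+\] '
    r'(?P<msg>.*)$'
)
# auth_basic failure (AH01617) and mod_authnz_pam failure messages.
BASIC_FAIL_RE = re.compile(
    r'^AH01617: user (?P<user>\S+): authentication failure for "(?P<uri>[^"]*)": (?P<reason>[^,]+)'
)
PAM_FAIL_RE = re.compile(r'^PAM authentication failed for user (?P<user>\S+): (?P<reason>[^,]+)')
TS_FMT = "%a %b %d %H:%M:%S.%f %Y"


def parse_auth_failure(line):
    """Return a dict describing an authentication failure, or None for any other line."""
    line = line.replace("\u201c", '"').replace("\u201d", '"')  # curly quotes from copy-paste
    m = LINE_RE.match(line)
    if not m:
        return None
    module, msg = m.group("module"), m.group("msg")
    if module == "auth_basic":
        f = BASIC_FAIL_RE.match(msg)
        if not f:
            return None
        user, uri, reason = f.group("user"), f.group("uri"), f.group("reason")
    elif module == "authnz_pam":
        f = PAM_FAIL_RE.match(msg)
        if not f:
            return None
        user, uri, reason = f.group("user"), None, f.group("reason")
    else:
        return None
    return {"ts": datetime.strptime(m.group("ts"), TS_FMT), "ip": m.group("ip"),
            "module": module, "user": user, "uri": uri, "reason": reason}


def find_failure_bursts(lines, threshold=3, window=timedelta(seconds=10)):
    """Group auth_basic failures by (client ip, user) and return those groups that have
    at least `threshold` failures inside any `window`-long span. Only the auth_basic
    line is counted, so the paired authnz_pam warning for the same request is not
    counted twice."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_auth_failure(line)
        if ev and ev["module"] == "auth_basic":
            events[(ev["ip"], ev["user"])].append(ev)
    bursts = {}
    for key, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding window over the sorted timestamps
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[key] = {"count": len(evs),
                               "uris": sorted({e["uri"] for e in evs}),
                               "first": evs[0]["ts"], "last": evs[-1]["ts"]}
                break
    return bursts


# Constructed sample log lines (documentation IPs, invented users and asset paths).
SAMPLE_LINES = [
    '[Mon May 06 11:49:29.311342 2024] [lua:info] [pid 3835:tid 140102021490432] [client 203.0.113.10:51411] log_time="2024-05-06T18:49:29.311265.0Z" req_status="304" remote_user="alice"',
    '[Mon May 06 11:49:29.979320 2024] [authnz_pam:warn] [pid 3836:tid 140101749298944] [client 203.0.113.10:51409] PAM authentication failed for user alice: Authentication failure, referer: https://ood.example.org/pun/sys/dashboard',
    '[Mon May 06 11:49:29.979847 2024] [auth_basic:error] [pid 3836:tid 140101749298944] [client 203.0.113.10:51409] AH01617: user alice: authentication failure for \u201c/pun/sys/dashboard/assets/dashboard.js\u201d: Password Mismatch, referer: https://ood.example.org/pun/sys/dashboard',
    '[Mon May 06 11:49:30.631362 2024] [authnz_pam:warn] [pid 3835:tid 140102013097728] [client 203.0.113.10:51410] PAM authentication failed for user alice: Authentication failure, referer: https://ood.example.org/pun/sys/dashboard',
    '[Mon May 06 11:49:30.632094 2024] [auth_basic:error] [pid 3835:tid 140102013097728] [client 203.0.113.10:51410] AH01617: user alice: authentication failure for "/pun/sys/dashboard/assets/logo.svg": Password Mismatch, referer: https://ood.example.org/pun/sys/dashboard',
    '[Mon May 06 11:49:31.100000 2024] [auth_basic:error] [pid 3835:tid 140102013097728] [client 203.0.113.10:51412] AH01617: user alice: authentication failure for "/pun/sys/dashboard/assets/app.css": Password Mismatch, referer: https://ood.example.org/pun/sys/dashboard',
    '[Mon May 06 11:52:00.000001 2024] [auth_basic:error] [pid 3835:tid 140102013097728] [client 198.51.100.7:40001] AH01617: user bob: authentication failure for "/pun/sys/dashboard": Password Mismatch',
]

if __name__ == "__main__":
    for (ip, user), info in find_failure_bursts(SAMPLE_LINES).items():
        print(f"{ip} user={user}: {info['count']} Basic-auth failures "
              f"between {info['first'].time()} and {info['last'].time()} on {info['uris']}")
```

Run it against a real error_log by replacing `SAMPLE_LINES` with the file's lines; a burst that lists many different asset URIs from one client, as in the thread, points at the auth chain rejecting credentials the browser is replaying on every request, whereas a burst of repeated failures on one URI with varying users is the pattern to treat as a guessing attempt.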

Hello! I apologize for the delayed reply to this question, I’ve been doing some reading to try to catch up with where you’re at. We generally don’t do support for authentication solutions outside of what we show in the Docs, and we’ve officially decided to not include PAM in our documentation: rm docs on PAM and leave it to the reader by johrstrom · Pull Request #691 · OSC/ood-documentation · GitHub

However, we do have an ongoing conversation about setting up PAM (and why we do not recommend it) with OnDemand here: Can OOD auth be handled by PAM?.

Yea the question is really more Does apache support this authentication method. It’s likely that it does as you mention the mods.

That we don't support it is a strong phrase here - we discourage its use. It’s really quite insecure.

That said - if you can share the auth section of your ood_portal.yml we can take a look in replicating to see what your issue may be.

Googling httpd mod_authnz_external Password Mismatch does return some results - so that may be helpful to you as well.

Hrandquist and Jeff,

Thanks for your responses. I agree after messing around with this for a while the question is really more about apache. If mod_authnz is completely off the table, please allow me to explain what we need and see if there is a way to accomplish it.

We need to do radius authentication. I have started looking at the LDAP and ondemand dex support for authentication with Open OnDemand, but is there a way to do that with radius/OTP?

thanks,
-k

This is the first time I’ve ever heard of Radius, so you may find more by googling more than I did -

But I’ve found that there is a mod_auth_radius for apache, but apparently it’s not distributed to your OS (or any for that matter). So you likely need to build the .so binaries from the source, then you can enable/configure it just like any other apache module.

I found these oracle docs for the same:

I found that this may be the source code - other links I’ve found, like the one in the Oracle docs, I’m hesitant to click because I don’t know where/what they are. I assume it’s the source code, but it does not seem to be maintained. Last commits were 3 years ago and it seems to have been active 9 years ago.

Ok, thanks! I’ll give that a try.

-k