Using PAM (Pluggable Authentication Modules) for Browser Authentication
Login using Web Browsers
For CLI and GUI commands, the user is already authenticated by the operating system login, and VOV programs are run as the logged-in user.
The vovserver program natively supports HTTP for VOV's browser-based user interface. When a browser connects to the vovserver, the user may wish to authenticate as a user other than the one running the browser program on the remote host. Also, a remote user can have complete administrative control of the host where the browser runs and could be spoofing another user's login name. Hence, VOV asks for a username and password, and uses these to authenticate the user on the host where the vovserver runs.
Once a user has authenticated with a given login name, their VOV privilege level with respect to VOV operations is determined by the security.tcl configuration file for that vovserver. Please refer to VOV Security.
Authentication Mechanisms
The vovserver is a PAM-aware application: its authentication may be changed without recompiling the program. On Linux and MacOS-X, the vovserver uses vovpamauth, which in turn uses PAM to authenticate users. On other platforms, vovserver uses the regular crypt() method to accept the provided password.
Authentication Control
# force PAM to be used when available
set config(enablePam) 1

% vovproject enable some-ft-project
% vovsh -x 'puts [vtk_server_config enablepam 1]'

# Example of a vovauth file. Only the auth part is required.
auth sufficient pam_rootok.so
auth required pam_opendirectory.so
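
The following is an added example, not part of the VOV documentation or the product's code. It parses the vovauth file shown above and evaluates its auth stack under PAM's required, requisite, sufficient and optional keywords, with module outcomes supplied as constructed inputs rather than real PAM calls. It assumes only those simple keywords are used; bracketed controls and include lines are rejected.

```python
# Added example: evaluate the auth stack of a PAM service file offline.
# Module outcomes are passed in by the caller; no real PAM call is made.

# The vovauth example from this page, embedded as sample input.
VOVAUTH = """\
# Example of a vovauth file. Only the auth part is required.
auth sufficient pam_rootok.so
auth required pam_opendirectory.so
"""

# Modules that succeed without checking a password. pam_rootok succeeds
# whenever the calling process runs with UID 0; pam_permit always succeeds.
NO_CREDENTIAL = {"pam_rootok.so", "pam_permit.so"}

def parse_stack(text, group="auth"):
    """Return [(control, module), ...] for one management group, in order."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0].lstrip("-") == group:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, results):
    """Apply the simple control keywords; results maps module -> True/False.
    Modules missing from results are treated as failing."""
    failed = succeeded = False
    for control, module in stack:
        ok = results.get(module, False)
        if control == "requisite" and not ok:
            return False                  # fail immediately
        if control == "sufficient":
            if ok and not failed:
                return True               # later modules are never consulted
        elif control in ("required", "requisite", "optional"):
            succeeded = succeeded or ok
            failed = failed or (control == "required" and not ok)
        else:                             # [..] syntax, include, substack
            raise ValueError(f"unsupported control: {control}")
    return succeeded and not failed

def password_free_paths(stack):
    """Modules whose success alone authenticates without any password check."""
    return [m for _, m in stack
            if m in NO_CREDENTIAL and evaluate(stack, {m: True})]

if __name__ == "__main__":
    stack = parse_stack(VOVAUTH)
    print(stack)
    print(password_free_paths(stack))
```

For the example stack this reports pam_rootok.so: when the process that invokes PAM runs with UID 0, the sufficient line ends the stack and pam_opendirectory.so is never consulted, so that line deserves review before deployment.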