Using PAM (Pluggable Authentication Modules) for Browser Authentication

Login using Web Browsers

For CLI and GUI commands, the user is already authenticated by the operating system login, and VOV programs are run as the logged-in user.

The vovserver program natively supports HTTP for VOV's browser-based user interface. When a browser connects to the vovserver, the user may wish to authenticate as one other than the user running the browser program on the remote host. Also, remote users can have complete administrative control of the host where the browser runs, and be spoofing another user's login name. Hence, VOV asks for a username and password, and uses these to authenticate the user on the host where the vovserver runs.

Once a user has authenticated with a given login name, their VOV privilege level with respect to VOV operations is determined by the security.tcl configuration file for that vovserver. Please refer to VOV Security.

Authentication Mechanisms

The vovserver is a PAM-aware application: its authentication may be changed without recompiling the program. On Linux and MacOS-X, the vovserver uses vovpamauth which in turn uses PAM to authenticate users.

On other platforms, vovserver uses the regular crypt() method to accept the provided password.

Authentication Control

# force PAM to be used when available
set config(enablePam) 1

% vovproject enable some-ft-project
% vovsh -x 'puts [vtk_server_config enablepam 1]'

# Example of a vovauth file.  Only the auth part is required.
auth       sufficient     pam_rootok.so 
auth       required       pam_opendirectory.so