Using PAM (Pluggable Authentication Modules) for Browser Authentication

Login using Web Browsers

For CLI and GUI commands, the user is already authenticated by the operating system login, and VOV programs are run as the logged-in user.

The vovserver program natively supports HTTP for VOV's browser-based user interface. When a browser connects to the vovserver, the user may wish to authenticate as a user other than the one running the browser on the remote host. Also, remote users can have complete administrative control of the host where the browser runs, and could be spoofing another user's login name. Hence, VOV asks for a username and password, and uses them to authenticate the user on the host where the vovserver runs.

Once a user has authenticated with a given login name, their VOV privilege level with respect to VOV operations is determined by the security.tcl configuration file for that vovserver. Please refer to VOV Security.

Authentication Mechanisms

The vovserver is a PAM-aware application: its authentication method may be changed without recompiling the program. On Linux and MacOS-X, the vovserver uses vovpamauth, which in turn uses PAM to authenticate users.

On other platforms, vovserver uses the regular crypt() method to check the provided password.

Authentication Control

To enable or disable PAM, set the variable config(enablePam) in the policy.tcl file.

# force PAM to be used when available
set config(enablePam) 1

Alternatively, you can control the use of PAM with vovsh and vtk_server_config. You must first select which vovserver to act on with the vovproject enable command.

% vovproject enable some-ft-project
% vovsh -x 'puts [vtk_server_config enablepam 1]'
Note: When PAM is enabled, the vovpamauth program scans the directory /etc/pam.d at startup, searching in order for files named 'vovauth', 'ftauth', 'system-auth', and 'su'. The first one found determines the PAM service name used by vovpamauth.

# Example of a vovauth file.  Only the auth part is required.
auth       sufficient 
auth       required
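Because the first matching file in that search order silently decides which PAM stack governs browser logins, an administrator may want to confirm the choice before enabling PAM. The following shell functions are an added example, not part of the VOV documentation or product: they reproduce the documented search order over a directory (defaulting to /etc/pam.d) and print the auth lines of the file that would be selected; the demonstration runs on a constructed temporary directory with sample module names, so it does not touch the real /etc/pam.d.

```shell
#!/bin/sh
# Added example (not VOV's own code): resolve which PAM service file
# vovpamauth would pick, following the documented order
# vovauth, ftauth, system-auth, su, and show that file's auth stack.

# Print the name of the first candidate file found in the given directory.
# Usage: vov_pam_service_name [pam_dir]   (pam_dir defaults to /etc/pam.d)
vov_pam_service_name() {
    dir="${1:-/etc/pam.d}"
    for name in vovauth ftauth system-auth su; do
        if [ -f "$dir/$name" ]; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1   # none of the candidate service files exist
}

# Print the 'auth' lines of the service file that will govern browser logins,
# so the administrator can confirm the intended stack is the one in effect.
# Usage: vov_pam_auth_stack [pam_dir]
vov_pam_auth_stack() {
    dir="${1:-/etc/pam.d}"
    name=$(vov_pam_service_name "$dir") || {
        echo "no vovauth/ftauth/system-auth/su found in $dir" >&2
        return 1
    }
    echo "# vovpamauth service: $name ($dir/$name)"
    # only the auth type matters here; account/password/session are not required
    grep -E '^[[:space:]]*auth[[:space:]]' "$dir/$name"
}

# Demonstration on a constructed directory; module names are sample values.
demo_dir=$(mktemp -d)
printf 'auth  required    pam_unix.so\n' > "$demo_dir/su"
printf 'auth  sufficient  pam_unix.so\nauth  required    pam_deny.so\n' > "$demo_dir/ftauth"
vov_pam_auth_stack "$demo_dir"    # selects ftauth, because no vovauth exists
rm -r "$demo_dir"
```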