PAM authentication for PHPBB2

Overview

This package adds support for PAM authentication to PHPBB.

Adding support for PAM has been split into 2 stages:
  1. A generic authentication layer has been separated out. This allows adding authentication modules other than PAM. A default module providing the current authentication scheme has been added (authentication using MD5-hashed passwords stored in the database).
  2. An authentication module for PAM has been added.

PAM authentication works in the following way:

Patches are for phpBB version 2.0.18 (clean installation).
They might not work with earlier versions or when other modifications are applied.

Installation

Download the modification tarball and unpack it.
  1. Go to the pam_auth_helper/ directory.
  2. Run "make".
  3. Log in as root (type "su").
  4. Run "make install".
  5. If you use PAM modules which require root privileges (for example shadow password authentication), you must make the helper application SUID root. This is a security risk. If you want to do it anyway, run "make suid".
  6. Exit the root console ("exit").
  7. Go to the phpBB main directory.
  8. Apply the first patch (it adds authentication layer support), using the command:
    patch -p1 <phpBB2-authentication-modules-separation.diff
  9. Then apply the patch which adds the PAM authentication module (and sets it as the default authentication module):
    patch -p1 <phpBB2-authentication-module-pam.diff
  10. If you use the Polish language, apply the patch for Polish messages:
    patch -p1 <phpBB2-polish-language-authentication-strings.diff
    Otherwise, you must modify phpBB2/language/lang_YOUR_LANGUAGE/lang_main.php yourself. See the patch for the Polish language for the strings which must be translated, and phpBB2/language/lang_english/lang_main.php for the meaning of the strings (they are at the bottom). English strings are already added, so you don't need to do anything if your forum uses English.
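
A permission check for the installed helper after step 5, as an added example that is not part of this package. The helper's path is passed as an argument because its install location is not stated here, and has_mode and audit_helper are names chosen for this example.

```shell
#!/bin/sh
# Added example: audit the permissions of the installed PAM helper binary.
# Assumption: the caller supplies the path; this page does not say where
# "make install" places the helper.

# has_mode FILE MODE: succeeds if FILE has every permission bit in MODE set.
has_mode() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# audit_helper FILE: prints findings.
# Returns 0 if nothing was found, 1 on findings, 2 if FILE is missing.
audit_helper() {
    helper=$1
    findings=0
    if [ ! -f "$helper" ]; then
        echo "missing: $helper is not a regular file"
        return 2
    fi
    if has_mode "$helper" 4000; then
        echo "info: $helper is setuid (the state \"make suid\" produces)"
        # A setuid helper that "others" may execute can be started
        # by every local account, not only by the web server.
        if has_mode "$helper" 0001; then
            echo "finding: setuid helper is executable by every local account"
            findings=1
        fi
    fi
    # Anyone able to rewrite the file controls what runs under its privileges.
    if has_mode "$helper" 0020 || has_mode "$helper" 0002; then
        echo "finding: $helper is writable by group or others"
        findings=1
    fi
    return "$findings"
}

# Run the audit when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_helper "$1"
fi
```

If the check reports a world-executable setuid helper, a common mitigation is to assign the file to the group the web server runs as and set mode 4750, so that only the web server can start it.
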
IMPORTANT: When PAM authentication is used, the autologin feature should be
disabled. Otherwise users with disabled accounts can still use the forums
through their session cookie. Autologin can be disabled in the forum settings.

By default, PAM authentication uses the "login" service. To change it,
edit the includes/authentication_pam_helper.php file and change the
$pam_service variable.

NOTE 1: If you want to switch back to standard authentication (using
the database), uncomment the line:
$used_authentication_module = $standard_db_auth_module;
and comment out the line:
$used_authentication_module = $pam_helper_auth_module;

NOTE 2: Remember that after you switch to the PAM module, your administrator
account must have the same name as the user name used in PAM in order to log in.
In case of trouble, switch back to standard authentication, add an administrator
account with the proper name, and re-enable PAM authentication.

Creating other authentication modules

Authentication modules other than PAM can be created. A module must support
a quite simple interface. See the code for details. Note the switches which
disable some functionality that does not make sense with some kinds of
authentication.

NOTE: The password-setting functionality has not been tested with anything
other than the standard database authentication module.

PAM authentication is done using a helper application which is a simple
modification of a Squid authentication helper application. It should be
straightforward to modify other Squid helpers to get other kinds of
authentication (for example NTLM).

Disclaimer

This code has not been security audited. Use at your own risk.

Author

Krzysztof Lichota <krzysiek-phpbb@lichota.net>