[Libwebsockets] PAM authentication for http sessions

Andy Green andy at warmcat.com
Tue Sep 4 07:41:31 CEST 2018



On 09/04/2018 01:25 PM, Necktwi Ozfguah wrote:
>> On 04-Sep-2018, at 9:19 AM, Necktwi Ozfguah <necktwi at ferryfair.com 

>>     AFAIK I don't have any use for PAM + lws.
>>
>>     What would you actually use it for?

> I am running a hobby web server. I want my web users to use the linux 
> login credentials. Of course lws and PAM are independent. Thank you.

It's probably not a good idea to do that... unless perhaps they're 
logging into a server that is running on the same box, like cups does it.

If you're running TLS / SSL, then Basic Auth is pretty easy to use.

You maintain a text file in a dir that isn't served anywhere over http. 
It contains credentials one per line in the format

name:password

Then you just point .basic_auth_login_file on the mount you want to 
be protected to the filepath on the server with the credentials.

See the related minimal example

https://libwebsockets.org/git/libwebsockets/tree/minimal-examples/http-server/minimal-http-server-basicauth

However you really shouldn't put the PAM credentials in the basic auth 
file... it's too easy for some user who gets their browser to remember 
their login for your site to leak a perfectly usable PAM login then...

-Andy
