Running is therapy

a blog about running, cats, Linux and programming.

Cacti/Ubuntu/PAM

Published by Nathan Powell on June 14, 2007 07:51 am under sysadmin

**EDIT, don’t use this :) I am pretty sure it’s not working properly, see previous edit, I am running out of time today to fix it. If I don’t get it right soon, I am going to take this down till I do get it working right**
**EDIT: I am not convinced the auth takes place before the rewrite to SSL, I am looking at that now**

So…you want to use PAM to do authentication for Cacti over SSL? Sweet, here is how. (These directions are for Ubuntu, but could probably be extrapolated to other distros).

First, install mod_ssl (this is something separate that I am not going over here; it’s pretty straightforward).

Now, install mod_auth_pam:

  apt-get install libapache2-mod-auth-pam

And add the Apache user to the shadow group (the -a flag appends the group instead of replacing the user's existing supplementary groups):

  usermod -a -G shadow www-data

At this point, www-data can read /etc/shadow through its shadow group membership, so it can talk to PAM for authentication.

Now we need to force SSL so that our communication with the server is encrypted:

  vi /etc/apache2/sites-available/default

Add this to the file (in the <VirtualHost *:80> section):

    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^\/cacti\/.*
    RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R=301]

Now, reload Apache:

  /etc/init.d/apache2 reload

There, now visit http://yoursite.com/cacti. It should reroute you to https, and the login page of Cacti. Log in, and go to settings (in the lower left-hand corner). Then click the ‘authentication’ tab. The first config param should be a checkbox with ‘Use Cacti’s Builtin Authentication’ checked. Uncheck that. Now, anyone can get into your Cacti install! Wooo! Actually, let’s fix that.

Open the Apache conf file for Cacti:

  vi /etc/apache2/conf.d/cacti.conf

And add these lines (after the Alias directive):

<Location />
    AuthType Basic
    AuthName "Cacti"
    Require valid-user
</Location>

Reload Apache, and go back to the URL. It should prompt you for your username/password (this will be your system username/password).

That is all.

(Note: WordPress keeps doing weird things and inserting a space after the < symbol in the Location and VirtualHost tags. If you see that space, take it out.)
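One way to check the concern raised in the EDIT notes, as an added example that is not part of the original post: request each path over plain HTTP without following redirects, and see whether the answer is a redirect to https or a Basic auth challenge. The regex is the RewriteCond pattern from the post; the function names, the probe paths and the default host `localhost` are assumptions made for this example.

```python
import http.client
import re

# RewriteCond pattern copied from the post; the auth block is <Location />.
REWRITE_COND = re.compile(r"^\/cacti\/.*")
PROBE_PATHS = ["/cacti", "/cacti/", "/cacti/index.php", "/"]  # constructed samples


def covered_by_rewrite(path):
    """True if the post's RewriteCond would match this request URI."""
    return bool(REWRITE_COND.search(path))


def classify(status, headers):
    """Classify one response to a request made over plain HTTP (port 80)."""
    h = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308):
        if h.get("location", "").lower().startswith("https://"):
            return "redirect-to-https"    # nothing was asked for in cleartext
        return "redirect-stays-http"      # still unencrypted after this hop
    if status == 401 and h.get("www-authenticate", "").lower().startswith("basic"):
        return "basic-auth-over-http"     # a browser would send the password in clear
    return "not-redirected"


def probe(host, paths=PROBE_PATHS, port=80, timeout=5):
    """Request each path over HTTP, without following redirects."""
    results = {}
    for path in paths:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            results[path] = classify(resp.status, dict(resp.getheaders()))
        finally:
            conn.close()
    return results


def exposed(results):
    """Paths where system credentials would be requested unencrypted."""
    return sorted(p for p, r in results.items() if r == "basic-auth-over-http")


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed target
    for path, verdict in probe(host).items():
        print(f"{verdict:22} rewrite-match={covered_by_rewrite(path)!s:5} {path}")
```

Run it against your own server after each config change; any path reported as `basic-auth-over-http` is one where the system password would be typed into a prompt served without SSL.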
