As of December 23rd, 2004, RCI and Eden have changed the way users
authenticate (that is, log in) on web-based services. (Logging in
through SSH, SFTP, or e-mail clients other than webmail has not been
affected.) This page is for the more advanced users who may have
created .htaccess files on their accounts to control access to certain
web pages.
In brief, for those who care, we moved from using the mod_auth_radius
module with our Apache web servers to using mod_auth_pam instead.
In order to provide continued service, we made changes in any users'
.htaccess files that used Radius. If you maintain another copy of
your .htaccess file elsewhere (for example, on a desktop computer), you
should make these changes yourself to that copy.
Changes Made
- Removing mod_auth_radius directives:
  Remove or comment out lines that start with "AuthRadius", such as
    AuthRadiusAuthoritative
- Adding mod_auth_pam directives:
  Insert the following lines to enable mod_auth_pam:
    AuthPAM_Enabled on
    AuthPAM_FallThrough off
With just these two lines, it defaults to allowing only the users that
exist on the local system (for example, eden [the New
Brunswick/Piscataway student system], but not clam or pegasus
[the Camden and Newark student systems, respectively] nor the various
faculty/staff systems). To allow all faculty/staff, all students,
or everyone (all faculty/staff and students) to authenticate, add the
following line:
    AuthPam_Service REALM
where REALM is either
- facstaff
- student
or
- combined
On RCI, all .htaccess files we changed
had AuthPam_Service facstaff added to them, as we could not
tell if the account holder wanted all faculty/staff, or just those who
actually had RCI accounts, to have access to the pages. Those who
wish only RCI account holders to have access should remove this line
from their RCI .htaccess files. (On Eden, we left the AuthPam_Service
line off, so that only Eden account holders will have access to the
pages using these directives, since we could not imagine a situation
where someone currently intended all Rutgers students on all campuses,
and only those students, to have access.)
Problems That May Exist
There are a few changes to the syntax and behavior with this change.
- NetIDs in the form
    netid@rci
    netid@rci-secure
    netid@eden
  will not work anymore. Users can only enter
    netid
  If a user has an account on both RCI and Eden, and the service uses the
  combined realm (for example, most University-wide services, such as
  class rosters or transcripts), the RCI password must be used.
- If a user has an Enigma or Safeword one-time-password card for
  the system, the password generated by that card will be used.
  Remember to use "save" and a space before the password, when using
  one-time passwords, to avoid having to type in a new password for
  each new page. Since the RCI password takes precedence (as said in
  the item above), someone who needs a one-time password for RCI but
  not for Eden must still use the one-time password for any service
  using the combined realms.
- Use in a .htaccess file of AuthRadiusAuthoritative and a list of
  users specified in
    AuthUserFile filename
  will no longer work. The account holder needs to put the list of
  authorized users in the .htaccess file itself by replacing
    require valid-user
  with
    require user netid
  This line can be repeated as many times as needed, one line per NetID
  that should have access. Or you can use multiple NetIDs on one line,
  in the form
    require user netid1 netid2 netid3 netid4 ...
  with spaces only between the NetIDs.
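The edits described above can be applied to another copy of a .htaccess file with a short script. This is an added example, not the tool RCI or Eden used; the function name migrate_htaccess, the NetID character set, and the sample file are assumptions made for illustration.

```python
import re

REALMS = {"facstaff", "student", "combined"}  # realm names listed on this page

def migrate_htaccess(text, realm=None, netids=None):
    """Rewrite a Radius-era .htaccess for mod_auth_pam (hypothetical helper).

    realm:  None limits access to accounts on the local system;
            otherwise one of REALMS, which widens who may authenticate.
    netids: optional list that replaces 'require valid-user'.
    """
    if realm is not None and realm not in REALMS:
        raise ValueError(f"unknown realm: {realm!r}")
    for netid in netids or []:
        # netid@rci style names no longer work; only bare NetIDs do.
        # The allowed character set here is an assumption.
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", netid):
            raise ValueError(f"bare NetID expected, got {netid!r}")
    pam = ["AuthPAM_Enabled on", "AuthPAM_FallThrough off"]
    if realm:
        pam.append(f"AuthPam_Service {realm}")
    out, placed = [], False
    for line in text.splitlines():
        key = line.strip().lower()
        if key.startswith(("authradius", "authpam")):
            if key.startswith("authradius"):
                out.append("# " + line)   # comment out the old directive
            if not placed:                # PAM block goes in once, in its place
                out.extend(pam)
                placed = True
            continue                      # stale AuthPAM lines are regenerated
        if netids and key.split() == ["require", "valid-user"]:
            line = "require user " + " ".join(netids)
        out.append(line)
    if not placed:
        out.extend(pam)
    return "\n".join(out) + "\n"

# Constructed sample file, not taken from any real account.
SAMPLE = """AuthType Basic
AuthName "Course pages"
AuthRadiusAuthoritative on
require valid-user
"""

if __name__ == "__main__":
    print(migrate_htaccess(SAMPLE, netids=["netid1", "netid2"]), end="")
```

Leaving realm unset keeps access limited to account holders on the local system, which is the narrower of the choices this page describes.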
Please direct all questions to help@rci
or help@eden.