Replacement for php5-auth-pam to authenticate website login against local users

Question

I am working on a login for a PHP-based website where users should be successfully logged in if they enter a valid username and password for a local account on the system. Looking around, it seems like the traditional way of doing this was by using the PHP PAM module.

Unfortunately, it looks like this module is now deprecated and I am no longer able to install it with apt-get install php5-pam-auth in Ubuntu Server 14.04. I was able to forcefully install it with pecl install pam, but even then it still doesn't work because using it requires a call-time pass by reference like this:

if ( pam_auth( $uname, $pswd, &$error ) ) {
    echo "You are authenticated!"
}

...which results in PHP complaining that call-time pass by reference is also deprecated:

[Fri Jul 24 01:25:35.788680 2015] [:error] [pid 25328] [client xx.xxx.xx.xx:1179] PHP Fatal error:  Call-time pass-by-reference has been removed in /var/www/academies/phptest/login.php on line 7, referer: http://<domain>:81/phptest/

Is there an updated or alternative way to do this? I did find this answer to a similar question but I couldn't get the C code to compile; it gave me the following error:

pam.c: In function ‘authenticate’:
pam.c:63:9: error: expected declaration or statement at end of input
         return ( retval == PAM_SUCCESS ? 0:1 );
         ^

According to phpinfo(), I am running PHP version 5.5.9-1ubuntu4.11.

Answer 1

I disagree with the decision to depreciate php-auth-pam although I can understand why they did. There a number of challenges to integrating php and pam, including that php is often linked to your webserver which may or may not be multithreaded (and handling multiple threads with pam may be problematic), php tends to have a very high hit rate (where pam assumes a low hit rate) and php pam solutions do not scale well (although they may be useful in some applications.

With this change there are basically three classes of solutions to your difficulty. From least recommended they are:

1. write your own.
2. use a helper process.
3. bypass pam.

Writing your own has all the challenges I already mentioned, without the experience gained so far. The helper process separates pam and php into separate processes which reduces many of the challenges to manageable levels, but adds IPC. The most common solution is to have both php and the operating system authenticate against the same database such as ldap or a sql database like mysql or postgres. Modules are readily available to do this.

The only other solution is to not authenticate in php but in the server (pam auth modules are available for apache) or another method (cgi, and mod_perl can both do pam authentication but passing the session back and forth is interesting to say the least.)

In your case I would recommend a helper process. (apache has an easy way to do this without getting php involved.)