auth_pam_set_pam_env
The `auth_pam_set_pam_env` directive controls whether NGINX exports the HOST and REQUEST variables to the PAM environment while a user is being authenticated.
Description
The auth_pam_set_pam_env directive belongs to NGINX's PAM authentication module (auth_pam) and decides whether information about the request is handed to the PAM stack when a user is authenticated. Set to 'on', the module places two variables in the PAM environment before it calls PAM: HOST, the host the request was addressed to, and REQUEST, the request line (method, target and protocol version). PAM modules can then consult them; the typical consumer is pam_exec.so running a script that allows or denies the login depending on which host and path are being requested.
The parameter is a boolean flag, 'on' or 'off'. The default is 'off', so unless the directive is set the PAM environment receives neither variable. Turning it on means that data taken straight from the client request, the request line in particular, flows into every module of the PAM service. That widens the attack surface: a pam_exec.so script that evaluates REQUEST, or splices it unquoted into a command, instead of treating it as untrusted data becomes injectable by anyone who can send a request. The directive may appear in the http, server, location and limit_except contexts, so it can be enabled only for the locations whose PAM service actually needs the variables.
Config Example
location /pam_exec_protected {
    auth_pam "Exec Zone";                # realm shown in the client's credentials prompt
    auth_pam_service_name "nginx_exec";  # PAM service file: /etc/pam.d/nginx_exec
    auth_pam_set_pam_env on;             # export HOST and REQUEST to the PAM environment
}
The PAM stack runs inside the NGINX worker process, which normally runs as an unprivileged user, so every module in the nginx_exec service, and any script pam_exec.so launches, must work without root privileges; pam_unix.so, for example, needs to read /etc/shadow and fails unless the worker user is allowed to.
Make sure the exported variables, and anything a PAM module derives from them, do not leak request details into logs or other places where they are not wanted, and that any script consuming them treats the values as untrusted input.
If the PAM service does not use HOST or REQUEST, leave the directive at its default 'off': setting the two variables costs little, but there is no reason to hand request data to modules that do not need it.
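A worked example of the pam_exec.so consumer described above, added here for this page and not part of ngx_http_auth_pam_module or its documentation. It assumes HOST carries the request's Host header and REQUEST the raw request line, and it invents the service file /etc/pam.d/nginx_exec, the script path /usr/local/sbin/nginx-request-check, the password file /etc/nginx/pam_users and the user and host names. The script allows read-only requests under /pam_exec_protected for any authenticated user, requires a listed admin for the admin sub-path and for methods other than GET/HEAD, rejects a Host it does not expect, and fails closed on a malformed or unnormalised request line, because nginx routes on the normalised URI while REQUEST is the raw one.

```shell
#!/bin/sh
# Added example for this page; not part of ngx_http_auth_pam_module.
# pam_exec.so helper that gates access on the HOST and REQUEST values nginx
# exports when auth_pam_set_pam_env is on. Hypothetical PAM service file
# /etc/pam.d/nginx_exec for the location above (all paths are assumptions):
#
#   auth    required  pam_pwdfile.so pwdfile=/etc/nginx/pam_users
#   auth    required  pam_exec.so quiet /usr/local/sbin/nginx-request-check
#   account required  pam_permit.so
#
# pam_exec.so runs the script with the PAM environment (HOST, REQUEST) plus
# PAM_USER, PAM_TYPE and friends; a non-zero exit denies authentication.

# Users allowed to reach the admin area or use non-read-only methods (assumed).
ADMIN_USERS="alice carol"

# Only this virtual host is expected to use the nginx_exec service (assumed).
ALLOWED_HOST="intranet.example.com"

# check_request USER HOST REQUEST  -> exit status 0 (allow) or 1 (deny)
check_request() {
    user=$1
    host=$2
    request=$3

    # Fail closed on anything odd: empty or non-printable request line, and
    # user names outside a conservative charset (keeps the list match below safe).
    case $request in
        '' | *[![:print:]]*) return 1 ;;
    esac
    case $user in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
    esac

    # Split "METHOD TARGET HTTP/x.y" into exactly three fields. REQUEST is
    # attacker-controlled, so it is only ever used as data, never eval'd.
    method=${request%% *}
    rest=${request#* }
    [ "$rest" != "$request" ] || return 1
    target=${rest%% *}
    proto=${rest#* }
    [ "$proto" != "$rest" ] || return 1
    case $proto in
        HTTP/[0-9].[0-9]) ;;
        *) return 1 ;;
    esac

    # nginx matches locations on the normalised URI, but REQUEST is the raw
    # request line. Refuse paths that could normalise to something else
    # (percent-encoding, empty or dot segments) rather than prefix-match them.
    path=${target%%\?*}          # drop the query string
    case $path in
        /*) ;;
        *) return 1 ;;
    esac
    case $path in
        *%* | *//*) return 1 ;;
    esac
    case "$path/" in
        */../* | */./*) return 1 ;;
    esac

    [ "$host" = "$ALLOWED_HOST" ] || return 1

    # The admin area and every method other than GET/HEAD require an admin.
    needs_admin=0
    case $path in
        /pam_exec_protected/admin | /pam_exec_protected/admin/*) needs_admin=1 ;;
    esac
    case $method in
        GET | HEAD) ;;
        *) needs_admin=1 ;;
    esac
    if [ "$needs_admin" -eq 1 ]; then
        case " $ADMIN_USERS " in
            *" $user "*) ;;
            *) return 1 ;;
        esac
    fi
    return 0
}

# pam_exec.so sets PAM_TYPE; when it is present, decide and exit with the verdict.
# With auth_pam_set_pam_env off, HOST and REQUEST are empty and access is denied.
if [ -n "${PAM_TYPE:-}" ]; then
    [ "$PAM_TYPE" = "auth" ] || exit 0
    check_request "${PAM_USER:-}" "${HOST:-}" "${REQUEST:-}"
    exit $?
fi
```

Install the script root-owned and executable, and remember that, because the module authenticates in-process, it runs as the nginx worker user with only the environment pam_exec.so constructs. Any password check in the stack must likewise be one the worker can perform unprivileged.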