Apache pwauth

From openSUSE

Reasons to be using pwauth

You should consider using pwauth if you want to authenticate and authorize access to your web pages against the Unix password (shadow) files. There are security considerations which you should investigate (elsewhere). In my case, the web page is only locally accessible and not in a high-security environment, so it was enough for me.

Getting the pieces

On top of a working apache2 environment, you will need the following packages from the openSUSE-11.0-Apache-Modules repository:

  • apache2-mod_authnz_external - Apache External Authentication Modules
  • pwauth - A Unix Web Authenticator

Installation

In YaST:

  • Install both packages.

Post Installation

Make sure pwauth is setuid root:

chmod 4755 /usr/bin/pwauth

Make sure your version of pwauth works (pwauth reads the username and the password from standard input, one per line):

sudo -u wwwrun pwauth ; echo $?
<username>
<password>

If your output looks like this:

server:~ # sudo -u wwwrun pwauth ; echo $?
50
server:~ #

Then you have a broken version of pwauth: download the sources, edit the file config.h and change line 241 from

#define SERVER_UIDS 72		/* user "nobody" */

to

#define SERVER_UIDS 30		/* user "wwwrun" */

Run make, copy pwauth to /usr/bin/ and run the test above again...
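The post-installation checks above can be scripted. The following is an added check script, not taken from the openSUSE wiki page or from the pwauth project: it verifies that the binary is setuid root, that the SERVER_UIDS value in config.h matches the uid of the web server user (a mismatch is what produces the exit status 50 shown above), and it runs the manual username/password test as wwwrun without leaving the password in the shell history. The paths, the user name wwwrun and the status 50 come from the page; the function names and the usage convention are assumptions of this script.

```shell
#!/bin/sh
# Added post-installation check for pwauth on openSUSE (not part of the wiki
# page or of the pwauth sources). Assumes GNU stat/awk and sudo, as on openSUSE.

PWAUTH=${PWAUTH:-/usr/bin/pwauth}   # binary path from the page
WEBUSER=${WEBUSER:-wwwrun}          # Apache user on openSUSE, per the page

# is_setuid FILE: 0 if FILE exists and carries the set-user-ID bit (chmod 4755).
is_setuid() {
    [ -u "$1" ]
}

# owner_uid FILE: print the numeric uid owning FILE (GNU stat, ls -ln fallback).
owner_uid() {
    stat -c '%u' "$1" 2>/dev/null || ls -ln "$1" | awk '{ print $3 }'
}

# check_binary FILE: 0 when FILE is setuid AND owned by root. A setuid bit on a
# binary owned by anyone else does not give pwauth the root it needs to read
# /etc/shadow, so both halves are checked.
check_binary() {
    f=$1
    if ! is_setuid "$f"; then
        echo "$f: set-user-ID bit missing (page says: chmod 4755 $f)" >&2
        return 1
    fi
    if [ "$(owner_uid "$f")" != 0 ]; then
        echo "$f: not owned by root, the setuid bit is useless" >&2
        return 1
    fi
    return 0
}

# server_uids_from_config CONFIG_H: print the value of the SERVER_UIDS define,
# e.g. 30 for the page's corrected line '#define SERVER_UIDS 30 /* user "wwwrun" */'.
server_uids_from_config() {
    awk '$1 == "#define" && $2 == "SERVER_UIDS" { print $3; exit }' "$1"
}

# check_server_uid CONFIG_H USER: 0 when the compiled-in SERVER_UIDS equals
# USER's uid. This is the mismatch behind the exit status 50 on the page.
check_server_uid() {
    want=$(server_uids_from_config "$1")
    have=$(id -u "$2" 2>/dev/null) || { echo "no such user: $2" >&2; return 1; }
    [ "$want" = "$have" ] && return 0
    echo "SERVER_UIDS is $want but $2 has uid $have; fix config.h and rebuild" >&2
    return 1
}

# explain_status CODE: print what a pwauth exit status means for this setup.
explain_status() {
    case "$1" in
        0)  echo "ok: credentials accepted" ;;
        50) echo "refused: calling uid is not in SERVER_UIDS (rebuild with the web server uid)" ;;
        *)  echo "failed with status $1 (see the pwauth README for the code table)" ;;
    esac
}

# probe LOGIN: the page's manual test, run as the web server user. The password
# is read with echo off and passed on stdin, so it never appears on a command
# line or in the shell history.
probe() {
    printf 'password for %s: ' "$1"
    stty -echo 2>/dev/null; read -r pw; stty echo 2>/dev/null; echo
    printf '%s\n%s\n' "$1" "$pw" | sudo -u "$WEBUSER" "$PWAUTH"
    rc=$?
    unset pw
    explain_status "$rc"
    return "$rc"
}

# Usage: sh pwauth-check.sh <path/to/config.h> <login>
# (defines functions only when run without arguments, so it can be sourced)
if [ $# -eq 2 ]; then
    check_binary "$PWAUTH" && check_server_uid "$1" "$WEBUSER" && probe "$2"
fi
```

Only the file-permission and config.h parsing parts run offline; the probe needs the real pwauth binary and sudo access to wwwrun.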

Configuration

/etc/apache/default-server.conf

At the bottom add:

AddExternalAuth pwauth /usr/bin/pwauth
SetExternalAuthMethod pwauth pipe
AddExternalGroup unixgroup /usr/bin/unixgroup
SetExternalGroupMethod unixgroup environment

In the section <Directory "/srv/www/htdocs"> set

AllowOverride All

Of course this is overkill; it should only be the values you actually need! RTFM, this is only a quick start...

Load the new modules

With Yast2->System->/etc/sysconfig Editor, search for APACHE_MODULES.

Replace all auth_xxx modules with the following list:

auth_sys_group authnz_external auth_basic authz_host

Alternatively, try this (I had the error "couldn't check access. No groups file", and auth_sys_group is not installed with the above modules):

authz_user authnz_external auth_basic authz_host

The .htaccess file

In order to protect a directory you need to place a .htaccess file in it. The file should look as follows:

AuthType Basic
AuthName mailarchive
AuthBasicProvider external
AuthExternal pwauth
GroupExternal unixgroup
Require valid-user
Require group mailarchive

This does the following:

  1. The standard username / password prompt pops up.
  2. The password is for the resource mailarchive (as defined in AuthName).
  3. The username / password is authenticated against the Unix username/password database.
  4. The user is authorized by membership of the group mailarchive (as defined in Require group mailarchive).

So what does all this mean? Well...

Any linux user who is added to the group "mailarchive" can access this directory!
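To confirm that a .htaccess really enforces "only members of the group get in", the following added review helper (not from the openSUSE wiki page or from mod_authnz_external) pulls the Require lines out of a .htaccess, lists who each "Require group" admits according to a group file, and warns when a bare "Require valid-user" sits next to the group line. On Apache 2.4 several Require lines outside a container are evaluated as alternatives (an implicit RequireAny), so that pairing admits every authenticated user rather than only the group; the helper flags it so the policy can be checked against the intent stated above. The function names and the sample files are assumptions of this script.

```shell
#!/bin/sh
# Added .htaccess review helper (not part of the wiki page or of
# mod_authnz_external). POSIX sh plus awk; the group file defaults to /etc/group.

# require_groups HTACCESS: print the group names from "Require group ..." lines.
require_groups() {
    awk 'tolower($1) == "require" && tolower($2) == "group" {
             for (i = 3; i <= NF; i++) print $i }' "$1"
}

# has_valid_user HTACCESS: 0 if a "Require valid-user" line is present.
has_valid_user() {
    awk 'tolower($1) == "require" && tolower($2) == "valid-user" { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# group_members GROUPFILE NAME: print the users listed in NAME's entry, one per
# line. Users whose primary group is NAME are not listed in the member field of
# /etc/group, so they do not show up here even though they belong to the group.
group_members() {
    awk -F: -v g="$2" '$1 == g {
             n = split($4, m, ",")
             for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# lint_htaccess HTACCESS [GROUPFILE]: report the effective policy; return 1
# when something would widen access beyond the named groups.
lint_htaccess() {
    ht=$1; gf=${2:-/etc/group}; rc=0
    gs=$(require_groups "$ht")
    if [ -z "$gs" ]; then
        echo "no Require group line: nothing restricts access to a group" >&2
        return 1
    fi
    for g in $gs; do
        if grep -q "^$g:" "$gf"; then
            echo "group $g admits: $(group_members "$gf" "$g" | tr '\n' ' ')"
        else
            echo "group $g does not exist in $gf" >&2
            rc=1
        fi
    done
    if has_valid_user "$ht"; then
        echo "Require valid-user also present: on Apache 2.4 this admits every authenticated user" >&2
        rc=1
    fi
    return $rc
}

# Usage: sh htaccess-lint.sh /srv/www/htdocs/.htaccess [/etc/group]
if [ $# -ge 1 ]; then
    lint_htaccess "$@"
fi
```

Run it against the .htaccess shown above and it reports the members of mailarchive that the group file knows about, and exits non-zero because of the extra Require valid-user line; with only the Require group line left it exits zero.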


Passed QA check: Fsundermeyer 14:00, 15 June 2009 (UTC)