There are 2 ways (at least that I know of) to get Apache 2 to use PAM for HTTP auth:
- The old mod_auth_pam, which I believe is not developed anymore and also poses some security risks
- The newer mod_authnz_external and pwauth
This little write-up shows how to get Apache and PAM going on Ubuntu using mod_authnz_external.
To get started, let’s install some packages:
sudo apt-get install libapache2-mod-authnz-external pwauth
sudo apt-get install libapache2-mod-authz-unixgroup
sudo a2enmod authnz_external authz_unixgroup
Edit the config file of the Virtual Host where you’d like to get PAM-based HTTP authentication going, so that it contains the following clause:
<IfModule mod_authnz_external.c>
AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe
</IfModule>
And the final bit of configuration goes into your Directory definition inside the vhost block:
<Directory /var/www/yourlocation>
AuthType Basic
AuthName "Restricted Area"
AuthBasicProvider external
AuthExternal pwauth
Require user john
# some other configuration statements
</Directory>
This will allow user john to access the resource.
Now, if you also want PAM authentication by the user’s group, you’ll need to take a few extra steps. The missing piece of the puzzle here is the ‘unixgroup’ script, and for some reason it is not in Ubuntu’s pwauth package, where it ought to be. You will need to grab it from here, copy it over to /usr/sbin/unixgroup and make it executable. Here is a quick snippet to do that:
wget "http://pwauth.googlecode.com/files/pwauth-2.3.9.tar.gz"
tar xzvf ./pwauth-2.3.9.tar.gz
sudo cp pwauth-2.3.9/unixgroup /usr/sbin/
sudo chmod a+x /usr/sbin/unixgroup
Once that’s done, you’ll need to add a few more lines to your Virtual Host config, so it will look something like this:
<IfModule mod_authnz_external.c>
AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe
AddExternalGroup unixgroup /usr/sbin/unixgroup
SetExternalGroupMethod unixgroup environment
</IfModule>
<Directory /var/www/yourlocation>
AuthType Basic
AuthName "Restricted Area"
AuthBasicProvider external
AuthExternal pwauth
GroupExternal unixgroup
Require user john
# some other configuration statements
</Directory>
Hopefully this is helpful to someone besides myself. Let me know if you get stuck somewhere along the way.
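A way to check the helper programs outside Apache before relying on them (an added example, not part of the original post). The function names pipe_auth, audit_helper and make_stub are made up here, and the stub with its john / s3cret pair is a constructed stand-in for pwauth so the checks can run offline.

```shell
#!/bin/sh
# Added example (not from the original post): checks for the helper
# programs that mod_authnz_external runs on every request.

# pipe_auth HELPER USER PASS
# "SetExternalAuthMethod ... pipe" hands the helper the login and the
# password on stdin, one per line. Exit status 0 accepts the login,
# any other status rejects it.
pipe_auth() {
    printf '%s\n%s\n' "$2" "$3" | "$1" >/dev/null 2>&1
}

# audit_helper PATH
# The helper decides who gets in, so only its owner may be able to change
# it. Succeeds for a regular executable file that is neither group- nor
# world-writable; otherwise prints the reason and fails.
audit_helper() {
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        echo "$1: not a regular file"; return 1
    fi
    if [ ! -x "$1" ]; then
        echo "$1: not executable"; return 1
    fi
    if [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$1: writable by group or others"; return 1
    fi
    echo "$1: ok"
}

# make_stub PATH
# Constructed stand-in for /usr/sbin/pwauth so the checks run offline.
# It accepts exactly one made-up credential pair: john / s3cret.
make_stub() {
    cat > "$1" <<'EOF'
#!/bin/sh
IFS= read -r user
IFS= read -r pass
[ "$user" = john ] && [ "$pass" = s3cret ]
EOF
    chmod 755 "$1"
}
```

On a real host, run audit_helper against /usr/sbin/pwauth and /usr/sbin/unixgroup; the pipe_auth call against pwauth has to be made as the Apache user, because pwauth refuses callers whose uid is not in its compiled-in SERVER_UIDS list.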
Thank you, this was very helpful.
Wow what a slick and elegant how-to. Thank you very much, you’ve been of great help.
Thank you very much. But when you want to use groups you should configure:
require group teachers
/axel
Hi, thx very much for that tutorial. I am using it on my linux machine. Since then I am very happy for not having two password stores.
But this PAM module is damn slow when loading directory listings compared to htpasswd files… any solution/improvements?
Hi there,
To be honest, I haven’t really encountered any dramatic slowdown compared to a straight-up htpasswd file, but I didn’t use this solution on any heavy-load systems either. I remember seeing another approach to this using a Perl module of a sort, but I can’t remember now what it was called.
Thank you, good explanation. I used yours for my raspberry server and owncloud.
But don’t forget to have NSCD running
Name Service Cache Daemon service
This caches the authentications on the server (server-side). Otherwise, pam auth is rather slow (especially when navigating through folder indexes) because un-passwd check is performed for each access (done in background by your browser/client-side).
When I use
require group
I get this error
AH00526: Syntax error on line 84 of /etc/apache2/httpd.conf:
Unknown Authz provider: group
Action ‘configtest’ failed.
Did mod_authnz_external install successfully?
Never knew of mod_authnz_external. That’s perfect. Thank you!
Hello,
The group version does not work for me.
I have the following error message in apache2’s error.log:
AH01664: No group file was specified in the configuration
Do you have any ideas?
Thanks
Found the solution, the syntax is :
Require unix-group GROUPNAME
and not require group GROUPNAME.
Nice and simple way of explaining. Kudos to your way of writing
The google repo for unixgroup is no longer available; use https://github.com/phokz/pwauth/blob/master/pwauth/unixgroup
Hi,
thanks for this HowTo. It saved my day after a complete server crash and rebuild. Prior to this rebuild we have used Apache 2.2 and the old config did not work with 2.4. An updated version with PAM also did not work. Now everything is back on track. We use it for authentication to our SVN repositories.