libapache2-mod-auth-pam: doesn't work with Apache > 2.1

Bug #130099 reported by Anders Wallenquist
Affects | Status | Importance | Assigned to | Milestone
libapache2-mod-auth-pam (Debian) | Fix Released | Unknown | |
libapache2-mod-auth-pam (Ubuntu) | Won't Fix | High | Unassigned |

Bug Description

Binary package hint: libapache2-mod-auth-pam

Reported to Debian
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=394097

Since the auth mechanisms were changed in Apache 2.1 this module does
not work any more. It probably should be replaced by mod_authn_pam
available at http://mod-auth.sourceforge.net/docs/mod_authn_pam/

I think it's important to change package for pam authentication in Ubuntu as soon as possible.

Anders Wallenquist (aw) wrote :

This is a workaround which sometimes gets this to work:

        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all

                AuthType Basic
                AuthPAM_Enabled on
                AuthBasicAuthoritative Off
                AuthName "Barney-servern"
                Require valid-user
        </Directory>

Changed in libapache2-mod-auth-pam:
status: Unknown → New
Martin Albisetti (beuno) wrote :

In addition to adding "AuthBasicAuthoritative Off", you have to do the following:

- Add www-data to the shadow group (usermod -G shadow www-data)
- Symlink /etc/pam.d/apache2 to /etc/pam.d/httpd, as that's what Apache2 looks for (ln -s /etc/pam.d/apache2 /etc/pam.d/httpd)

This is a workaround, obviously this should be fixed :D

Changed in libapache2-mod-auth-pam:
status: New → Confirmed
Changed in libapache2-mod-auth-pam:
importance: Undecided → High
Luis Bruno (lbruno) wrote :

Dunno about previous versions, but for Hardy you only need to add www-data to group shadow for the snippet above to work.

I'm subscribed to this bug; if needed, I can post my config details.

Anders Wallenquist (aw) wrote :

This is still a problem in Karmic package libapache2-mod-auth-pam version 1.1.1-6.1ubuntu2.

I have done a workaround in post-install, adding www-data to the shadow group. You still have to set AuthBasicAuthoritative Off.

A debdiff is attached.

Chuck Short (zulcss) wrote :

This workaround makes me nervous. What are the implications of adding www-data to the shadow group?

Regards
chuck

Luis Bruno (lbruno) wrote : Re: [Bug 130099] Re: libapache2-mod-auth-pam: doesn't work with Apache > 2.1

Chuck Short wrote:
> This workaround makes me nervous. What are the implications of adding
> www-data to the shadow group?

Too d*mn many. But how else would an Apache module authenticate against
PAM? It's all a bunch of libraries anyway.

I'd prefer something like saslauthd: a single piece of code that has
shadow access. Then you'd open a socket to that daemon and authenticate
from there.

Marc Deslauriers (mdeslaur) wrote :

No, we are _not_ going to add www-data to the shadow group. Doing so has major security implications.

libapache2-mod-auth-pam is no longer being maintained and should be removed from karmic.

Use libapache2-mod-authnz-external instead.
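
Added example, not part of any comment in this thread or of the package: a shell check for hosts where the workaround discussed above (www-data in group shadow, /etc/pam.d/httpd symlinked) was applied. The function names, the ROOT prefix argument and the fixture contents are assumptions of this example; on Debian and Ubuntu /etc/shadow is readable by group shadow, which is why the membership is the part reported as a risk.

```shell
#!/bin/sh
# member_of GROUP USER GROUPFILE PASSWDFILE
# Exit 0 if USER belongs to GROUP, either as a supplementary member
# (field 4 of the group file) or through the primary GID in passwd.
member_of() {
    grp=$1 user=$2 groupfile=$3 passwdfile=$4
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$groupfile")
    [ -n "$gid" ] || return 1          # group does not exist
    awk -F: -v g="$grp" -v u="$user" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$groupfile" && return 0
    awk -F: -v u="$user" -v gid="$gid" '
        $1 == u && $4 == gid { found = 1 }
        END { exit !found }' "$passwdfile"
}

# audit_pam_workaround [ROOT] [USER]
# ROOT is an optional path prefix (mounted image, test fixture); empty means
# the live system. Returns 1 if USER is in group shadow, 0 otherwise.
audit_pam_workaround() {
    root=${1:-} user=${2:-www-data} rc=0
    if member_of shadow "$user" "$root/etc/group" "$root/etc/passwd"; then
        echo "RISK: $user is a member of group shadow"
        rc=1
    fi
    if [ -L "$root/etc/pam.d/httpd" ]; then
        echo "INFO: /etc/pam.d/httpd is a symlink to $(readlink "$root/etc/pam.d/httpd")"
    fi
    [ "$rc" -ne 0 ] || echo "OK: $user is not in group shadow"
    return "$rc"
}

# make_fixture DIR MEMBERS
# Writes a constructed (not real) /etc tree for trying the check offline.
make_fixture() {
    mkdir -p "$1/etc/pam.d"
    printf 'root:x:0:\nshadow:x:42:%s\nwww-data:x:33:\n' "$2" > "$1/etc/group"
    printf 'root:x:0:0::/root:/bin/sh\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n' \
        > "$1/etc/passwd"
    ln -sf /etc/pam.d/apache2 "$1/etc/pam.d/httpd"
}
```

Calling `audit_pam_workaround` with no arguments checks the running system; /etc/group and /etc/passwd are world-readable, so it needs no special privileges.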

Anders Wallenquist (aw) wrote :

libapache2-mod-authnz-external does not support pam-authentication out of the box any more, you have to write your own plugin or fetch external code.

Marc Deslauriers (mdeslaur) wrote :

The pam authenticator is called pwauth, and there's a package for it in karmic.

Chuck Short (zulcss) wrote :

I'm marking this as won't fix, based on comments from Marc.

Regards
chuck

Changed in libapache2-mod-auth-pam (Ubuntu):
status: Confirmed → Won't Fix
Changed in libapache2-mod-auth-pam (Debian):
status: New → Fix Released