Apache 2 and HTTP Authentication with PAM

There are 2 ways(at least that I know of) to get Apache 2 to use PAM for http auth:

• Old mod_auth_pam, which I believe is not developed anymore and also posses some security risks
• Newer mod_authnz_external and pwauth

This little write up shows how to get Apache and PAM going on Ubuntu using the mod_authnz_external.
To get started, let’s install some packages:

sudo apt-get install libapache2-mod-authnz-external pwauth
sudo apt-get install libapache2-mod-authz-unixgroup
sudo a2enmod authnz_external authz_unixgroup


Edit config file for the Virtual Host you’d like to get them PAM-based HTTP Authentication going, such that it contains the following clause:


<IfModule mod_authnz_external.c>
AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe
</IfModule>


And the final bit of configuration goes to your Directory definition inside of vhost block:

<Directory /var/www/yourlocation>
AuthType Basic
AuthName "Restricted Area"
AuthBasicProvider external
AuthExternal pwauth
Require user john

# some other configuration statements
</Directory>


This will allow user john to access the resource.

Now if you also want to have PAM authentication by users group you’ll need to make few extra steps. Missing bit of puzzle here is called ‘unixgroup’ script and for some reason it is not in Ubuntu’s pwauth package where it ought to be. You will need to grab it from here and copy it over to /usr/sbin/unixgroup and make it executable. Here is a quick snippet to do that:


wget "http://pwauth.googlecode.com/files/pwauth-2.3.9.tar.gz"
tar xzvf ./pwauth-2.3.9.tar.gz
sudo cp pwauth-2.3.9/unixgroup /usr/sbin/
sudo chmod a+x /usr/sbin/unixgroup


Once that’s done, you’ll need to few more lines to you Virtual Host config, so it will look something like this:

<IfModule mod_authnz_external.c>
AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe
AddExternalGroup unixgroup /usr/sbin/unixgroup
SetExternalGroupMethod unixgroup environment
</IfModule>

<Directory /var/www/yourlocation>
AuthType Basic
AuthName "Restricted Area"
AuthBasicProvider external
AuthExternal pwauth
GroupExternal unixgroup
Require user john# some other configuration statements
</Directory>


Hopefully this is helpful to someone besides myself Let me know if you got stock somewhere along the way.