[BlueOnyx:19643] Re: pwauth on 5209R - fixed

Michael Stauber mstauber at blueonyx.it
Thu Jun 2 16:50:55 -05 2016

Hi Maurice,

> Clearly, pwauth is not working as it should.
> Can someone explain to me what is wrong here?

Yeah, I just looked into it. It was horribly broken. Many thanks for
reporting this!

When I built 5209R I gave this functionality a quick test, as I wasn't
sure if the mechanism we used on Apache 2.2 on 5208R would work on
5209R, too.

I then found out that we had to update mod_authnz_external to version
3.3.2 to get that module to work with Apache 2.4. With that in place
.htaccess password protection worked back then.

Now? It's broken as you said. I did some debugging and it's a
complicated mess:

Our .htaccess password protection mechanism relies on a two-part solution:

- Apache module mod_authnz_external
- /usr/bin/checker /usr/bin/checker_group

The first is just an Apache module that allows authentication via
several externalized means. We configured it to use /usr/bin/checker and
/usr/bin/checker_group, which we provided as part of our custom
mod_authnz_external. These Perl scripts use Authen::PAM to do a PAM

That authentication via Authen::PAM is no longer working. I use the same
exact code on 5208R, where it works flawlessly. On 5209R? It doesn't.
I'm not even sure what changed there. Either Authen::PAM is broken and
has changed in unknown ways, or PAM is throwing a wrench into it. I
threw lots of debugging at it, but to no avail.

After pulling what's left of my hair I just went back and published an
update that replaces /usr/bin/checker and /usr/bin/checker_group with
the respective binaries from the proven "pwauth" RPM off EPEL, because
these work and provide the same functionality.

So please do a "yum update" on your 5209R and it'll pull an updated
mod_authnz_external and will also install the now required "pwauth" RPM
off the BlueOnyx YUM repository.

With that in place password auth via .htaccess should work exactly as

The documentation at /root/PAM_AUTH_EXTERNAL.READ-ME has the following
(working) examples in it at the end:

.htaccess usage examples:

1) Basic configuration for *any* valid system users:

        AuthAuthoritative on
        AuthType Basic
        AuthName Your_Eyes_only
        AuthExternal pwauth
        require valid-user

2) Only allow 1 specific user to authenticate

        AuthAuthoritative on
        AuthType Basic
        AuthName Your_Eyes_only
        AuthExternal pwauth
        # "require user" limits access to the named account;
        # "valid-user" would admit any authenticated user.
        require user USERNAME_HERE

3) Allow group authentication for all users of group "site1":

        AuthAuthoritative on
        AuthType Basic
        AuthName Your_Eyes_only
        AuthExternal pwauth
        GroupExternal unixgroup
        require group site1

With best regards

Michael Stauber
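
Added example (not part of the original post or of the BlueOnyx documentation): a small Python check for .htaccess files that use the directives shown above. It flags "require valid-user" followed by names, since Apache's valid-user check admits any authenticated user and ignores the rest of the line, and "require group" in a file that sets AuthExternal but no GroupExternal. The sample files, the finding ids and the account name "alice" are constructed for illustration.

```python
# Added example: audit .htaccess text for two mistakes around the directives above.
# The sample files are constructed for illustration; "alice" is a made-up account.
SAMPLES = {
    "any-user": "AuthType Basic\nAuthName Your_Eyes_only\n"
                "AuthExternal pwauth\nrequire valid-user\n",
    "one-user-wrong": "AuthType Basic\nAuthName Your_Eyes_only\n"
                      "AuthExternal pwauth\nrequire valid-user alice\n",
    "one-user-right": "AuthType Basic\nAuthName Your_Eyes_only\n"
                      "AuthExternal pwauth\nrequire user alice\n",
    "group-no-checker": "AuthType Basic\nAuthName Your_Eyes_only\n"
                        "AuthExternal pwauth\nrequire group site1\n",
}


def directives(text):
    """Yield (line number, lower-cased directive name, argument list)."""
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            yield lineno, parts[0].lower(), parts[1:]


def audit(text):
    """Return a list of (line number, finding id) for one .htaccess file."""
    parsed = list(directives(text))
    names = {name for _, name, _ in parsed}
    findings = []
    for lineno, name, args in parsed:
        if name != "require" or not args:
            continue
        kind = args[0].lower()
        # Apache's valid-user check admits every authenticated user and
        # does not look at anything written after the keyword.
        if kind == "valid-user" and len(args) > 1:
            findings.append((lineno, "valid-user-with-names"))
        # Heuristic: GroupExternal may also be set in a parent directory or
        # in the server config, which this per-file check cannot see.
        if kind == "group" and "authexternal" in names and "groupexternal" not in names:
            findings.append((lineno, "group-without-groupexternal"))
    return findings


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        for lineno, finding in audit(text):
            print(f"{label}: line {lineno}: {finding}")
```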
