[BlueOnyx:19643] Re: pwauth on 5209R - fixed

Michael Stauber mstauber at blueonyx.it
Thu Jun 2 16:50:55 -05 2016


Hi Maurice,

> Clearly, pwauth is not working as it should.
> Can someone explain to me what is wrong here?

Yeah, I just looked into it. It was horribly broken. Many thanks for
reporting this!

When I built 5209R I gave this functionality a quick test, as I wasn't
sure if the mechanism we used on Apache 2.2 on 5208R would work on
5209R, too.

I then found out that we had to update mod_authnz_external to version
3.3.2 to get that module to work with Apache 2.4. With that in place
.htaccess password protection worked back then.

Now? It's broken as you said. I did some debugging and it's a
complicated mess:

Our .htaccess password protection mechanism relies on a two-part solution:

- Apache module mod_authnz_external
- /usr/bin/checker /usr/bin/checker_group

The first is just an Apache module that allows authentication to be done
via several externalized means. We configured it to use /usr/bin/checker
and /usr/bin/checker_group, which we provided as part of our custom
mod_authnz_external. These Perl scripts use Authen::PAM to do a PAM
authentication.

That authentication via Authen::PAM is no longer working. I use the same
exact code on 5208R, where it works flawlessly. On 5209R? It doesn't.
I'm not even sure what changed there. Either Authen::PAM is broken and
has changed in unknown ways, or PAM is throwing a wrench into it. I
threw lots of debugging at it, but to no avail.

After pulling what's left of my hair I just went back and published an
update that replaces /usr/bin/checker and /usr/bin/checker_group with
the respective binaries from the proven "pwauth" RPM off EPEL, because
these work and provide the same functionality.

So please do a "yum update" on your 5209R and it'll pull an updated
mod_authnz_external and will also install the now required "pwauth" RPM
off the BlueOnyx YUM repository.

With that in place password auth via .htaccess should work exactly as
before.

The documentation at /root/PAM_AUTH_EXTERNAL.READ-ME has the following
(working) examples in it at the end:

.htaccess usage examples:

1) Basic configuration for *any* valid system users:

        AuthAuthoritative on
        AuthType Basic
        AuthName Your_Eyes_only
        AuthExternal pwauth
        require valid-user

2) Only allow 1 specific user to authenticate

        AuthAuthoritative on
        AuthType Basic
        AuthName Your_Eyes_only
        AuthExternal pwauth
        require user USERNAME_HERE

3) Allow group authentication for all users of group "site1":

        AuthAuthoritative on
        AuthType Basic
        AuthName Your_Eyes_only
        AuthExternal pwauth
        GroupExternal unixgroup
        require group site1

-- 
With best regards

Michael Stauber
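
A check for a `Require` mistake that is easy to make when restricting one of these `.htaccess` blocks to a named account, as an added example that is not part of the original message or the BlueOnyx documentation: `valid-user` takes no arguments, so a name written after it does not restrict access, and this shell function reports such lines. The names `check_htaccess` and `write_sample` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not BlueOnyx code): flag "Require valid-user" lines that carry
# extra arguments. Apache ignores anything after valid-user, so every account
# that authenticates is admitted, not just the one that was named.

# check_htaccess FILE
# Prints "FILE:LINE: message" per finding; returns 1 if any were found, else 0.
check_htaccess() {
    awk '
        # Skip blank lines and comment lines.
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            # Compare in lower case: directive names are case-insensitive.
            if (tolower($1) == "require" && tolower($2) == "valid-user" && NF > 2) {
                extra = ""
                for (i = 3; i <= NF; i++) extra = (extra == "" ? $i : extra " " $i)
                printf "%s:%d: valid-user ignores \"%s\"; any authenticated user is admitted (use \"Require user %s\")\n", FILENAME, FNR, extra, extra
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# write_sample FILE: constructed sample with one correct and one mistaken block.
write_sample() {
    cat > "$1" <<'EOF'
# any valid system user
AuthType Basic
AuthExternal pwauth
require valid-user
# intended: one named user only
AuthType Basic
AuthExternal pwauth
require valid-user USERNAME_HERE
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_htaccess "$sample" || echo "review the lines listed above"
rm -f "$sample"
```
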