Monday, February 28, 2011

Web authentication (Apache server) using system users


If you intend to use the Apache web server and are looking for a simple and robust authentication mechanism based on the OS's own authentication, the Apache mod_auth_external module (mod_authnz_external for Apache2) is a good solution.
OS authentication here means authenticating against the shadow file of your Linux OS, where all users are kept centrally.
This article provides an installation procedure for Ubuntu and OpenSuse to get mod_authnz_external running with pwauth and PAM authentication.
I tested using Ubuntu 10.04 with Apache 2.2.14 and OpenSuse 11.3 with Apache 2.2.15. I think Ubuntu 10.10 should also behave the same as 10.04 regarding web authentication using mod_authnz_external.

You can download the source code of mod_auth_external from the official web site: http://code.google.com/p/mod-auth-external
Make sure that you are using the correct version of mod_auth_external for your version of Apache:
    Apache 2.2:     mod_authnz_external-3.1.x or mod_authnz_external-3.2.x
    Apache 2.0:     mod_auth_external-2.2.x
    Apache 1.3:     mod_auth_external-2.1.x
As you can see, Apache 2.2, which is usually installed on the newest Linux distros (Ubuntu 10.04 and OpenSuse 11.3), uses mod_authnz_external.
You can get the Apache version with:
        OpenSuse:   httpd2 -v
        Ubuntu:     apache2 -v

Install mod_auth_external

On Ubuntu I built the module from source code. Please read the helpful instructions on the mod_auth_external page.

On Suse I installed mod_auth_external using the YaST tool from the following repository:
http://download.opensuse.org/repositories/Apache:/Modules/openSUSE_11.3

The mod_authnz_external module should also be loaded by the Apache server, again using the YaST tool:
    - Start YaST / System / sysconfig Editor.
    - Select Network, WWW, Apache2.
    - Highlight APACHE_MODULES. Add authnz_external to the Modules line. Note: Don’t hand-edit dav_svn into /etc/apache2/sysconfig.d/loadmodule.conf, as YaST will just remove it next time it runs.
(http://www.sheepdogit.com/2007/02/24/configuring-apache-using-yast-opensuse-102/)

Install pwauth

The pwauth tool is a good solution for checking a given system user and password.
On Ubuntu pwauth can be found in the default repository; just use:
apt-get install pwauth

On Suse the repository used for mod_authnz_external contains the pwauth tool too.
On a Suse server the access rights of the pwauth tool should also be changed:
chmod 4755 /usr/bin/pwauth

As soon as pwauth is installed it can be tested as follows:
Run "pwauth", then type a user and a password. Then type "echo $?". If it returns 0 the user and password are correct. A return value of 1 means invalid user or password.
If the pwauth test doesn’t work for a valid user and password, PAM should be configured for pwauth. The PAM rules for pwauth can be configured in the /etc/pam.d/pwauth file. If this file doesn’t exist it should be created. I tested using the same rules as the /etc/pam.d/login file.
Now you can retest by running the pwauth tool.

Configure Apache Server

On Ubuntu I created a configuration file for the authnz_external module, /etc/apache2/modules-available/authnz_external.conf, and a symbolic link to this file inside /etc/apache2/mods-enabled. This is the mechanism for loading and configuring modules for Apache 2.2 on Ubuntu. Now we should edit this configuration file.

On Suse we should edit the /etc/apache2/httpd.conf file.

So we should add the following directives:

# Bind the keyword pwauth_auth to the pwauth binary; use the path where
# pwauth is actually installed on your system.
AddExternalAuth pwauth_auth /usr/local/bin/pwauth
# "pipe": the login and password are passed to pwauth on its standard input.
SetExternalAuthMethod pwauth_auth pipe

<Directory "/path/to/www">
    AuthType Basic
    AuthBasicProvider external
    AuthExternal pwauth_auth
    AuthName "this text will be display on auth box"
    Require valid-user
</Directory>

For more details please read the mod_auth_external page.
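
The shell functions below are an added example, not part of the original article or of mod_auth_external. They read the authenticator path that AddExternalAuth binds to a keyword in an Apache configuration file, confirm that the path is executable, and then repeat the stdin test from the pwauth section against that exact binary. The function names and return codes are this example's own; the configuration file and the test account passed in are assumptions.

```shell
#!/bin/sh
# Added example: check that the authenticator named in the Apache
# configuration is the binary that was installed and tested by hand.

# Print the authenticator path that AddExternalAuth binds to keyword $2
# in Apache config file $1 (prints nothing if the keyword is not defined).
# Apache directive names are case-insensitive, hence tolower().
external_auth_path() {
    awk -v kw="$2" \
        'tolower($1) == "addexternalauth" && $2 == kw { print $3; exit }' "$1"
}

# Feed login $2 and password $3 to authenticator $1 the way the "pipe"
# method does: two lines on stdin, verdict in the exit status (0 = accepted).
pipe_auth() {
    printf '%s\n%s\n' "$2" "$3" | "$1" >/dev/null 2>&1
}

# Check config file $1 and keyword $2 using test account $3 / password $4.
# Returns 0 = login accepted
#         1 = login rejected by the authenticator
#         2 = keyword has no AddExternalAuth line in the config
#         3 = configured path does not exist or is not executable
check_external_auth() {
    bin=$(external_auth_path "$1" "$2")
    [ -n "$bin" ] || return 2
    [ -x "$bin" ] || return 3
    pipe_auth "$bin" "$3" "$4" && return 0
    return 1
}
```

A return value of 3 is the case to look for when the path given to AddExternalAuth differs from the location where the package or build placed pwauth.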