If you intend to use the Apache Web server and you are looking for a simple and robust authentication mechanism based on OS authentication mechanism the Apache mod_auth_externet (Apache2 mod_authnz_external) module is a good solution.
The OS authentication mechanism means authenticate against the shadow file of your linux OS, where all users are in a central system.
This article will provide you with an installation procedure for Ubuntu and OpenSuse, to get mod_authnz_external running with pwauth and PAM authentication.
I tested using Ubuntu 10.04 with Apache 2.2.14 and OpenSuse 11.3 with Apache 2.2.15. Also Ubuntu 10.1 0 I think should have the same behavior like 10.04 regarding web authentication using mod_authnz_external.
You can download the source code of the mod_auth_external from the official web site: http://code.google.com/p/mod-auth-external
Make sure that you are using the correct version of mod_auth_external for you version of Apache:
Apache 2.2: mod_authnz_external-3.1.x or mod_authnz_external-3.2.x
Apache 2.0: mod_auth_external-2.2.x
Apache 1.3: mod_auth_external-2.1.x
As you can see the Apach 2.2 which is usually installed on the newest Linux distro (Ubuntu 10.04 and OpenSuse 11.3) use mod_authnz_external.
You can get Apache version:
OpenSuse: httpd2 -v
Ubuntu: apache2 –v
Install mod_auth_external
On Ubuntu I build the module from source code. Please read the helpful instructions from the mod_auth_extrernal page.
On Suse I installed the mod_auth_extrernal using Yast tool from the next repository:
http://download.opensuse.org/repositories/Apache:/Modules/openSUSE_11.3
Also using YaST tool the mod_authnz_extrernal module should be loaded by Apache server:
-Start YaST/ System/ sysconfig Editor
- Select Network, WWW, Apache2.
- Highlight APACHE_MODULES. Add authnz_extern into the Modules line. Note: Don’t hand-edit dav_svn into /etc/apache2/sysconfig.d/loadmodule.conf, as YaST will just remove it next time it runs.
(http://www.sheepdogit.com/2007/02/24/configuring-apache-using-yast-opensuse-102/)
Install pwauth
Pwauth tool is a good solution to check the given system user and password.
On Ubuntu pwauth could be found on the default repository, just using:
On Suse the repository used for mod_autnx_extern contain the pwauth tool too.
Also on Suse server the access rights should be cheange for pwauth tool:
As soon as the pwauth is installed it could be tested as follow:
Run "pwauth", than type a user and a password. Than type "echo $?" . If return 0 the user and password is correct. Returning 1 means invalid user or password.
If a pwauth test doen’t work for a valid user and password, the pwauth PAM system should be configure. The PAM rules for pwauth could be configured on /etc/pam.d/pwauthfile. If this file doesn’t exist itr should be created. I tested using the same rules as /etc/pam.d/login files.
Nou you can retest running pwauth tool.
Configure Apache ServerOn Ubuntu pwauth could be found on the default repository, just using:
apt-get install pwauth
On Suse the repository used for mod_autnx_extern contain the pwauth tool too.
Also on Suse server the access rights should be cheange for pwauth tool:
chmod 4755 /usr/bin/pwauth
As soon as the pwauth is installed it could be tested as follow:
Run "pwauth", than type a user and a password. Than type "echo $?" . If return 0 the user and password is correct. Returning 1 means invalid user or password.
If a pwauth test doen’t work for a valid user and password, the pwauth PAM system should be configure. The PAM rules for pwauth could be configured on /etc/pam.d/pwauthfile. If this file doesn’t exist itr should be created. I tested using the same rules as /etc/pam.d/login files.
Nou you can retest running pwauth tool.
On Ubuntu I created a configuration file for authnz_external module: /etc/apache2/modules-available/authnz_external.conf and a symbolic link to this file inside /etc/apache2/mods-enabled. This is the mechanism of loading and configure modules of Apache 2.2 on Ubuntu. Now we should edit this configuration file.
On Suse we should edit /etc/apache2/httpd.conf file.
So we should add the next commands:
AddExternalAuth pwauth_auth /usr/local/bin/pwauth
SetExternalAuthMethod pwauth_auth pipe
<Directory "/path/to/www">
AuthType Basic
AuthBasicProvider external
AuthExternal pwauth_auth
AuthName "this text will be display on auth box"
Require valid-user
</Directory>
For more details please read the mod_auth_external page.
No comments:
Post a Comment