HowTo: Apache-2.2 mod_authn_pam on Debian Etch


Starting in Apache version 2.2 there is a major change to the authentication and authorization layout. There are considerable differences in module names and directives, which will most likely render your AuthBasic schemes useless and require a bit of proverbial poking. One of the affected modules is mod_auth_pam. In the Debian Linux distribution there is unfortunately no easy or, more importantly, stable way to proceed with this that doesn't involve disabling most of Apache's new feature sets. This is where mod_authn_pam comes in. It has been around for a while but still hasn't made its way into the Debian package repositories.

This HowTo describes how to grab and install the module from a CVS checkout from SourceForge.

First of all, a few deps are needed on Debian in order to build the module.

# aptitude install libtool automake autoconf libapr1-dev apache2-prefork-dev

The next step is to check out the sources from CVS to a build directory. Just hit enter when asked for a password.

# cd /usr/local/src
# cvs -d:pserver:anonymous@mod-auth.cvs.sourceforge.net:/cvsroot/mod-auth login
# cvs -z3 -d:pserver:anonymous@mod-auth.cvs.sourceforge.net:/cvsroot/mod-auth co -P mod_authn_pam
# cd mod_authn_pam

The next step is to regenerate the necessary autoconf/automake scripts. The order here is important.

# libtoolize --force --copy
# aclocal
# autoheader
# automake --add-missing
# autoconf

Now we generate the Makefile using information from apr/apxs to ensure the module will play nice with the Debian Apache installation. Note: this command is one line.

# CFLAGS="-I/usr/include/apr-1.0 `/usr/bin/apr-config --cppflags --cflags`" ./configure --with-apxs=/usr/bin/apxs2

This should hopefully generate our Makefile without complaining about any missing deps, at which point we can happily run:

# make && make install

You should now have /usr/lib/apache2/modules/mod_authn_pam.so in place.

Next, apply a configuration to Apache so you can use the module.

Create a LoadModule directive in the location Apache expects it.

# echo "LoadModule authn_pam_module /usr/lib/apache2/modules/mod_authn_pam.so" >/etc/apache2/mods-available/authn_pam.load

Enable the module.

# a2enmod authn_pam
# /etc/init.d/apache2 force-reload

Just make sure now that Apache is still working! ;-)

You should now be in a position to create some usable configuration. Below is an example of a Location which uses Apache Basic authentication backed by PAM. The important thing is to set the correct Auth provider.

<Location /private>
AuthType Basic
AuthName "This is a private area"
AuthBasicProvider pam
Require valid-user
</Location>

Because mod_authn_pam (AutheNtication not AuthoriZation) does not provide group access rights, it is sometimes handy to add another module into the stack. You don't need to put any users in the userfile, but Apache will complain if you do not set one. You could alternatively set the AuthUserFile to /dev/null if you never intend to use it.

<Location /private>
AuthType Basic
AuthName "This is a private area"
AuthBasicProvider file pam
AuthUserFile /path/to/userfile
AuthGroupFile /path/to/groupfile
Require group private
</Location>

Your /etc/pam.d/apache configuration file can contain any external mechanisms. However, do not bother trying to add Unix auth. This is because PAM is executed as the Apache runtime user, in this case www-data, so there will be problems when /etc/shadow is read to check the password. I recommend combining this with something like libpam-heimdal or winbind. There are some instructions for getting winbind and Samba working on this blog.
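
A check for the problem described above, as an added example that is not part of the original HowTo: the pam_lint function (a hypothetical name) lists every auth or account line of a PAM service file that loads pam_unix, following include lines so that a stack inherited from Debian's common-auth is caught as well. Treating both the auth and account stacks as affected is an assumption, and the sample files in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original HowTo.
# pam_lint FILE [DIR]: print every auth/account line that loads pam_unix,
# following Debian "@include NAME" and Linux-PAM "include"/"substack" NAME
# references relative to DIR (default /etc/pam.d). Returns 1 if any are found.
pam_lint() {
    awk -v dir="${2:-/etc/pam.d}" '
    function scan(path,    line, n, nf, f, i, type) {
        if (path in seen) return            # scan each file once; stops include loops
        seen[path] = 1
        while ((getline line < path) > 0) {
            n++
            sub(/#.*/, "", line)            # strip comments
            nf = split(line, f)             # whitespace split, leading blanks ignored
            if (nf < 2) continue
            if (f[1] == "@include") { scan(dir "/" f[2]); continue }
            type = f[1]; sub(/^-/, "", type) # "-auth": quiet if the module is missing
            if (type != "auth" && type != "account") continue
            if (f[2] == "include" || f[2] == "substack") {
                scan(dir "/" f[3]); continue # all auth/account lines of that file
            }
            # The module may sit after a bracketed control such as
            # [success=1 default=ignore], so look at every remaining field.
            for (i = 3; i <= nf; i++)
                if (f[i] ~ /pam_unix\.so$/) {
                    printf "%s:%d: %s\n", path, n, line
                    bad++
                }
        }
        close(path)
    }
    BEGIN { scan(ARGV[1]); exit (bad > 0) }' "$1"
}

# Constructed demo: a service file that pulls in a common-auth using pam_unix.
demo=$(mktemp -d)
printf '%s\n' '@include common-auth' 'account required pam_winbind.so' > "$demo/apache"
printf '%s\n' 'auth [success=1 default=ignore] pam_unix.so nullok_secure' > "$demo/common-auth"
pam_lint "$demo/apache" "$demo" || echo "pam_unix is in the stack used by www-data"
rm -rf "$demo"
```

On a real system, run it as pam_lint /etc/pam.d/apache before reloading Apache.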