Invalid AuthExternal keyword (pwauth)

I'm trying to setup basic authentication on my Apache2 server using AuthExternal and pwauth. Thus using the system users to perform the authentication rather than another user db.

I could install and enable everything seamlessly. Apache2 (2.4.12-2ubuntu2 ), libapache2-mod-authnz-external (3.3.2-0.1) and pwauth (2.3.11-0.1). It's all running on my Ubuntu 15.10 Desktop edition and Linux 4.2.0-30-generic. Nothing fancy really, all standard willy repo installs.

Apache2 is running and the AuthExternal module is loaded correctly, at least as far as I can tell:

me@bla:~$ systemctl status apache2.service | grep Active Active: active (running) since Thu 2016-02-25 13:41:02 CET; 33s ago
me@bla:~$ apache2ctl -M | grep external authnz_external_module (shared)

I have defined the modules to be used as well as the Derictory to which to apply the authentication in the VHost config file. See my /etc/apache2/sites-enabled/000-default.conf below:

<IfModule mod_authnz_external.c> AddExternalAuth pwauth /usr/sbin/pwauth SetExternalAuthMethod pwauth pipe
</IfModule>
<VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined <Directory /var/www/html/sec> AuthType Basic AuthName "Restricted Area" AuthBasicProvider external AuthExternal pwauth Require user pat </Directory>
</VirtualHost>

Now, when I try to open loclahost/sec in a browser I'm prompted to log in. I provide pat as a user and his password and wait for the magic to happen. Unfortunately I get a internal server error rather than the expected index.html 'Hello World'....

So I checked the apache2 error logs and found 'Invalid AuthExternal keyword (pwauth)' in there. After some digging I came to realize, that this error is raised by AuthExternal because it can't find the specified pwauth. So I went and checked that by running:

sudo -u www-data which pwauth

That returned the same path as specified in the above config file, so that can be excluded....

I then tried to redirect AuthExternal to a shell script to test the module independently of pwauth. The script simply appends a string to a files for me to see if it's being called by AuthExternal or not. I ran 'chmod u+s a+x' on the file to allow it to run with root privilege, as pwauth needs that to access passwd, and gave it another try. I also tried the same without u+s as it's not needed here but that didn't went any better. This test lead me to think, that there is something wrong with my apache2 and not pwauth.

I tested all of that with Cromium and Firefox, not that it matters int his case, but you know... one can never be sure enough, right? I also tried all variations I could think of with respect to where I was putting the directives. All directly in the appache2.conf, the directory in appache2.conf and the module inclusion in ./conf-enable/security.conf, modules in security and directory in the vhost, etc... None of these variations helped, some made it worst though...

I then did a lot of googling.... But I could only find information with respect to this topic from the httpd.conf era which doesn't really apply anymore. Even if it still provides some valid and useful hints... In addition, most, if not all of those threads use a .htaccess approach. Which I'm trying to avoid by using the Directory directives in order to avoid the performance lack induced by .htaccess.

Anyhow, I'm out of ideas as of where to look or what to try. I'm turning in circles to be honest and would appreciate any hint, ideas or solutions to get me further.

2 Answers

Turns out, the AddExternalAuth and SetExternalAuthMethod must be placed within the VirtualHost declaration. Hence the following config works just fine:

<VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined AddExternalAuth pwauth /usr/sbin/pwauth SetExternalAuthMethod pwauth pipe <Directory /var/www/html/sec> AuthType Basic AuthName "Restricted Area" AuthBasicProvider external AuthExternal pwauth Require user pat </Directory>
</VirtualHost>

I still do not understand why the scenario in which the declaration is done globally, hence directly in apache2.conf, doesn't work. Nonetheless, the initial issue is solved....

1

Things seem to be different between apache versions. For apache2.4 the GitHub for mod-auth-external led me to the right path.

  1. In apache2.conf create the authentication method (here: checkEtcPasswd):

    <IfModule mod_authnz_external.c> DefineExternalAuth checkEtcPasswd pipe /usr/sbin/pwauth # AddExternalAuth pwauth /usr/sbin/pwauth # SetExternalAuthMethod pwauth pipe
    </IfModule>
  2. Refer this authenticator in the block:

    AuthType Basic
    AuthName "Your AuthName"
    AuthBasicProvider external
    AuthExternal checkEtcPasswd
    Require valid-user

That's it. Easy, if you know it...

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like