One consequence of the server outage was that I could finally justify the time to solve an irritating Apache authentication problem. In fact, I had to solve the problem, because I needed to log in to our control panels. (I really love our new control panels, but I wrote them, so I should. I’ll release a new version Real Soon Now. Don’t bother looking for the old version – it’s horribly out-of-date.)
The solution had two parts, both related to changes in the Authentication and Access Control of Apache httpd 2.2. In summary, it seems that there are now mod_auth modules which direct authentication (authn) modules and authorisation (authz) or access control modules, and there are some authnz modules which can do both parts.
So, the solution: Firstly, mod_authnz_external has become an easier way to do PAM authentication than getting mod_auth_pam to work with the new system. (As an alternative, I could have authenticated directly against the SQL database used by the control panel, but it seems neater to do all authentication through PAM.) So, the modules enabled were auth_basic, authn_file, authz_groupfile, authz_host and authnz_external, but it still gave an error message.
Secondly, I found a blog post about the “no groups file?” error I got then, which suggested re-enabling mod_authz_user. That cured the error, although I don’t yet understand why. The error and the solution don’t seem particularly related. But it works!
The above took me about 3 hours of researching, installing, configuring and testing to get working. My guess that it was an awkward job was right. I think TTLLP control panel customers will be glad they’re not paying all of that!
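A minimal httpd 2.2 configuration of the kind described above, as an added example that is not taken from the original post. It assumes the pwauth helper at /usr/sbin/pwauth as the PAM bridge and a hypothetical /srv/controlpanel directory.

```apache
# Added example for Apache httpd 2.2; not the author's configuration.
# Assumptions: pwauth is the PAM helper, installed at /usr/sbin/pwauth,
# and /srv/controlpanel is a placeholder path. The modules named in the
# post (auth_basic, authz_host, authnz_external, authz_user) are enabled.

# Server or virtual-host context: register the external authenticator
# under the keyword "pwauth".
AddExternalAuth pwauth /usr/sbin/pwauth

# "pipe" passes the login and password to the helper on its standard
# input, so they never appear in its environment or argument list.
SetExternalAuthMethod pwauth pipe

<Directory /srv/controlpanel>
    # Basic authentication sends the password with every request,
    # so this directory should only be served over TLS.
    AuthType Basic
    AuthName "Control panel"

    # authn step: mod_auth_basic hands the credentials to the
    # "external" provider registered by mod_authnz_external.
    AuthBasicProvider external
    AuthExternal pwauth

    # authz step: in httpd 2.2, "Require valid-user" and "Require user"
    # are implemented by mod_authz_user, so that module must be enabled
    # for this line to be evaluated.
    Require valid-user
</Directory>
```

Running apache2ctl configtest after enabling the modules confirms that every directive above is recognised before the server is reloaded.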
Hi Chaps,
I’m a home computer user (Windows XP-Pro), and Secunia PSI checks all my drivers and progs and reports those ‘insecure.’
Apache 2 is the only one so listed. I’ve d/loaded Apache 2.2 and tried to install it, but all it does is sit next to the present installation and does nothing! I have no idea how to use it and wonder if you can tell me whether I even need it. I do not have a website. I’d be much obliged if anyone could walk me through my dilemma, preferably in plain English.
Thank you,
Chas. K.
Well, Apache 2 (which usually means Apache httpd 2) is a webserver – it’s a program for sending web pages to web browsers.
If you’re a home computer user and especially if you don’t have a website, you probably don’t need it installed. I’d use its Uninstall command in the menu, or use the Add/Remove Programs tool to remove it – and I’d also see if I could find out who installed Apache 2 on my computer!
Apache 2 isn’t usually insecure, so I suspect Secunia PSI (which I’ve never heard of before, so I could be wrong) just doesn’t know it and is labelling anything it doesn’t know as “insecure”. However, if you’ve no particular reason to run it, then don’t run server software.
Hope that helps! I’ve not used Windows much for years, so follow the above advice at your own risk! I’ll ask a friend who knows more about Windows to take a look at this comment and let me know if I’ve made a serious mistake.
Dear MJ Ray,
I’m much obliged to you for taking the time to reply to my post. It would appear that I have installed the App. in a general package of Nvidia supplied progs! However, in a ‘belt and braces’ approach, I’ll hold on Sir, before I remove it, to see if anything your friend has to say advises against.
Once more, I’m much obliged to you for your time and advice,
Chas. Kearney.
You’d better use mod_authn_sasl. This module can do PAM authentication (among others, like e.g. IMAP) but without giving read access to the shadow file. The apache user should not have read access to /etc/shadow: if your server gets hacked you don’t want the intruder to start password cracking.
On Debian, install libapache2-mod-authn-sasl and read /usr/share/doc/libapache2-mod-authn-sasl/README.Debian. It is really easy to set up following this information.
Regards, Adrian.