Install and Configure Auth Shadow on Debian/Ubuntu

Submitted by Thanatos (Contact Author) (Forums) on Sun, 2007-02-04 20:19. :: Debian | Linux | Ubuntu | Apache | Security

Caveat

This method of installation and configuration works for me, using a combination of apt and building from source. Therefore, an easier method may exist. Always be sure to check the software you are installing from apt using

apt-cache showpkg pkgname

for version and dependencies. As usual, your mileage may vary and you proceed at your own risk.

Pre-reqs

You must have a working apache or apache2 installation and understand the concepts involved with restarting the server, enabling modules and the location and format of configuration files, e.g., httpd.conf or apache2.conf.

Background

Auth Shadow (mod-auth-shadow) is a module for apache (and apache2, sort of) that enables authentication against /etc/shadow. The benefit is that any system user with a password can be authenticated for WebDAV, subversion or simply an https server. The only other way to do this is with PAM. That method is dangerous because the apache user (www-data in my case) must be able to read /etc/shadow, which is obviously not a good idea. Auth Shadow accomplishes this safely by using an intermediate program called validate. This works because validate can be owned by root but executable by everyone. In the event that your server is compromised through apache, your password file will not be readable.

Installation

Officially, mod-auth-shadow only exists for apache and not for apache2. I was not willing to accept this. I will demonstrate the installation on debian/ubuntu using apt for apache. For apache2, I had to find a build of the module for x86. This presents two problems. First, the newest version has not yet been built and second, the version that has been built (in an .rpm file) contains a bug in the "validate" program causing uid errors.

Download - Apache2 only

Download the rpm for your architecture from rpmfind.net - downloads.

Download the latest source code (for compiling validate) from sourceforge here.

Install module

Apache:

sudo apt-get install libapache-mod-auth-shadow

Apache2:

In order to install a module from an .rpm, you must install alien.

sudo apt-get install alien

From here you can install the rpm by doing

sudo alien -i packagename.rpm

Compile Validate - Apache2 only

In the directory containing the source for mod-auth-shadow, compile with

sudo make validate

sudo cp validate /usr/sbin

This must be done as root because the permissions are changed.
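As an added check, not part of the original article, the following POSIX shell script verifies the two file-permission properties that the Background section and the validate installation rely on: that /etc/shadow is not readable by the apache user, and that the copied validate helper is owned by root with the setuid bit set, which is what lets a program started by www-data open the shadow file on its behalf. The paths and user name are assumptions taken from the Debian defaults used above (/etc/shadow, /usr/sbin/validate, www-data) and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not from the original article: sanity checks for the
# permission model described in the Background section. Assumed defaults
# (Debian): /etc/shadow, /usr/sbin/validate, apache user www-data.

SHADOW_FILE=${SHADOW_FILE:-/etc/shadow}
VALIDATE_BIN=${VALIDATE_BIN:-/usr/sbin/validate}
APACHE_USER=${APACHE_USER:-www-data}

# First field of "ls -ld", e.g. "-rwsr-xr-x" (GNU ls may append "." or "+").
perm_string() { ls -ld "$1" | awk '{print $1}'; }
# Third field of "ls -ld": the owning user.
owner_of()    { ls -ld "$1" | awk '{print $3}'; }

# Returns 0 if the "other" read bit is set (position 8 of the mode string).
is_world_readable() {
    p=$(perm_string "$1") || return 2
    case $p in ???????r*) return 0 ;; *) return 1 ;; esac
}

# Returns 0 if the setuid bit is set ("s" or "S" in the owner-execute slot).
has_setuid_bit() {
    p=$(perm_string "$1") || return 2
    case $p in ???[sS]*) return 0 ;; *) return 1 ;; esac
}

# Returns 0 only if FILE is setuid AND owned by root: the combination that
# lets a helper started by www-data read /etc/shadow while www-data cannot.
is_setuid_root() {
    has_setuid_bit "$1" && [ "$(owner_of "$1")" = root ]
}

# Runs every check against this machine, prints PASS/FAIL lines and returns
# non-zero if anything failed. The www-data read test needs root (uses su).
audit_auth_shadow() {
    rc=0
    if is_world_readable "$SHADOW_FILE"; then
        echo "FAIL: $SHADOW_FILE is world-readable"; rc=1
    else
        echo "PASS: $SHADOW_FILE is not world-readable"
    fi
    if [ ! -e "$VALIDATE_BIN" ]; then
        echo "FAIL: $VALIDATE_BIN not found"; rc=1
    elif is_setuid_root "$VALIDATE_BIN"; then
        echo "PASS: $VALIDATE_BIN is setuid root ($(perm_string "$VALIDATE_BIN"))"
    else
        echo "FAIL: $VALIDATE_BIN is not setuid root ($(perm_string "$VALIDATE_BIN"))"; rc=1
    fi
    if [ "$(id -u)" != 0 ]; then
        echo "SKIP: run as root to test whether $APACHE_USER can read $SHADOW_FILE"
    elif su -s /bin/sh "$APACHE_USER" -c "test -r '$SHADOW_FILE'"; then
        echo "FAIL: $APACHE_USER can read $SHADOW_FILE"; rc=1
    else
        echo "PASS: $APACHE_USER cannot read $SHADOW_FILE"
    fi
    return $rc
}

# Only audit the live system when explicitly asked, so the file can also be
# sourced for its functions.
if [ "${1-}" = "--run" ]; then
    audit_auth_shadow
fi
```

Save it as check-auth-shadow.sh and run `sudo sh check-auth-shadow.sh --run` after the copy step above; a FAIL on the validate line usually means the binary was copied without preserving ownership or the setuid bit, which is exactly the situation where validate would start failing with uid errors for www-data.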

Loading the Auth Shadow Module

For Apache, the module is enabled automatically by apt-get install.

For Apache2, enable it with

sudo a2enmod auth_shadow

Configuring Apache(2)

Wherever your directory, location or virtual host configuration lives, adapt the following to fit your needs. Only the basic requirements are included in this example.

In addition, I would not recommend using AuthType Basic without SSL, because the passwords will be sent in plaintext.

<Location /path/toauthenticate>
AuthType Basic
AuthShadow on
AuthName "Secure Login against User Passwords"
Require user system-username
# or, to accept any account that exists in /etc/shadow:
#Require valid-user
Order allow,deny
Allow from all
</Location>


Submitted by bgmilne (registered user) on Tue, 2007-02-27 12:59.

The only other way to do this is with PAM. That method is dangerous because the apache user (www-data in my case) must be able to read /etc/shadow.

I don't know about Debian, but under most distributions, it is safe to authenticate against /etc/shadow using pam_unix, since there is a setuid wrapper which validates access from pam_unix running as non-root and allows the checking of one user's password (no read access to passwords is provided).

This seems to be a better solution than what you have described is done by mod_auth_shadow (and used by many more applications than just apache), but your description is not comprehensive ("owned by root" is insufficient to provide access to /etc/shadow, I assume you actually mean setuid root). As such, I think a more comprehensive (and accurate regarding setuid, and mechanisms in place to prevent abuse) discussion of the security differences would be in order, if you propose this as a more secure solution than mod_auth_external and PAM.

Submitted by Thanatos (not registered) on Wed, 2009-04-22 20:30.
Your statement is not correct. This method does not require access to the /etc/shadow file for www-data. It uses an intermediary script to authenticate the user.
Submitted by jeoffw (registered user) on Wed, 2007-05-16 13:47.

The comment about using PAM got my hopes up, but alas. The mod_auth_pam documentation says that apache still requires read-access to the shadow file when using pam_unix: http://pam.sourceforge.net/mod_auth_pam/shadow.html