Install and Configure Auth Shadow on Debian/Ubuntu 

Caveat

This method of installation and configuration works for me, using a combination of apt and building from source. An easier method may exist. Always check the software you are installing from apt using

apt-cache showpkg pkgname

for version and dependencies. As usual, your mileage may vary and you proceed at your own risk.

Pre-reqs

You must have a working apache or apache2 installation and understand the concepts involved with restarting the server, enabling modules and the location and format of configuration files, e.g., httpd.conf or apache2.conf.

Background

Auth Shadow, or mod-auth-shadow, is a module for apache (and apache2, sort of) that enables authentication against /etc/shadow. The benefit is that any system user with a password can be authenticated for WebDAV, Subversion or simply an HTTPS server. The only other way to do this is with PAM. That method is dangerous because the apache user (www-data in my case) must be able to read /etc/shadow, which is obviously not a good idea. Auth Shadow accomplishes this safely by using an intermediate program called validate. This works because validate can be owned by root but executable by everyone, so the apache user never needs read access to /etc/shadow itself. In the event that your server is compromised through apache, your password file will not be readable.

Installation

Officially, mod-auth-shadow only exists for apache and not for apache2. I was not willing to accept this. I will demonstrate the installation on debian/ubuntu using apt for apache. For apache2, I had to find a build of the module for x86. This presents two problems. First, the newest version has not yet been built and second, the version that has been built (in an .rpm file) contains a bug in the "validate" program causing uid errors.

Download - Apache2 only

Download the rpm for your architecture from rpmfind.net - downloads.

Download the latest source code (for compiling validate) from sourceforge here.

Install module

Apache:

sudo apt-get install libapache-mod-auth-shadow

Apache2:

In order to install a module from an .rpm, you must install alien.

sudo apt-get install alien

From here you can install the rpm by doing

sudo alien -i packagename.rpm

Compile Validate - Apache2 only

In the directory containing the source for mod-auth-shadow, compile and install validate with

sudo make validate
sudo cp validate /usr/sbin

This must be done as root because the permissions are changed.
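
The permission model described under Background (validate owned by root and executable by everyone, the apache user unable to read /etc/shadow) can be checked once validate is in place. The script below is an added example, not part of the original page or of mod-auth-shadow; the helper path comes from the cp command above, while the function names, the www-data default and the check for Debian's shadow group are assumptions.

```shell
#!/bin/sh
# Added example: permission audit for the Auth Shadow setup described above.
# Assumed defaults: /usr/sbin/validate, /etc/shadow, web user www-data.

# helper_ok MODE OWNER: succeeds if the helper is owned by root, executable
# by everyone, and not writable by group or other. MODE is octal, e.g. 755.
helper_ok() {
    mode=$1 owner=$2
    [ "$owner" = "root" ] || { echo "helper owner is '$owner', expected root"; return 1; }
    [ $(( 0$mode & 0001 )) -ne 0 ] || { echo "helper not executable by others"; return 1; }
    [ $(( 0$mode & 0022 )) -eq 0 ] || { echo "helper writable by group/other"; return 1; }
    return 0
}

# shadow_ok MODE: succeeds if "other" has no access bits on the password file.
shadow_ok() {
    [ $(( 0$1 & 0007 )) -eq 0 ] || { echo "shadow file open to others (mode $1)"; return 1; }
}

# web_user_isolated "GROUP ...": succeeds if the web user's groups do not
# include root or shadow, either of which could grant access to /etc/shadow.
web_user_isolated() {
    for g in $1; do
        case $g in
            root|shadow) echo "web user is in group '$g'"; return 1 ;;
        esac
    done
    return 0
}

# audit [HELPER] [SHADOW] [WEBUSER]: run all checks on the live system
# (uses GNU stat, as shipped on Debian/Ubuntu).
audit() {
    helper=${1:-/usr/sbin/validate} shadow=${2:-/etc/shadow} webuser=${3:-www-data}
    rc=0
    set -- $(stat -c '%a %U' "$helper")
    helper_ok "$1" "$2" || rc=1
    shadow_ok "$(stat -c '%a' "$shadow")" || rc=1
    web_user_isolated "$(id -Gn "$webuser")" || rc=1
    return $rc
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then shift; audit "$@"; fi
```

Run it as `sh check.sh --audit` after copying validate; any line it prints names the property that does not hold.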

Loading the Auth Shadow Module

For Apache, loading the module should be handled automatically by apt-get install.

Apache2 requires us to enable it with

sudo a2enmod auth_shadow

Configuring Apache(2)

Wherever your configuration for directories, locations or virtual hosts lives, try modifying the following configuration to fit your needs. Only the basic requirements are included in this example.

In addition, I would not recommend using AuthType Basic without SSL because the passwords will be sent in plaintext.

<Location /path/toauthenticate>
AuthType Basic
AuthShadow on
AuthName "Secure Login against User Passwords"
Require user system-username
#Require valid-user
Order allow,deny
Allow from all
</Location>