authnz_external_module and pwauth on CentOS 6.2 failure

[GoogleCodeExporter]

What steps will reproduce the problem?
1. Install module 3.2.6 as described by documentation
2. Configure and install pwauth 2.3.10 for PAM authentication 
3. Configure httpd.conf as described by documentation

What is the expected output? What do you see instead?
pwauth works as expected when tested on command line but not through 
authnz_external_module
------------------------------------------------------------
[root@sbctos4 /]# sudo -u apache /usr/local/bin/pwauth
pwtest
m0d3xt3rn@l
[root@sbctos4 /]# echo $?
0
Using wrong name or password returns 1 as expected
-----------------------------------------------------------

What version of the product are you using? On what operating system?

[root@sbctos4 /]# httpd -v
Server version: Apache/2.2.15 (Unix)
Server built:   Feb 13 2012 22:31:42

[root@sbctos4 /]# uname -a
Linux sbctos4 2.6.32-220.el6.x86_64 #1 SMP Tue Dec 6 19:48:22 GMT 2011 x86_64 
x86_64 x86_64 GNU/Linux

authnz_external_module: 3.2.6
pwauth: 2.3.10

Please provide any additional information below.
Same configuration works on CentOS 5  (2.6.18-308.4.1.el5) but not on CentOS 6.2

CentOS 6.2 Configuration follows:
-----------------------------------------------------------------
-rwsr-xr-x. 1 root root 20382 Jun  9 17:29 /usr/local/bin/pwauth
-----------------------------------------------------------------
pwauth config.h and Makefile attached
/etc/pam.d/pwauth attached
/etc/httpd/conf/httpd.conf attached

Original issue reported on code.google.com by azo...@gmail.com on 10 Jun 2012 at 12:13

Attachments:

• config.h
• httpd.conf
• Makefile
• pwauth

[GoogleCodeExporter]

By the way, httpd error_log shows:
[Sat Jun 09 20:02:33 2012] [error] [client 192.168.0.129] AuthExtern pwauth 
[/usr/local/bin/pwauth]: Failed (1) for user pwtest
[Sat Jun 09 20:02:33 2012] [error] [client 192.168.0.129] user pwtest: 
authentication failure for "/": Password Mismatch

and /etc/pam.d/system-auth on CentOS 6.2 shows:
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass 
use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet 
use_uid
session     required      pam_unix.so

Original comment by azo...@gmail.com on 10 Jun 2012 at 12:21

[GoogleCodeExporter]

Anyone have a solve for this?

I having the same problem... using CentOS 6

Original comment by emore...@gmail.com on 12 Sep 2012 at 7:32

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

I run into a similar problem (leading to "password mismatch errors") using the 
instructions of http://www.server-world.info/en/note?os=CentOS_6&p=httpd&f=12

Finally I managed to solve it by doing the following:
1. Removed the SERVER_UIDS in config.h
2. edited the config.h and undefined the NOLOGIN_FILE and MIN_NOLOGIN_UID flags:
/* #define NOLOGIN_FILE "/etc/nologin"  /**/
/* #define MIN_NOLOGIN_UID 1            /**/
3. after making pwauth, SUIDed the pwauth and assigned it to a group of my own 
where the users I wanted to have access to it belong to

I think that the solution to the issue mentioned here was solved by step 2.

Original comment by gka...@gmail.com on 2 Jan 2013 at 4:55

[GoogleCodeExporter]

I was having the same problems where it works from the command line but not 
when pwauth is called from the apache httpd process. In my case, it was selinux 
denying access to the shadow file when pwauth was run by httpd process.  To 
test this theory, run the command 

sudo setenforce 0

And try to login.  If it works, you can permanently disable selinux by changing

SELINUX=enforcing

To 

SELINUX=permissive 

in /etc/selinux/config.  I'm no selinux expert so I have not figured out a way 
to configure selinux to give httpd access to shadow. 

Original comment by maro...@gmail.com on 3 Apr 2013 at 2:53

[GoogleCodeExporter]

i have a similar problem on Gentoo.  i've patched the source to show uid 
failure (doesn't fail), input value (correct), and exit value (0) of pwauth.

so, pwauth is working perfectly and i'm still getting auth failure, so the code 
in this module is breaking somewhere

Original comment by firefigh...@gmail.com on 8 Apr 2013 at 9:09