Invalid AuthExternal keyword (pwauth)

[pmurena]

I'm trying to setup basic authentication on my Apache2 server using AuthExternal and pwauth. Thus using the system users to perform the authentication rather than another user db.

I could install and enable everything seamlessly. Apache2 (2.4.12-2ubuntu2 ), libapache2-mod-authnz-external (3.3.2-0.1) and pwauth (2.3.11-0.1). It's all running on my Ubuntu 15.10 Desktop edition and Linux 4.2.0-30-generic. Nothing fancy really, all standard willy repo installs.

Apache2 is running and the AuthExternal module is loaded correctly, at least as far as I can tell:

me@bla:~$ systemctl status apache2.service | grep Active
  Active: active (running) since Thu 2016-02-25 13:41:02 CET; 33s ago
me@bla:~$ apache2ctl -M | grep external
  authnz_external_module (shared)

I have defined the modules to be used as well as the Derictory to which to apply the authentication in the VHost config file. See my /etc/apache2/sites-enabled/000-default.conf below:

<IfModule mod_authnz_external.c>
    AddExternalAuth pwauth /usr/sbin/pwauth
    SetExternalAuthMethod pwauth pipe
</IfModule>

<VirtualHost *:80>

    ServerAdmin webmaster@localhost 
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/html/sec>
        AuthType Basic
        AuthName "Restricted Area"
        AuthBasicProvider external
        AuthExternal pwauth
        Require user pat 
    </Directory>
</VirtualHost>

Now, when I try to open loclahost/sec in a browser I'm prompted to log in. I provide pat as a user and his password and wait for the magic to happen. Unfortunately I get a internal server error rather than the expected index.html 'Hello World'....

So I checked the apache2 error logs and found 'Invalid AuthExternal keyword (pwauth)' in there. After some digging I came to realize, that this error is raised by AuthExternal because it can't find the specified pwauth. So I went and checked that by running:

sudo -u www-data which pwauth

That returned the same path as specified in the above config file, so that can be excluded....

I then tried to redirect AuthExternal to a shell script to test the module independently of pwauth. The script simply appends a string to a files for me to see if it's being called by AuthExternal or not. I ran 'chmod u+s a+x' on the file to allow it to run with root privilege, as pwauth needs that to access passwd, and gave it another try. I also tried the same without u+s as it's not needed here but that didn't went any better. This test lead me to think, that there is something wrong with my apache2 and not pwauth.

I tested all of that with Cromium and Firefox, not that it matters int his case, but you know... one can never be sure enough, right? I also tried all variations I could think of with respect to where I was putting the directives. All directly in the appache2.conf, the directory in appache2.conf and the module inclusion in ./conf-enable/security.conf, modules in security and directory in the vhost, etc... None of these variations helped, some made it worst though...

I then did a lot of googling.... But I could only find information with respect to this topic from the httpd.conf era which doesn't really apply anymore. Even if it still provides some valid and useful hints... In addition, most, if not all of those threads use a .htaccess approach. Which I'm trying to avoid by using the Directory directives in order to avoid the performance lack induced by .htaccess.

Anyhow, I'm out of ideas as of where to look or what to try. I'm turning in circles to be honest and would appreciate any hint, ideas or solutions to get me further.

[phokz]

Hi, I've just quickly looked at your config samples, and here are suggestions:

It is best to split configuration/testing to small parts and test them independently.

Here is how to test pwauth itself:

echo -en "john\njohnspassword\n" | /usr/sbin/pwauth && echo OK || echo FAIL

Here is how to test mod_authnz_external itself:

• just change /usr/sbin/pwauth to /bin/true and check auth to pass
• change it to /bin/false and check auth to fail

Browser does not mater. It is best to test it with simple tools like curl (which do not have cache).

[phokz]

Main problem with your config is that AddExternalAuth and SetExternalAuthMethod have to be inside your virtualhost block. Personally I'd also omit <IfModule>:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    AddExternalAuth pwauth /usr/sbin/pwauth
    SetExternalAuthMethod pwauth pipe

    <Directory /var/www/html/sec>
        AuthType Basic
        AuthName "Restricted Area"
        AuthBasicProvider external
        AuthExternal pwauth
        Require valid-user
    </Directory>
</VirtualHost>

[pmurena]

Hi phokz, thanks so much for your answer.... first of all I love /bin/true|false, didn't knew them to be honest... would have saved me a lot of time in the past and will make me so much more efficient in the future. Plus I mean, doing nothing successfully, common how cool is that ;) I think I found my man idol...

anyhow, on a more serious note, having put Add.... & Set... inside the VH block seems to have solved the problem. Which is cool, but brings up the question, why didn't the config work when Add... and Set... were in apache2.conf which should define them globally, right?