# Integrating System and Apache Passwords

## plac3bo

Goal: When a user changes his/her password using 'passwd' I would like it to also update that user's apache basic web authentication password.

I have looked at add-in modules for apache that allow apache to authenticate using various options, such as MySQL, Oracle, etc, but did not see anything to use users' system passwords for authentication.  (note: I may have just missed something obvious :/ )

I'm sure others out there have done this or want to do this, so if someone could just point me in the right direction, I'd be very grateful, thanks.

Drew

----------

## Chris W

Possibilities:

- Apache mod_auth_external to call an external program to check against the system user database.
- Move both the system and Apache to use LDAP (pam_ldap/nss_ldap for the system and mod_auth_ldap for Apache).
- Move both the system and Apache to use MySQL (pam_mysql for the system).
- Apache mod_auth_pam to use the system PAM implementation for authentication.

----------

## plac3bo

Wow! Thanks very much for the reply, I will read the docs on all those options and decide which will work best.

----------

## Chris W

The PAM approach is probably easiest to do for one or five users in a single domain.

The MySQL option is useful if you already have virtual hosting, for example, using MySQL.

Having done the LDAP thing for a large organisation, I'd only recommend this if you have another use for the LDAP repository e.g. a CRM system.

----------

## plac3bo

Ok, so I read about the suggestions you gave, and decided mod_auth_external should do the trick and be somewhat secure (this is not a very critical server anyway).

On the mod_auth_external homepage they give reasons why it is secure, most notably that only the program pwauth is given access to the shadow file.

So, I emerged mod_auth_external (surprised to see an ebuild for this) and configured apache accordingly, but now when I get prompted for authentication AND enter a valid user and password, I am not granted access.  Since I used the ebuild, I was not required to manually configure too many options (other than loading the module) and I figured pwauth would "know" where to look for the shadow file.  It does not seem this is the case though, because in my apache error log, I am getting the following error message:

```
[Mon Mar 01 16:49:48 2004] [error] [client 192.168.1.1] AuthExtern pwauth [extramodules/pwauth]: Failed (255) for user valid_gentoo_user
```

Well, I haven't looked too deeply into this yet, and am doing so right now, but wanted to know if anyone had any ideas?

Thanks

----------

## plac3bo

Ah, forgot to include this tidbit of info...

I can run pwauth as root from a shell to test and I can confirm it is working correctly.

----------

## Chris W

You might like to check:

- That pwauth is setuid root.
- That the apache user can see and execute pwauth.
- That the "AddExternalAuth <keyword> <path-to-authenticator>", "SetExternalAuthMethod <keyword> <method>", and "AuthExternal <keyword>" directives are in the correct places.

I think the third option is the most likely problem if you installed by emerge.  The INSTALL documents in /usr/share/mod_auth_external/... shed some light on these directives.

----------

## plac3bo

Well, I got it working : )  It was using a relative path to pwauth.  When I changed it to an absolute path everything worked fine.

The most troubling part of this is that I thought that was the very first thing I tried, it wasn't until I exhausted every possible solution once and made my way back around to re-trying everything again that I got it working.

Anyway, thanks Chris, I appreciate the help.

----------
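The checklist and the relative-path finding from the posts above, as an added example that is not part of the original thread and not code from mod_auth_external or pwauth. The function names `check_authenticator` and `audit_conf` are hypothetical, and the script assumes the server account reaches the binary through its group or other execute bits and that paths contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the thread): audit every authenticator named by an
# AddExternalAuth directive against the checks discussed above.

# check_authenticator PATH: print one finding per line; return 1 if any.
check_authenticator() {
    p=$1; bad=0
    case $p in
        /*) ;;
        *) echo "relative path: $p"; return 1 ;;
    esac
    [ -f "$p" ] || { echo "not a regular file: $p"; return 1; }
    # setuid root is what lets pwauth read the shadow file
    [ -n "$(find "$p" -prune -user root -perm -4000)" ] ||
        { echo "not setuid root: $p"; bad=1; }
    # assumption: the server account executes it via group or other bits
    [ -n "$(find "$p" -prune \( -perm -010 -o -perm -001 \))" ] ||
        { echo "not executable by group/other: $p"; bad=1; }
    # a setuid binary that others can modify is a privilege-escalation risk
    [ -z "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ] ||
        { echo "writable by group/other: $p"; bad=1; }
    return $bad
}

# audit_conf FILE: check the third field of every AddExternalAuth line
# (directive names are case-insensitive; "-" reads the config from stdin).
audit_conf() {
    rc=0
    for path in $(awk 'tolower($1) == "addexternalauth" {
                       gsub(/"/, "", $3); print $3 }' "$1"); do
        check_authenticator "$path" || rc=1
    done
    return $rc
}

# Usage: sh audit.sh /path/to/apache.conf
# With no argument, run on a constructed one-line sample that uses the
# relative path shown in the error log above.
if [ $# -gt 0 ]; then
    audit_conf "$1"
else
    printf 'AddExternalAuth pwauth extramodules/pwauth\n' | audit_conf - || true
fi
```

Run it against each file that carries the directives, including the one holding the SSL virtual host.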

## plac3bo

Since my last posting about this topic, I've decided to enhance security a little more by adding SSL so my passwords would not be transferred as plain text.  Once again, I ran into some problems with auth_external.

This time, I knew more about auth_external in general and was able to come to a solution pretty quickly, but thought I'd post it here just in case anyone else is having the same difficulties.

The problem was that now my unprotected site was working fine with auth_external but my protected site was not recognizing pwauth.  After some investigation and playing around, I discovered I needed to add the following lines under my protected <VirtualHost> block:

```
<IfModule mod_auth_external.c>
    AddExternalAuth pwauth  /usr/lib/apache2-extramodules/pwauth
    SetExternalAuthMethod   pwauth  pipe
</IfModule>
```

And that's it!

----------

