Debian Bug report logs - #394097
libapache2-mod-auth-pam: doesnt work with Apache > 2.1

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Sven Weidauer <debian@dergraf.net>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libapache2-mod-auth-pam: doesnt work with Apache > 2.1

Date: Thu, 19 Oct 2006 12:34:31 +0200

Package: libapache2-mod-auth-pam
Version: 1.1.1-6.1
Severity: grave
Justification: renders package unusable

Since the auth mechanisms were changed in Apache 2.1 this module does
not work any more. It probably should be replaced by mod_authn_pam
available at http://mod-auth.sourceforge.net/docs/mod_authn_pam/

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)

Versions of packages libapache2-mod-auth-pam depends on:
ii  apache2.2-common             2.2.3-2     Next generation, scalable, extenda
ii  libc6                        2.3.6.ds1-6 GNU C Library: Shared libraries
ii  libpam0g                     0.79-3.2    Pluggable Authentication Modules l

libapache2-mod-auth-pam recommends no packages.

Message #10 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Robbert Kouprie <robbert@radium.jvb.tudelft.nl>

To: Sven Weidauer <debian@dergraf.net>

Cc: 394097@bugs.debian.org

Subject: Re: libapache2-mod-auth-pam: doesnt work with Apache > 2.1

Date: Thu, 02 Nov 2006 23:32:10 +0100

> Since the auth mechanisms were changed in Apache 2.1 this module does
> not work any more. It probably should be replaced by mod_authn_pam
> available at http://mod-auth.sourceforge.net/docs/mod_authn_pam/

It works for me. Can you be more specific?

I am going to lower this to 'important' as I am still able to use the 
package with apache 2.2.3-2, and would not like it to disappear while 
there's no mod_authn_pam package yet.

Regards,
Robbert

Message #17 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Thomas Köllmann <koellmann@gmx.net>

To: Debian Bug Tracking System <394097@bugs.debian.org>

Subject: Re: libapache2-mod-auth-pam: doesnt work with Apache > 2.1

Date: Sat, 04 Nov 2006 13:21:45 +0100

Package: libapache2-mod-auth-pam
Version: 1.1.1-6.1
Followup-For: Bug #394097


If you still have mod-auth-pam working, could you please provide
some information on how to configure it?

On Apache 2.0.x I had working:

AuthPAM_Enabled on
AuthType Basic
AuthName "DSPAM Control Center"
Require valid-user
Satisfy All

Now, on Apache 2.2.x, I have to specify an additional
"AuthBasicProvider" for "AuthType Basic" to work, right? What would
I use there for mod-auth-pam?


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: sparc (sparc64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-sparc64
Locale: LANG=en_US.ISO-8859-15, LC_CTYPE=en_US.ISO-8859-15 (charmap=ISO-8859-15)

Versions of packages libapache2-mod-auth-pam depends on:
ii  apache2.2-common             2.2.3-3     Next generation, scalable, extenda
ii  libc6                        2.3.6.ds1-7 GNU C Library: Shared libraries
ii  libpam0g                     0.79-4      Pluggable Authentication Modules l

libapache2-mod-auth-pam recommends no packages.

-- no debconf information

Message #22 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Rajko Albrecht <ral@alwins-world.de>

To: 394097@bugs.debian.org

Subject: It doesn't work after upgrade to apache2 2.2.3 anymore

Date: Mon, 6 Nov 2006 15:09:43 +0100

Here the same: just upgraded and auth_pam doesn't work anymore. 

If any one has it working, please tell, authn_pam isn't reachable, auth_pam 
doesn't work in debian, switch to another server isn't possible this moment - 
wonderfull.


Only that brainfucked clear error message in logfile:

Internal error: pcfg_openfile() called with NULL filename

Config as worked until:

AuthType Basic
AuthPAM_Enabled on
AuthName "Subversion Repositories on XXXX"
Require group XXX
Require user xxxx


it asks for username/password and than stops with that "internal error bla"


Would nice getting some information more if it works on your side, Robbert, 
and would great when this information (even them will work later on) would be 
n a README in package.

tnx

Message #27 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Robbert Kouprie <r.kouprie@exx.nl>

To: Thomas Köllmann <koellmann@gmx.net>, Rajko Albrecht <ral@alwins-world.de>

Cc: 394097@bugs.debian.org

Subject: Re: libapache2-mod-auth-pam: doesnt work with Apache > 2.1

Date: Tue, 7 Nov 2006 13:00:14 +0100 (CET)

Hi guys,

Please try adding "AuthBasicAuthoritative Off" to your configuration.

My complete config is:

<Directory /var/www/protected>
  AuthType Basic
  AuthName "Please login"
  AuthPAM_Enabled on
  AuthPAM_FallThrough off
  AuthBasicAuthoritative off
  require valid-user
</Directory>

Regards,
Robbert

Message #32 received at 394097@bugs.debian.org (full text, mbox, reply):

From: ral@alwins-world.de

To: Robbert Kouprie <r.kouprie@exx.nl>

Cc: 394097@bugs.debian.org

Subject: Re: libapache2-mod-auth-pam: doesnt work with Apache > 2.1

Date: Tue, 07 Nov 2006 15:09:46 +0100

Zitat von Robbert Kouprie <r.kouprie@exx.nl>:

> Hi guys,
>
> Please try adding "AuthBasicAuthoritative Off" to your configuration.
>
> My complete config is:
>
> <Directory /var/www/protected>
>   AuthType Basic
>   AuthName "Please login"
>   AuthPAM_Enabled on
>   AuthPAM_FallThrough off
>   AuthBasicAuthoritative off
>   require valid-user
> </Directory>
>
> Regards,
> Robbert

Works! Wonderful, many thanks, the guys (and ladies) are lucky getting  
their http access back. This should put into documentation of the  
module I think.

bye and thanks

Rajko

Message #37 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Robin Farine <robin.farine@terminus.org>

To: 394097@bugs.debian.org

Subject: Re: libapache2-mod-auth-pam: doesnt work with Apache > 2.1

Date: Wed, 8 Nov 2006 10:37:44 +0100

On Tue November 7 2006 13:00, Robbert Kouprie wrote:

> My complete config is:
>
> <Directory /var/www/protected>
>    AuthType Basic
>    AuthName "Please login"
>    AuthPAM_Enabled on
>    AuthPAM_FallThrough off
>    AuthBasicAuthoritative off
>    require valid-user
> </Directory>

This did not work out of the box for me when I upgraded to apache2 
2.2.3-3. After some trial and errors -- apache2 error messages did 
not ring any bell -- it occurred that for auth_pam with "Require 
valid-user" to work, the auth_basic and authz_user modules have to 
be enabled.

HTH,

Robin

Message #42 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Thomas Köllmann <koellmann@gmx.net>

To: Robbert Kouprie <r.kouprie@exx.nl>

Cc: Rajko Albrecht <ral@alwins-world.de>, 394097@bugs.debian.org

Subject: Re: libapache2-mod-auth-pam: doesnt work with Apache > 2.1

Date: Wed, 8 Nov 2006 12:41:14 +0100

Hallo, Robbert!

On Tue, 7 Nov 2006 13:00:14 +0100 (CET)
Robbert Kouprie <r.kouprie@exx.nl> wrote:

> Please try adding "AuthBasicAuthoritative Off" to your configuration.
> 
> My complete config is:
> 
> <Directory /var/www/protected>
>    AuthType Basic
>    AuthName "Please login"
>    AuthPAM_Enabled on
>    AuthPAM_FallThrough off
>    AuthBasicAuthoritative off
>    require valid-user
> </Directory>

Does not work for me. I get:

[Wed Nov 08 12:34:20 2006] [error] [client 192.168.250.2] No Authn provider configured
[Wed Nov 08 12:34:20 2006] [crit] [client 192.168.250.2] configuration error:  couldn't check access.  No groups file?: /

As I understand the documentation this is the expected behaviour, as libapache2-auth-pam does not include an Apache2.2-style authn provider.

I only wonder how you still have it working... :-)

Mit schönem Gruß
 - Thomas


-- 
"Mit der Rückkehr völliger Geistesabwesenheit ist wohl die absolute
Genesung garantiert."
 - Lawrence Durrell, Nunquam
/* PGP key auf Wunsch per e-mail || PGP key sent on request */

Message #47 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Thomas Köllmann <koellmann@gmx.net>

To: Robin Farine <robin.farine@terminus.org>

Cc: 394097@bugs.debian.org, Robbert Kouprie <r.kouprie@exx.nl>

Subject: Re: libapache2-mod-auth-pam: doesnt work with Apache > 2.1

Date: Wed, 8 Nov 2006 13:35:40 +0100

Robin Farine <robin.farine@terminus.org> wrote:

> This did not work out of the box for me when I upgraded to apache2 
> 2.2.3-3. After some trial and errors -- apache2 error messages did 
> not ring any bell -- it occurred that for auth_pam with "Require 
> valid-user" to work, the auth_basic and authz_user modules have to 
> be enabled.

Thanks, enabling the authz_user module together with "AuthBasicAuthoritative off" works.

I still think this is a workaround though (as I still get "No Authn provider configured" warnings)
and not a proper solution -- which would be a libapache2-authn-pam package, IMHO.

Thanks,
 - Thomas


-- 
Hang myself
When I get enough rope
 - The Tubes, White Punks on Dope
/* PGP key auf Wunsch per e-mail || PGP key sent on request */

Message #52 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Thomas Köllmann <koellmann@gmx.net>

To: 394097@bugs.debian.org

Subject: Re: libapache2-mod-auth-pam: doesnt work with Apache > 2.1

Date: Wed, 8 Nov 2006 13:57:53 +0100

I wrote:

> Thanks, enabling the authz_user module together with "AuthBasicAuthoritative off" works.

> I still think this is a workaround though (as I still get "No Authn provider configured" warnings)
> and not a proper solution -- which would be a libapache2-authn-pam package, IMHO.

Not only do I get those warnings but also Internal Server Errors where I should get authorization failures (when I specify invalid credentials)...

Mit schönem Gruß
 - Thomas


-- 
"What!" said Bois-Gilbert, "so soon?"
"Ay," replied the preceptor, "trial moves rapidly on when the judge
has determined the sentence beforehand." -- Sir Walter Scott, Ivanhoe
/* PGP key auf Wunsch per e-mail || PGP key sent on request */

Message #57 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Ernest ter Kuile <ernestjw@xs4all.nl>

To: Debian Bug Tracking System <394097@bugs.debian.org>

Subject: libapache2-mod-auth-pam with apache >= 2.1 needs AuthBasicAuthoritative Off

Date: Sun, 26 Nov 2006 17:21:34 +0100

Package: libapache2-mod-auth-pam
Version: 1.1.1-6.1
Followup-For: Bug #394097


libapache2-mod-auth-pam _does_ work with latest apache, but doesn't fall 
completely under the hood of AuthType Basic anymore (real reason is not clear to me)

As long as mod_authn_pam isn't packaged with Debian, user or script must add:

AuthBasicAuthoritative Off

to make it work.

The error reported by Apache is quite confusing if directive above is missing

[Sun Nov 26 16:50:28 2006] [error] Internal error: pcfg_openfile() called with NULL filena
[Sun Nov 26 16:50:28 2006] [error] [client 192.168.1.99] (9)Bad file descriptor: Could not

My current authentication sheme within dav_svn.conf is now:

  AuthType Basic        

  # Use next two statement with mod_auth_pam
  AuthPAM_Enabled on
  AuthBasicAuthoritative Off

  # Use next statement when using mod_authn_pam (notice extra 'n' in name)
  # AuthBasicProvider pam

  AuthName "Subversion repositiory access"

  Require valid-user


-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18.3
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Message #62 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Hans Grobler <hans.grobler@up.ac.za>

To: 394097@bugs.debian.org

Subject: Re: libapache2-mod-auth-pam: doesnt work with Apache > 2.1

Date: Wed, 13 Dec 2006 09:34:38 +0200

I have also had problems after an upgrade to Etch. The recommended additions of
"AuthPAM_FallThrough off" and "AuthBasicAuthoritative off" however do not work
in my case. My setup makes use of LDAP and Kerberos and as far as I know the
PAM configuration is correct (for example: I can successfully SSH with both
LDAP/Kerberos and local accounts).

Regards,
-- Hans

This message and attachments are subject to a disclaimer. Please refer
to www.it.up.ac.za/documentation/governance/disclaimer/ for full
details. / Hierdie boodskap en aanhangsels is aan 'n vrywaringsklousule
onderhewig. Volledige besonderhede is by
www.it.up.ac.za/documentation/governance/disclaimer/ beskikbaar.

Message #67 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Joerg Dorchain <joerg@dorchain.net>

To: 394097@bugs.debian.org

Subject: auth_pam does not work

Date: Mon, 5 Feb 2007 16:13:17 +0100

[Message part 1 (text/plain, inline)]

Hello,

thanks to all the previous posters. Unfortunately it does not work for
me.
My config snippet:
        <Location /svn>
                DAV svn
                SVNPath /var/lib/svn
                ForceType text/plain
                SVNAutoversioning on

                Satisfy All
                AuthPAM_Enabled On
                AuthPAM_FallThrough off
                AuthType Basic
                AuthBasicAuthoritative off
                AuthName "Subversion Repository"
                Require group subversion
        </Location>

My modules:
alias.load          authz_user.load  dir.conf          php4.load
auth_basic.load     autoindex.load   dir.load          proxy.conf
auth_pam.load       dav.load         env.load          proxy.load
authn_default.load  dav_fs.conf      info.load         rewrite.load
authn_file.load     dav_fs.load      mime.load         setenvif.load
authz_default.load  dav_svn.conf     negotiation.load  status.load
authz_host.load     dav_svn.load     php4.conf

Could one of the people who say it works please also post their list of
included modules, esp. the auth* ones?

Kind regards,

Joerg

[signature.asc (application/pgp-signature, inline)]

Message #74 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Filipe Lautert <filipe@icewall.org>

To: Debian Bug Tracking System <394097@bugs.debian.org>

Subject: libapache2-mod-auth-pam: auth_pam does not work

Date: Fri, 09 Mar 2007 08:47:08 -0300

Package: libapache2-mod-auth-pam
Version: 1.1.1-6.1
Followup-For: Bug #394097

Hi!

Following this thread I could get auth_pam to work, but for each action
that I take it prints the following in my apache error.log:

[Fri Mar 09 08:43:07 2007] [error] Internal error: pcfg_openfile()
called with NULL filename
[Fri Mar 09 08:43:07 2007] [error] [client 200.189.112.13] (9)Bad file
descriptor: Could not open password file: (null)
[Fri Mar 09 08:43:07 2007] [error] Internal error: pcfg_openfile()
called with NULL filename
[Fri Mar 09 08:43:07 2007] [error] [client 200.189.112.13] (9)Bad file
descriptor: Could not open password file: (null)
[Fri Mar 09 08:43:07 2007] [error] Internal error: pcfg_openfile()
called with NULL filename
[Fri Mar 09 08:43:07 2007] [error] [client 200.189.112.13] (9)Bad file
descriptor: Could not open password file: (null)
[Fri Mar 09 08:43:08 2007] [error] Internal error: pcfg_openfile()
called with NULL filename
[Fri Mar 09 08:43:08 2007] [error] [client 200.189.112.13] (9)Bad file
descriptor: Could not open password file: (null)

And so on. It works, but still creating those logs. My configuration:

<Location /svn/debian>
  DAV svn
  SVNPath /var/lib/svn/debian
  AuthType Basic
  AuthPAM_Enabled on
  AuthBasicAuthoritative off
  AuthName "Subversion Repository"
  require valid-user
  SSLRequireSSL
</Location>

Regards,

Filipe

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-k7
Locale: LANG=pt_BR, LC_CTYPE=pt_BR (charmap=ISO-8859-1) (ignored: LC_ALL set to pt_BR)

Versions of packages libapache2-mod-auth-pam depends on:
ii  apache2.2-common            2.2.3-3.3    Next generation, scalable, extenda
ii  libc6                       2.3.6.ds1-11 GNU C Library: Shared libraries
ii  libpam0g                    0.79-4       Pluggable Authentication Modules l

libapache2-mod-auth-pam recommends no packages.

-- no debconf information

Message #79 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Trev Peterson <trev@advanced-reality.com>

To: 394097@bugs.debian.org

Subject: Doesn't work here

Date: Mon, 19 Mar 2007 07:57:14 -0500

I have been trying to get this to work here for many hours now with no
luck.  Right now it lets anyone (no authentication necessary).  The PAM
config seems OK (it works for ssh with the same common-auth and
common-account as the apache2).  If I uncomment either of the Require
statements I get the "could not open password file: (null)" error.

Error lines from log:
[Mon Mar 19 07:21:05 2007] [error] [client 192.168.19.2] (9)Bad file
descriptor: Could not open password file: (null)
[Mon Mar 19 07:21:05 2007] [error] [client 192.168.19.2] PAM: user
'peterson'  - invalid account: Authentication service cannot retrieve
authentication info.

Pam is authenticating via pam_krb5(against AD) and pam_unix
(/etc/passwd).

Relevant Apache config:

    <Location /svn>
        DAV svn
        SVNParentPath /var/lib/svn
        AuthType Basic
        AuthPAM_Enabled on
        AuthPAM_FallThrough off
        AuthBasicAuthoritative off
        AuthName "Subversion repository"
#        AuthzSVNAccessFile /var/lib/svn/svnaccess
#        Require valid-user
#       Require group svn-users
    </Location>

mods-enabled are:
actions.load          cache.load    env.load          php5.conf
alias.load            cgi.load      expires.load      php5.load
auth_basic.load       dav_fs.conf   fcgid.conf        rewrite.load
auth_digest.load      dav_fs.load   fcgid.load        setenvif.load
authn_file.load       dav.load      headers.load      speling.load
auth_pam.load         dav_svn.conf  include.load      ssl.conf
authz_default.load    dav_svn.load  info.load         ssl.load
authz_groupfile.load  deflate.conf  mime.load         status.load
authz_host.load       deflate.load  mime_magic.conf   suexec.load
authz_user.load       dir.conf      mime_magic.load   usertrack.load
autoindex.load        dir.load      negotiation.load  vhost_alias.load


Package versions:
apache2-mpm-prefork               2.2.3-3.3
libapache2-mod-auth-pam           1.1.1-6.1
libapache2-svn                    1.4.2dfsg1-2


Does anyone have this working with Require group OR AuthzSVNAccessFile?

-- 
Trev Peterson
Advanced Reality
Email: trev@advanced-reality.com
Phone: +1 847 406 9018

Message #84 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Marc Sherman <msherman@projectile.ca>

To: 394097@bugs.debian.org

Cc: Filipe Lautert <filipe@icewall.org>

Subject: To silence the error message

Date: Fri, 27 Apr 2007 17:13:19 -0400

Filipe Lautert <filipe@icewall.org> wrote:
> Following this thread I could get auth_pam to work, but for each
> action that I take it prints the following in my apache error.log:
> 
> [Fri Mar 09 08:43:07 2007] [error] Internal error: pcfg_openfile() 
> called with NULL filename
> [Fri Mar 09 08:43:07 2007] [error] [client 200.189.112.13] (9)Bad
> file descriptor: Could not open password file: (null)
> 
> And so on. It works, but still creating those logs.

That's because the default basic authentication method, mod_authn_file,
is still taking a first crack at authenticating each access, and it
reports an error because it doesn't have a file configured. It then
passes through to mod_auth_pam because of the "AuthBasicAuthoritative
off", which in turn succeeds.

To silense the error message, configure mod_authn_file to use a null
config file, with "AuthUserFile /dev/null".

- Marc

Message #89 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Björn Keil <abgrund@silberdrache.net>

To: 394097@bugs.debian.org

Subject: Example config

Date: Fri, 18 May 2007 14:57:48 +0200

[Message part 1 (text/plain, inline)]

Filipe Lautert <filipe@icewall.org> wrote:
> Following this thread I could get auth_pam to work, but for each
> action that I take it prints the following in my apache error.log.
So, based on Marc's post the following would be a viable config (authentication only):

<Location /confidential>
	AuthType Basic
	require valid-user
	## Workaround to have authn_file working
	## but reject any login attempt for
	## mod_auth_pam to handle it.
	AuthBasicProvider file
	AuthUserFile /dev/null
	AuthBasicAuthoritative off
	AuthPam_Enabled on
	AuthPam_FallThrough off
	## Comment the last paragraph and
	## uncomment the following directives,
        ## should  mod_authn_pam become
	## available
	# AuthBasicProvider pam
	# AuthBasicAuthoritative on
</Location>

[signature.asc (application/pgp-signature, attachment)]

Message #94 received at 394097@bugs.debian.org (full text, mbox, reply):

From: kirstin penelope rhys <kirstin.rhys@helicor.com>

To: Debian Bug Tracking System <394097@bugs.debian.org>

Subject: Successful recipe for etch libapache2-mod-auth-pam

Date: Wed, 06 Jun 2007 04:58:46 -0400

Package: libapache2-mod-auth-pam
Version: 1.1.1-6.1
Followup-For: Bug #394097


If you are using pam authentication exclusively of the apache authentication 
methods, I've found a short term solution until there is an mod-authn-pam 
package availible.

first, disable auth_basic via 

% a2dismod auth_basic

Then you need a directory or .htaccess configuration with, for example,

<Directory /var/www/dspam>
   Options +ExecCGI -Indexes
   DirectoryIndex dspam.cgi
   AllowOverride None

   SSLRequireSSL
   AuthPAM_Enabled on
   AuthType Basic
   AuthName "DSPAM Control Center"
   Require group users
</Directory>

That, followed by an

% invoke-rc.d apache2 force-reload 

Will give you working pam authentication. The trick is to avoid "Require 
valid-user". It does not work. "Require group xxx" does. There may well be 
others which are sucessful, but these are the only ones that I've tested.

My enabled modules are:

alias.load            authz_user.load  fcgid.conf        ssl.load
authn_file.load       autoindex.load   fcgid.load        status.load
auth_pam.load         cgid.conf        mime.load         suexec.load
auth_sys_group.load   cgid.load        negotiation.load  usertrack.load
authz_default.load    dir.conf         rewrite.load
authz_groupfile.load  dir.load         setenvif.load
authz_host.load       env.load         ssl.conf

cheers,

kirstin

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (700, 'stable'), (625, 'testing'), (600, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-amd64
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages libapache2-mod-auth-pam depends on:
ii  apache2.2-common            2.2.3-4      Next generation, scalable, extenda
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries
ii  libpam0g                    0.79-4       Pluggable Authentication Modules l

libapache2-mod-auth-pam recommends no packages.

-- no debconf information

Message #99 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Udo Waechter <udo.waechter@uni-osnabrueck.de>

To: 394097@bugs.debian.org

Subject: does not work with 'require group XYZ'

Date: Tue, 04 Dec 2007 15:57:11 +0100

Package: libapache2-mod-auth-pam
Version: 1.1.1-6.1

--- Please enter the report below this line. ---
following all suggestions from the already existing bug report, I still 
can not get this running when I use: "Require group <somegroup>"
It works when "Require valid-user" is used.
All permutations of setting

  AuthPAM_FallThrough off
  AuthBasicAuthoritative off

to on to off and vice-versa do not work either.


--- System information. ---
Architecture: i386
Kernel:       Linux 2.6.22-2-686

Debian Release: 4.0
  990 stable          security.debian.org
  990 stable          mirrors.ecology.uni-kiel.de
  990 stable          hal.ikw.uni-osnabrueck.de
  500 unstable        mirrors.ecology.uni-kiel.de
  500 unstable        hal.ikw.uni-osnabrueck.de
  500 testing         security.debian.org
  500 testing         mirrors.ecology.uni-kiel.de
  500 testing         hal.ikw.uni-osnabrueck.de

--- Package information. ---
Depends       (Version) | Installed
=======================-+-===========
                        |

Message #104 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Flavien Lebarbe <flavien-debian@lebarbe.net>

To: 394097@bugs.debian.org

Subject: www-data needs to be member of group "shadow"

Date: Thu, 17 Jul 2008 16:51:19 +0200

Hi,


mod_auth has to be able to read /etc/shadow in order to check the
password. Therefore, www-data (the user running apache2) has to have
enough privileges. On my etch system, I had to :

1/ chgrp shadow /etc/shadow
2/ Edit /etc/group and add www-data (the user running apache2) to
   the members of "shadow" group.


Hope this helps,

Flavien.

Message #109 received at 394097@bugs.debian.org (full text, mbox, reply):

From: "Alexi Kostibas" <alexi@kostibas.com>

To: 394097@bugs.debian.org

Subject: Re: libapache2-mod-auth-pam: doesnt work with Apache > 2.1

Date: Fri, 26 Sep 2008 13:40:25 -0700

[Message part 1 (text/plain, inline)]

In case anyone is still hitting their heads against the wall on this, here's
a way to get "require valid-user" and "require group xxx" working:

Enable modules:
 auth_basic
 auth_pam
 auth_sys_group:

Config:
<Directory "/local/www">
    AuthType Basic
    AuthName "Private Access"
    AuthPAM_Enabled On
    AuthGROUP_Enabled on
    Require valid-user
    Require group web
    AuthUserFile /dev/null
    AuthBasicAuthoritative Off
</Directory>

[Message part 2 (text/html, inline)]

Message #114 received at 394097@bugs.debian.org (full text, mbox, reply):

From: "Karl O. Pinc" <kop@meme.com>

To: 394097@bugs.debian.org

Subject: Put AuthType Basic at the top to get libapache2-mod-auth-pam to work

Date: Mon, 24 Nov 2008 09:45:39 -0600

Hello,

I may be wrong, but I believe I had to put the
AuthType Basic directive above the other auth
directives in the config file before
libapache2-mod-auth-pam worked on Etch.

Regards,

Karl <kop@meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein

Message #119 received at 394097@bugs.debian.org (full text, mbox, reply):

From: "Karl O. Pinc" <kop@meme.com>

To: 394097@bugs.debian.org

Subject: AuthUserFile /dev/null makes the "pcfg_openfile() called with NULL filename" go away

Date: Tue, 17 Mar 2009 20:59:35 -0500

"AuthUserFile /dev/null" makes the
"pcfg_openfile() called with NULL filename"
error in the logs go away.

"AuthBasicAuthoritative off" didn't do the job.


Karl <kop@meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein

Message #124 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Richard Scott <r.scott@har.mrc.ac.uk>

To: 394097@bugs.debian.org

Subject: Re: libapache2-mod-auth-pam: doesnt work with Apache > 2.1

Date: Fri, 15 May 2009 12:04:02 +0100

Hi,

I needed to add the www-data user into the shadow group so it could read 
/etc/shadow.
Once I did that the authentication worked :-)

Hope this helps.

Richard.

Message #129 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Marcin Szewczyk <Marcin.Szewczyk@wodny.org>

To: 394097@bugs.debian.org

Subject: Re: libapache2-mod-auth-pam: doesnt work with Apache > 2.1

Date: Fri, 09 Oct 2009 21:43:45 +0200

Am I the only one, who thinks that giving anything a privilege to read
/etc/shadow while using PAM is a complete misunderstanding of how PAM works?

-- 
Marcin Szewczyk                       http://wodny.org
mailto:Marcin.Szewczyk@wodny.borg  <- remove b / usuń b
xmpp:wodny@ubuntu.pl                  xmpp:wodny@jabster.pl

Message #134 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Torsten Landschoff <t.landschoff@gmx.net>

To: Marcin Szewczyk <Marcin.Szewczyk@wodny.org>, 394097@bugs.debian.org

Subject: Re: Bug#394097: libapache2-mod-auth-pam: doesnt work with Apache > 2.1

Date: Thu, 7 Jan 2010 16:41:03 +0100

Hi Marcin,

On Fri, Oct 09, 2009 at 09:43:45PM +0200, Marcin Szewczyk wrote:
> Am I the only one, who thinks that giving anything a privilege to read
> /etc/shadow while using PAM is a complete misunderstanding of how PAM works?
 
No. I found this report while trying to reduce the duplication in password
databases on our company server. And I can't stop shaking my head about this
"trick".

1) /etc/shadow should not be readable by any network services (at least not
directly). There is a reason why pam uses a suid helper to read it...
See unix_chkpwd(8). Why a program not intended to be called directly from
the command line is sitting in /sbin is beyond me though...

2) The whole idea of PAM is to abstract away the underlying authentication
source. We are going via LDAP here, so having it access /etc/shadow would
not help in any way...

If you open up access to /etc/shadow you are doing something very wrong.

Greetings, Torsten

Message #139 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Marcin Szewczyk <Marcin.Szewczyk@wodny.org>

To: Torsten Landschoff <t.landschoff@gmx.net>

Cc: 394097@bugs.debian.org

Subject: Re: Bug#394097: libapache2-mod-auth-pam: doesnt work with Apache > 2.1

Date: Fri, 08 Jan 2010 00:43:53 +0100

Torsten Landschoff wrote:
> If you open up access to /etc/shadow you are doing something very wrong.

I forgot to mention that finally I've used a combination of:
libapache2-mod-authnz-external + pwauth
http://packages.debian.org/squeeze/libapache2-mod-authnz-external
http://packages.debian.org/squeeze/pwauth

with a wrapper:
exec sudo -u www-data /usr/sbin/pwauth
and the line in /etc/sudoers:
nagios ALL=(www-data) NOPASSWD: /usr/sbin/pwauth

because I use Nagios web UI through Apache2 and pwauth has a security
feature allowing only UID 33 to run itself.

-- 
Marcin Szewczyk                       http://wodny.org
mailto:Marcin.Szewczyk@wodny.borg  <- remove b / usuń b
xmpp:wodny@ubuntu.pl                  xmpp:wodny@jabster.pl

Message #144 received at 394097@bugs.debian.org (full text, mbox, reply):

From: Guillaume Allegre <allegre.guillaume@free.fr>

To: 394097@bugs.debian.org

Subject: packaging mod_authN_pam ?

Date: Fri, 24 Sep 2010 11:45:00 +0200

Is there a good reason to maintain this package,
and not packaging the new version which apparently fixes the bug ?

mod_authN_pam 
http://mod-auth.sourceforge.net/docs/mod_authn_pam/


-- 
 ° /\    Guillaume Allègre            Membre de l'April
  /~~\/\   Allegre.Guillaume@free.fr  Promouvoir et défendre le logiciel libre
 /   /~~\    tél. 04.76.63.26.99      http://www.april.org

Message #149 received at 394097-done@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 246222-done@bugs.debian.org,284863-done@bugs.debian.org,291558-done@bugs.debian.org,366401-done@bugs.debian.org,366411-done@bugs.debian.org,382382-done@bugs.debian.org,393342-done@bugs.debian.org,394097-done@bugs.debian.org,400984-done@bugs.debian.org,422651-done@bugs.debian.org,450387-done@bugs.debian.org,482397-done@bugs.debian.org,509197-done@bugs.debian.org,515995-done@bugs.debian.org,575009-done@bugs.debian.org,610455-done@bugs.debian.org,666809-done@bugs.debian.org,660221-done@bugs.debian.org,

Cc: libapache2-mod-auth-pam@packages.debian.org, libapache2-mod-auth-pam@packages.qa.debian.org

Subject: Bug#710770: Removed package(s) from unstable

Date: Thu, 06 Jun 2013 06:45:42 +0000

Version: 1.1.1-9+rm

Dear submitter,

as the package libapache2-mod-auth-pam has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see http://bugs.debian.org/710770

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Ansgar Burchardt (the ftpmaster behind the curtain)

Send a report that this bug log contains spam.