9

I currently have my apache server to authenticate via a password file created from htpasswd. Configured as such:

    AuthType Basic
    AuthName "Secured Site"
    AuthUserFile "/etc/apache2/users.passwd"

How can I change this to authenticate via local system accounts and additionally restrict to only a subset of local system accounts in a specified group?

4 Answers

13

As suggested by David Z, you can use mod-authnz-external. Use it with pwauth for example.

If you are running Debian or a derivative:

    apt-get install libapache2-mod-authnz-external pwauth
    a2enmod authnz_external

In your configuration, add

    <IfModule mod_authnz_external.c>
        DefineExternalAuth pwauth pipe /usr/sbin/pwauth
    </IfModule>

And in the Directory section or your .htaccess file:

    AuthType Basic
    AuthName "Login"
    AuthBasicProvider external
    AuthExternal pwauth
    Require valid-user
    # or
    # Require user jules jim ...

Finally reload the configuration with apache2ctl restart or service apache2 reload.

See also this documentation.

2
  • 1
    From INSTALL, section "CONFIGURATION" -> "Configurating the External Authenticator" -> "For External Authentication Programs": AddExternalAuth and SetExternalAuthMethod are old-style syntax commands. The new-style syntax uses only one command: DefineExternalAuth pwauth pipe /usr/sbin/pwauth. Commented Dec 14, 2015 at 16:28
  • For anyone using pwauth, make sure the pwauth binary has setuid permissions! You can do so with this command: chmod u+s /usr/bin/pwauth. When Apache invokes pwauth and setuid permissions are not set, the status code of 1 (unknown) is always returned. bugs.launchpad.net/ubuntu/+source/pwauth/+bug/579846 Commented May 31, 2017 at 23:26
4

You probably want to look into something like mod_auth_pam. PAM is the "Pluggable Authentication Module" system and the standard Linux (I'm assuming this is Linux) system login mechanism relies on PAM to do its authentication.

Another option is mod_authnz_external, which will look directly at the /etc/shadow file to authenticate accounts.

EDIT: Apparently mod_auth_pam is no longer maintained (unfortunately), so maybe mod_authnz_external would be a better bet...

2

The Apache module mod_auth_pam will do exactly this for you. You enable the module, and the config file should look something like

    AuthType Basic
    AuthName "secure area"
    require group staff
    require user webmaster

And you're all set.

1
  • Seems the module you linked to is designed for Apache 1.3 or 2.0. blog.thirsch.de/2007/02/21/… gives hints on making it work. Commented Jul 24, 2009 at 21:13
1

I just came across the same issue. Here's my solution since mod_auth_pam is dead and no one has addressed the original question,

"authenticate via local system accounts...in a specified group"

I'm using Ubuntu 18.04, so flavor the package installation to your own system. For this example, I'm hosting a directory /var/www/data and only want users in the data group to have access. I'm assuming you have an Apache installation running and the data group already created.

As mentioned before, you'll need to grab pwauth and the authnz software. Additionally, you will need mod-authz-unixgroup for group authentication. You can install them using,

apt install libapache2-mod-authz-unixgroup libapache2-mod-authnz-external pwauth 

Next, change the permissions of pwauth (this was fixed on 2020-06-02, but I'll leave this here for older releases) by using,

chmod u+s /usr/sbin/pwauth 

Then, write up your apache2 VirtualHost configuration. Here's a very simple example,

    <VirtualHost *:80>
        # Host Info
        ServerName cool.things
        ServerAdmin [email protected]
        DocumentRoot /var/www

        # Where the logs go
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # Setup external authentication
        <IfModule mod_authnz_external.c>
            AddExternalAuth pwauth /usr/sbin/pwauth
            SetExternalAuthMethod pwauth pipe
        </IfModule>

        # Load an _h5ai index
        <Directory "/var/www/data">
            Options Indexes FollowSymLinks MultiViews
            DirectoryIndex index.html index.php /data/_h5ai/public/index.php

            # Setup Basic Authentication
            AuthType Basic
            AuthName "data group members only"
            AuthBasicProvider external
            AuthExternal pwauth

            # Only allow members of the "data" group
            Require unix-group data
        </Directory>
    </VirtualHost>

Finally, you'll need to reload, restart, and check the status of Apache for errors.

    service apache2 reload
    service apache2 restart
    service apache2 status
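A preflight script for the setup in the answers above, as an added example that is not part of any answer: it checks the setuid bit on pwauth, membership in the group named by `Require unix-group`, and whether a config file enables Basic auth without TLS (Basic auth only base64-encodes the system password). The function names, the `SSLEngine` heuristic and the use of `getent` and `id` on a GNU/Linux host are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight checks for the pwauth + unix-group setup.
# Defaults (/usr/sbin/pwauth, group "data") are the values used in the answers.

# True if FILE is executable and carries the setuid bit pwauth needs.
has_setuid() { [ -x "$1" ] && [ -u "$1" ]; }

# True if WORD ($1) appears in the space-separated LIST ($2), e.g. `id -nG user`.
list_has() {
  for item in $2; do [ "$item" = "$1" ] && return 0; done
  return 1
}

# True if USER is in GROUP, counting primary and supplementary groups.
user_in_group() { list_has "$2" "$(id -nG "$1" 2>/dev/null)"; }

# Heuristic: config FILE has an active "AuthType Basic" line but no
# "SSLEngine on", so system passwords would cross the wire over plain HTTP.
basic_auth_without_tls() {
  grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' "$1" &&
    ! grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$1"
}

# Run all checks: preflight [PWAUTH] [GROUP] [USER] [CONF].
# Prints findings and returns the number of problems found.
preflight() {
  pwauth="${1:-/usr/sbin/pwauth}"; group="${2:-data}"; user="${3:-}"; conf="${4:-}"
  bad=0
  has_setuid "$pwauth" ||
    { echo "FAIL: $pwauth is not an executable setuid binary"; bad=$((bad + 1)); }
  getent group "$group" >/dev/null ||
    { echo "FAIL: group '$group' does not exist"; bad=$((bad + 1)); }
  if [ -n "$user" ] && ! user_in_group "$user" "$group"; then
    echo "FAIL: $user is not in $group; Require unix-group $group will deny"
    bad=$((bad + 1))
  fi
  if [ -n "$conf" ] && basic_auth_without_tls "$conf"; then
    echo "WARN: $conf uses AuthType Basic without SSLEngine on"
    bad=$((bad + 1))
  fi
  return "$bad"
}

# Run the checks only when arguments are given on the command line.
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

Invoke it with at least the pwauth path, for example `sh preflight.sh /usr/sbin/pwauth data alice /etc/apache2/sites-enabled/000-default.conf`, where the script name, user and config path are placeholders.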
