Apache 2 and HTTP Authentication with PAM

There are 2 ways(at least that I know of) to get Apache 2 to use PAM for http auth:

  • Old mod_auth_pam, which I believe is not developed anymore and also posses some security risks
  • Newer mod_authnz_external and pwauth

This little write up shows how to get Apache and PAM going on Ubuntu using the mod_authnz_external.
To get started, let’s install some packages:

sudo apt-get install libapache2-mod-authnz-external pwauth
sudo apt-get install libapache2-mod-authz-unixgroup
sudo a2enmod authnz_external authz_unixgroup

Edit config file for the Virtual Host you’d like to get them PAM-based HTTP Authentication going, such that it contains the following clause:

<IfModule mod_authnz_external.c>
AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe

And the final bit of configuration goes to your Directory definition inside of vhost block:

<Directory /var/www/yourlocation>
AuthType Basic
AuthName "Restricted Area"
AuthBasicProvider external
AuthExternal pwauth
Require user john

# some other configuration statements

This will allow user john to access the resource.

Now if you also want to have PAM authentication by users group you’ll need to make few extra steps. Missing bit of puzzle here is called ‘unixgroup’ script and for some reason it is not in Ubuntu’s pwauth package where it ought to be. You will need to grab it from here and copy it over to /usr/sbin/unixgroup and make it executable. Here is a quick snippet to do that:

wget "http://pwauth.googlecode.com/files/pwauth-2.3.9.tar.gz"
tar xzvf ./pwauth-2.3.9.tar.gz
sudo cp pwauth-2.3.9/unixgroup /usr/sbin/
sudo chmod a+x /usr/sbin/unixgroup

Once that’s done, you’ll need to few more lines to you Virtual Host config, so it will look something like this:

<IfModule mod_authnz_external.c>
AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe
AddExternalGroup unixgroup /usr/sbin/unixgroup
SetExternalGroupMethod unixgroup environment


<Directory /var/www/yourlocation>
AuthType Basic
AuthName "Restricted Area"
AuthBasicProvider external
AuthExternal pwauth
GroupExternal unixgroup
Require user john# some other configuration statements

Hopefully this is helpful to someone besides myself :) Let me know if you got stock somewhere along the way.

16 thoughts on “Apache 2 and HTTP Authentication with PAM

  1. Pingback: Security for Ubuntu 12.04 and ISPConfig | Linux Master

  2. Pingback: Apache 2 and HTTP Authentication with PAM | Jerry's Home

  3. Pingback: 使用 PAM 作為 Apache Basic 驗證 | ATI的硬體&攝影網誌

  4. Hi, thx very much for that tutorial. I am using it on my linux machine. Since then I am very happy for not having two password stores.

    But this PAM module is damn slowly when loading directory listing compared to htpasswd-files…any solution/improvemts?

    • Hi there,

      To be honest I haven’t really encountered any dramatic slowdown compared to straight up htpasswd file, but I didn’t use this solution on any heavy load systems either. I remember seeing another approach to this using perl module of a sort, but I can’t remember know what it was called.

  5. Thank you, good explanation. I used yours for my raspberry server and owncloud.

    But don’t forget to have NCSD running

    Name Service Cache Daemon service

    This caches the authentications on the server (server-side). Otherwise, pam auth is rather slow (especially when navigating through folder indexes) because un-passwd check is performed for each access (done in background by your browser/client-side).

  6. Pingback: Ubuntu:Providing HTTPS access to multi-user SFTP server – Ubuntu Linux Questions

  7. Hello,

    The group version does not work for me.

    I have the following error message in apache2′s error.log :
    AH01664: No group file was specified in the configuration

    Have you some ideas ?


Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>