Apache 2 and HTTP Authentication with PAM

There are 2 ways(at least that I know of) to get Apache 2 to use PAM for http auth:

  • Old mod_auth_pam, which I believe is not developed anymore and also posses some security risks
  • Newer mod_authnz_external and pwauth

This little write up shows how to get Apache and PAM going on Ubuntu using the mod_authnz_external.
To get started, let’s install some packages:

sudo apt-get install libapache2-mod-authnz-external pwauth
sudo apt-get install libapache2-mod-authz-unixgroup
sudo a2enmod authnz_external authz_unixgroup

Edit config file for the Virtual Host you’d like to get them PAM-based HTTP Authentication going, such that it contains the following clause:

<IfModule mod_authnz_external.c>
AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe

And the final bit of configuration goes to your Directory definition inside of vhost block:

<Directory /var/www/yourlocation>
AuthType Basic
AuthName "Restricted Area"
AuthBasicProvider external
AuthExternal pwauth
Require user john

# some other configuration statements

This will allow user john to access the resource.

Now if you also want to have PAM authentication by users group you’ll need to make few extra steps. Missing bit of puzzle here is called ‘unixgroup’ script and for some reason it is not in Ubuntu’s pwauth package where it ought to be. You will need to grab it from here and copy it over to /usr/sbin/unixgroup and make it executable. Here is a quick snippet to do that:

wget "http://pwauth.googlecode.com/files/pwauth-2.3.9.tar.gz"
tar xzvf ./pwauth-2.3.9.tar.gz
sudo cp pwauth-2.3.9/unixgroup /usr/sbin/
sudo chmod a+x /usr/sbin/unixgroup

Once that’s done, you’ll need to few more lines to you Virtual Host config, so it will look something like this:

<IfModule mod_authnz_external.c>
AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe
AddExternalGroup unixgroup /usr/sbin/unixgroup
SetExternalGroupMethod unixgroup environment


<Directory /var/www/yourlocation>
AuthType Basic
AuthName "Restricted Area"
AuthBasicProvider external
AuthExternal pwauth
GroupExternal unixgroup
Require user john# some other configuration statements

Hopefully this is helpful to someone besides myself :) Let me know if you got stock somewhere along the way.

22 thoughts on “Apache 2 and HTTP Authentication with PAM

  1. Pingback: Security for Ubuntu 12.04 and ISPConfig | Linux Master

  2. Pingback: Apache 2 and HTTP Authentication with PAM | Jerry's Home

  3. Pingback: 使用 PAM 作為 Apache Basic 驗證 | ATI的硬體&攝影網誌

  4. Hi, thx very much for that tutorial. I am using it on my linux machine. Since then I am very happy for not having two password stores.

    But this PAM module is damn slowly when loading directory listing compared to htpasswd-files…any solution/improvemts?

    • Hi there,

      To be honest I haven’t really encountered any dramatic slowdown compared to straight up htpasswd file, but I didn’t use this solution on any heavy load systems either. I remember seeing another approach to this using perl module of a sort, but I can’t remember know what it was called.

  5. Thank you, good explanation. I used yours for my raspberry server and owncloud.

    But don’t forget to have NCSD running

    Name Service Cache Daemon service

    This caches the authentications on the server (server-side). Otherwise, pam auth is rather slow (especially when navigating through folder indexes) because un-passwd check is performed for each access (done in background by your browser/client-side).

  6. Pingback: Ubuntu:Providing HTTPS access to multi-user SFTP server – Ubuntu Linux Questions

  7. Hello,

    The group version does not work for me.

    I have the following error message in apache2′s error.log :
    AH01664: No group file was specified in the configuration

    Have you some ideas ?


  8. Hi,

    thanks for this HowTo. It saved my day after a complete server crash and rebuild. Prior to this rebuild we have used Apache 2.2 and the old config did not work with 2.4. An updated version with PAM also did not work. Now everything is back on track. We use it for authentication to our SVN repositories.

  9. Hello there,

    i installed the version for one User, everthing is fine. Is there a way to authentificate all linux server users? so i have some sites where everyone of the company can access and some where only some users can access (some users is already explained :) )

    Thank you very much :)

  10. If you have them delivered simply keep in mind that at some time you will
    need to return them in the message. Some of the major cable business
    are currently doing immediate downloading likewise pay-per-view being one of one of the most popular given that
    its beginning. Your selections of how to get flicks are almost
    as varied as the variety of motion pictures themselves. Nowadays you can even buy movies on your computer and also legitimately melt them to DVD!

    Not only are there great deals of options
    for exactly how to get your films, but the sources of these flicks (as well as a lot of TELEVISION
    shows) currently consist of almost all of the major animation studio.
    They will normally contract out to internet suppliers to give the solutions for anybody who
    owns a COMPUTER and also is connected to the web, making instantaneous motion pictures simpler than ever before for the stay at residence family!
    You might even discover that if you stay in and also do activities with
    your family members, such as flick time in the house, your relative will certainly begin to reconnect.

    Do not neglect, the weather will certainly soon clear out therefore will the household.
    Take advantage of the possibility to reconnect with each other during movie time in the house before they
    all scuttle out the door until next winter months!

Leave a Reply to admin Cancel reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>