Apache Basic Authentication: Switching from htpasswd to System Accounts with Group-Based Access Control


htpasswd files are simple to set up, but they become a second user database to maintain once there are more than a handful of users, or when web access should follow the accounts and groups that already exist on the system. Here's how to move Apache Basic Authentication onto system accounts with the pwauth helper and restrict access by Unix group.

First ensure these modules are enabled (run this after installing the packages listed further down; a2enmod is the Debian/Ubuntu tool):

a2enmod authnz_external
a2enmod authz_unixgroup

Replace your current Basic Authentication block with the following. The DefineExternalAuth line belongs in server or virtual host context (not inside <Directory> or .htaccess); it binds the name pwauth, which AuthExternal then refers to, to the setuid helper binary:

DefineExternalAuth pwauth pipe /usr/sbin/pwauth

AuthType Basic
AuthName "Secured System Access"
AuthBasicProvider external
AuthExternal pwauth
Require unix-group webaccess

Note the key differences from the htpasswd approach:

  • AuthBasicProvider external hands password checking to mod_authnz_external instead of an AuthUserFile
  • AuthExternal pwauth selects the authenticator defined above; pwauth is a separate setuid-root helper that checks the credentials against the system password database (through PAM on Debian), because the web server user itself cannot read /etc/shadow
  • Require unix-group webaccess (provided by mod_authz_unixgroup) admits an authenticated user only if webaccess is their primary group or they are listed as a member of it in /etc/group

Older mod_authnz_external versions spell the definition as two directives, AddExternalAuth pwauth /usr/sbin/pwauth followed by SetExternalAuthMethod pwauth pipe.

On Debian/Ubuntu systems:

sudo apt install libapache2-mod-authnz-external pwauth

For RHEL/CentOS (both packages come from EPEL):

sudo yum install mod_authnz_external pwauth

Create a system group and add permitted users:

sudo groupadd webaccess
sudo usermod -a -G webaccess username1
sudo usermod -a -G webaccess username2

Important security practices when using system authentication:

  1. Keep pwauth setuid root but executable only by the web server's group: owner root, group www-data (apache on RHEL), mode 4750. pwauth additionally refuses callers whose uid is not in its compiled-in SERVER_UIDS list (www-data on Debian), so a loose mode fails closed rather than open, but there is no reason to expose the helper to other local users.
  2. pwauth on Debian is built against PAM and consults /etc/pam.d/pwauth; put rules such as account expiry checks or an extra pam_listfile restriction there rather than trying to express them in Apache.
  3. Serve the protected area over HTTPS only: Basic Authentication sends the system password base64-encoded, effectively in the clear, on every request.
  4. Always test authentication with non-privileged accounts first, and never put root or service accounts in the web access group.
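As an added example for item 1 above (not code from the original article), a small POSIX shell check that encodes the expected ownership and mode of a setuid authentication helper such as pwauth. helper_mode_ok takes the values as literals so the rule can be exercised without root; check_helper reads them from a real file with GNU stat -c, which is an assumption about the platform (Debian and RHEL both ship GNU coreutils). The default path and group are Debian's.

```shell
#!/bin/sh
# Added example: verify that a setuid auth helper (pwauth) is installed with
# the ownership and mode recommended in the text: root-owned, setuid,
# executable by the web server's group only, nothing for "other".
#
# helper_mode_ok OWNER GROUP OCTAL_MODE WEBGROUP
# Returns 0 if the combination is acceptable, 1 (with a reason on stdout) if not.
helper_mode_ok() {
    owner="$1"; group="$2"; mode="$3"; webgroup="$4"

    # Four octal digits with the setuid bit set (4xxx); plain, setgid-only
    # or sticky variants are rejected outright.
    case "$mode" in
        4[0-7][0-7][0-7]) ;;
        *) echo "mode $mode: expected a setuid mode of the form 4xxx"; return 1 ;;
    esac
    [ "$owner" = root ] || { echo "owner $owner: a setuid helper must be owned by root"; return 1; }
    [ "$group" = "$webgroup" ] || { echo "group $group: expected web server group $webgroup"; return 1; }

    user_bits=$(printf '%s' "$mode" | cut -c2)
    group_bits=$(printf '%s' "$mode" | cut -c3)
    other_bits=$(printf '%s' "$mode" | cut -c4)

    # "other" must have no bits at all: world access lets every local user
    # drive the helper, leaving pwauth's own uid check as the only barrier.
    [ "$other_bits" = 0 ] || { echo "mode $mode: world access ($other_bits) not allowed"; return 1; }
    # The web group needs execute and may have read, but never write (1 or 5).
    case "$group_bits" in
        1|5) ;;
        *) echo "mode $mode: group bits $group_bits must be --x or r-x"; return 1 ;;
    esac
    # root keeps rwx (7) so the file stays manageable by the package manager.
    [ "$user_bits" = 7 ] || { echo "mode $mode: owner bits $user_bits, expected 7"; return 1; }
    return 0
}

# check_helper [PATH] [WEBGROUP]: apply the rule to an installed file.
# Assumes GNU stat (-c); defaults are Debian's pwauth path and www-data group.
check_helper() {
    path="${1:-/usr/sbin/pwauth}"; webgroup="${2:-www-data}"
    info=$(stat -c '%U %G %a' "$path") || return 1
    set -- $info
    helper_mode_ok "$1" "$2" "$3" "$webgroup"
}
```

Run `check_helper` on Debian, or `check_helper /usr/bin/pwauth apache` on a RHEL host; a nonzero exit with the printed reason is the fix you need to apply with chown/chmod.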

Common issues and solutions:

# Check ownership and mode of the helper; expect -rwsr-x--- root www-data
ls -l /usr/sbin/pwauth

# Test authentication directly, as the web server user. pwauth reads the login
# and the password as two separate lines on stdin (not "user:password"), and
# it rejects callers whose uid is not in its SERVER_UIDS list, so running it as
# root or as yourself does not reproduce what Apache sees.
printf '%s\n%s\n' 'username' 'password' | sudo -u www-data /usr/sbin/pwauth; echo "exit status: $?"

Exit status 0 means the credentials were accepted and a small nonzero value (1, 2, ...) that they were rejected; 50 means the calling uid is not allowed to run pwauth, and 53 that the binary is not setuid root, so check the mode again.

For SELinux systems, the httpd_mod_auth_pam boolean covers PAM calls made by httpd itself (mod_authnz_pam); whether it also covers httpd executing the setuid pwauth helper depends on the policy version, so after a failed login check the audit log and build a local module with audit2allow if there are denials:

sudo setsebool -P httpd_mod_auth_pam 1
sudo ausearch -m avc -c pwauth --start recent

You can mix authentication methods if needed, for instance to keep a file-based emergency account. Apache 2.4 has no "or" inside a Require line; alternatives go in a <RequireAny> container:

AuthType Basic
AuthName "Hybrid Access"
AuthBasicProvider external file
AuthExternal pwauth
AuthUserFile "/etc/apache2/fallback.passwd"
<RequireAny>
    Require unix-group webaccess
    Require user fallbackadmin
</RequireAny>

Do not use Require valid-user as the second alternative: valid-user is satisfied by any user that either provider authenticated, including system accounts that are not in webaccess, which silently removes the group restriction. Listing the fallback account by name (fallbackadmin stands for whatever you put in fallback.passwd) keeps the restriction intact. Keep the names in the fallback file distinct from system account names so it is unambiguous which provider answered.

While htpasswd authentication works fine for basic scenarios, many sysadmins eventually need to integrate with system accounts for better user management. Here's how to transition from password files to pwauth, which checks credentials through PAM, with group-based access control.

First ensure these Apache modules are enabled:

a2enmod authnz_external
a2enmod authz_unixgroup
a2enmod authz_user

Install the PAM authentication helper:

apt-get install libapache2-mod-authnz-external pwauth

Edit /etc/pam.d/pwauth. The Debian package installs this file already; keep its @include common-auth and @include common-account lines if you want the same policy as console logins. A minimal stand-alone version:

auth required pam_unix.so
account required pam_unix.so

Update your virtual host configuration. The DefineExternalAuth line binds the name pwauth to the helper binary and must sit outside <Directory>:

<VirtualHost *:443>
    # SSLEngine on and the certificate directives as already configured for
    # this host. Do not publish this area on plain port 80: Basic
    # Authentication sends the system password in the clear on every request.
    # Other directives...

    DefineExternalAuth pwauth pipe /usr/sbin/pwauth

    <Directory "/var/www/secure-area">
        AuthType Basic
        AuthName "System Authentication"
        AuthBasicProvider external
        AuthExternal pwauth
        Require unix-group webusers
    </Directory>
</VirtualHost>

Create the group and add users:

groupadd webusers
usermod -a -G webusers username1
usermod -a -G webusers username2

Verify configuration syntax and restart Apache:

apachectl configtest
systemctl restart apache2

Test with curl, once as a member of webusers and once as a valid system account that is not in the group; the second request must come back 401:

curl -u username1:password https://yoursite/secure-area/
curl -s -o /dev/null -w '%{http_code}\n' -u nonmember:password https://yoursite/secure-area/

Security notes:

  • Ensure the pwauth binary has tight permissions: root:www-data with mode 4750 on Debian (root:apache on RHEL), that is setuid root, executable by the web server's group, no access for others
  • Use HTTPS to encrypt credentials; Basic Authentication only base64-encodes the system password
  • Regularly audit group membership, including users whose primary group is webusers, since they do not appear in the member list of /etc/group
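As an added example for the group steps above and for the audit note (not code from the original page), the following POSIX shell function lists the effective membership of a Unix group the way mod_authz_unixgroup evaluates Require unix-group: a user qualifies either through the primary gid in the passwd file or through the supplementary member list in the group file, so grepping /etc/group alone misses primary-group members. demo_webaccess_members runs it over a constructed passwd/group pair so the behaviour can be seen offline; the user names and gids in that sample are made up for the demonstration.

```shell
#!/bin/sh
# Added example: effective members of a Unix group, resolved the way
# mod_authz_unixgroup checks `Require unix-group NAME` (primary gid in the
# passwd file OR listed in the group file's member field).
#
# unix_group_members GROUP [PASSWD_FILE] [GROUP_FILE]
# Prints one username per line, sorted; defaults to the live system files.
unix_group_members() {
    group="$1"
    passwd_file="${2:-/etc/passwd}"
    group_file="${3:-/etc/group}"
    awk -F: -v g="$group" '
        # first file (group): note the gid and the explicit members of GROUP
        FNR == NR {
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        # second file (passwd): users whose primary group is GROUP also qualify
        gid != "" && $4 == gid { seen[$1] = 1 }
        END { for (u in seen) print u }
    ' "$group_file" "$passwd_file" | sort
}

# unix_group_has GROUP USER [PASSWD_FILE] [GROUP_FILE]
# Exit 0 if USER would pass `Require unix-group GROUP`, 1 otherwise.
unix_group_has() {
    unix_group_members "$1" "$3" "$4" | grep -qx "$2"
}

# Constructed sample data (not taken from any real system) showing both
# membership paths: alice and carol are listed in the group file, bob only
# has webaccess (gid 2000) as his primary group, dave is in neither.
demo_webaccess_members() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:2000:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
dave:x:1004:1004:Dave:/home/dave:/bin/bash
EOF
    cat > "$dir/group" <<'EOF'
root:x:0:
www-data:x:33:
webaccess:x:2000:alice,carol
alice:x:1001:
carol:x:1003:
dave:x:1004:
EOF
    unix_group_members webaccess "$dir/passwd" "$dir/group"
    rm -rf "$dir"
}
```

On a live host, `unix_group_members webaccess` (or webusers) is the list to review during the audit; `grep '^webaccess:' /etc/group` would show only alice and carol in the sample above and miss bob, who passes the Apache check all the same.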

For newer systems, consider mod_authnz_pam, which lets Apache call PAM directly without a setuid helper:

apt-get install libapache2-mod-authnz-pam
a2enmod authnz_pam

Create a PAM service for it in /etc/pam.d/apache:

auth required pam_unix.so
account required pam_unix.so

With configuration (the provider name is PAM, in capitals, and AuthPAMService names the file under /etc/pam.d; mod_authnz_pam has no pam-group requirement, so the group restriction still comes from mod_authz_unixgroup, or from a pam_listfile or pam_succeed_if rule in the account stack of the PAM service):

AuthType Basic
AuthName "PAM Auth"
AuthBasicProvider PAM
AuthPAMService apache
<RequireAll>
    Require pam-account apache
    Require unix-group webusers
</RequireAll>

Caveat: with pam_unix.so the password check is delegated to the unix_chkpwd helper, which for a non-root caller only verifies the caller's own password. Apache runs as www-data, so this setup rejects everyone unless www-data is given read access to /etc/shadow (on Debian, membership of the shadow group), which is a much larger exposure than the setuid pwauth helper. mod_authnz_pam is the better choice when the PAM stack talks to a directory backend such as pam_sss or pam_ldap rather than the local shadow file.