How to get mod_auth_pam running on Apache 2.2.x.

mod_auth_pam is not supported and/or developed any longer and the latest available version works only with apache 2.0.x. The new apache 2.2 uses a new authentication mechanism and the old mod_auth_pam does not work, if you only install it to your local apache and use it with the follow configuration:

  1.  AuthPAM_Enabled On
  2.   AuthPAM_FallThrough Off
  3.   AuthType Basic
  4.   AuthName "Testingarea"

You have to turn off the new apache 2.2 basic authentication to get the module up and running. You can do this in two different ways. The first one is to disable the whole module, the second and better one is to disable it through a directive.

For the first solution, you can use the tool a2dismod to disable the module mod_auth_basic.

For the second way, you have to add this lines to the configuration above.

  1. AuthPAM_Enabled On
  2. AuthPAM_FallThrough Off
  3. AuthBasicAuthoritative Off

In the second way, the error.log of apache shows the following lines:

  1. [Wed Feb 21 20:01:35 2007] [error] Internal error: pcfg_openfile() called with NULL filename
  2. [Wed Feb 21 20:01:35 2007] [error] [client 192.168.0.201] (9)Bad file descriptor: Could not open password file: (null)

The positive message is: you can ignore them ;-) It means, that the mod_auth_pam does not register an AuthBasicProvider and therefore it is null and crashes. Not nice, but it works.

9 thoughts on “How to get mod_auth_pam running on Apache 2.2.x.

  1. Thanx, for the detailed information on how to get the PAM plugin to work again and saving me a lot of time figuring out this weird pcfg_openfile() error.

  2. Thanks for the info, you saved me lots of head scratching. Also I found if you add the directive (in addition to your second method):

    AuthUserFile /dev/null

    the error messages are no longer added to the apache log file.

  3. Not working for me. Anyone else experiencing this?

    Fedora 8 – Apache/2.2.6

    AuthPAM_Enabled On
    AuthPAM_FallThrough Off
    AuthBasicAuthoritative Off
    AuthType Basic
    AuthName “Testingarea”
    require group staff

    If I’m missing something please email.

  4. Don’t forget to give apache user (usually nobody or www-data) read perms to /etc/shadow file adding that user to the shadow group:
    usermod -G shadow www-data
    or
    usermod -G shadow nobody

  5. Hello all!

    First of all, thx a lot for the detailed explanations about the configuration. Unfortunately, it is not working for me at all… I have the following conf:

    Listen 44444
    NameVirtualHost *:44444

    AuthType Basic
    AuthBasicAuthoritative Off
    AuthName “Private Area”
    AuthPAM_Enabled On
    AuthPAM_FallThrough Off
    AuthUserFile /dev/null
    Require valid-user

    When I access :44444, I am asked for User and a Password, and when I type them, I am queried again for User and Password, and again and again…
    I have tested PAM authentication with the pamtester tool with the httpd process, and I have a Successfull Authentication, so it is not at all a matter of PAM configuration.

    Any idea?

    Thanks in advance!

Leave a Reply