2023-10-04
You can do Apache HTTP Basic Authentication through PAM
I recently wrote about how Apache's HTTP Basic Authentication could do with more logging. One of the reasons many other programs that do authentication have better logging is that they use PAM, and it's the PAM modules and PAM framework that's doing the logging. If Apache could use PAM for HTTP Basic Authentication, it'd get (somewhat) better logging for free. As it turns out, you actually can do this in at least three ways, with three different third party Apache modules (at least based on their documentation, I haven't tried any of them).
The most straightforward option is mod_authnz_pam, which provides authentication and authorization directly through PAM with the (PAM) service name of your choice. PAM-based authorization can potentially be used separately from authentication; you can authenticate through something else, then use PAM to obtain authorization (enabling you to play various PAM tricks).
The most general option is mod-authnz-external, which uses an external program, such as pwauth (also), and so can authenticate against PAM assuming that the external program uses PAM. Given an authenticated (Unix) user, you can then use their Unix groups for authorization. Since these are two separate modules, I suspect that you could use the Unix groups stuff with any HTTP Basic Authentication mechanism if the accounts being authenticated are actual Unix ones.
Finally we have mod_authn_sasl, which checks authentication through Cyrus SASL (aka 'libsasl' or 'libsasl2'). Cyrus SASL itself can check authentication through PAM, among many other things. People who are embarking on this path are hopefully already familiar with Cyrus SASL, but if not, maybe the Postfix documentation can be of some help.
(All three of these are currently packaged in Ubuntu 22.04 and I believe in the current Debian, although that may change in the future.)
In general, doing HTTP Basic Authentication through PAM comes with some benefits and some potential limitations. You can play a lot of tricks with PAM, although some of them won't necessarily work in an HTTP Basic Authentication environment, and it does have better logging than the non-logging of Apache. The obvious drawback is that the users you need to authenticate against have to have passwd entries on your web server, and you'll wind up using the password that they have there. But if you're authenticating against your Unix logins anyway, this may be offset by the advantage of not having to build, maintain, and update your own htpasswd version of the same information; instead you get to reuse your existing password update mechanisms, and removing someone from Unix authentication automatically removes them from web server authentication as well (and has immediate effect, because of how HTTP Basic Authentication works).
The subtle drawback is that Apache is going to make a PAM check on every HTTP request that's guarded with HTTP Basic Authentication, and each PAM check is probably going to write at least one log message about it. If people visit a bunch of URLs in your access restricted area, you'll get a bunch of PAM checks and log messages. As a corollary to this, you'd better not have anything that rate-limits PAM authentications or you'll get an unpleasant surprise.
(This is unlike both web cookie-based authentication schemes and conventional PAM authentication for logins and the like. In both cases you authenticate once and then the authentication is remembered, either explicitly in your cookie or implicitly in your SSH, IMAP, etc session. HTTP Basic Authentication re-checks the password on every HTTP request because of how the core mechanism works.)
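As an added illustration of the mod_authnz_pam route and of the rate-limiting corollary above (this is example configuration written for this note, not taken from the module's own documentation or from the post), here is a minimal Apache 2.4 stanza together with the dedicated PAM service it names. The service name "httpd-basic" and the "/restricted" location are assumptions.

```apache
# Added example (not from the original post). Assumes Apache 2.4 with
# mod_authnz_pam installed; the module path is distribution dependent.
LoadModule authnz_pam_module modules/mod_authnz_pam.so

<Location "/restricted">
    AuthType Basic
    AuthName "Restricted area"
    # authenticate the Basic Auth username/password through PAM,
    # using the PAM service configured in /etc/pam.d/httpd-basic
    AuthBasicProvider PAM
    AuthPAMService httpd-basic
    # authorization also goes through PAM (the 'account' stack of the
    # same service), so an account that is locked or expired on the
    # Unix side is refused here as well
    Require pam-account httpd-basic
</Location>

# ---- /etc/pam.d/httpd-basic (a separate file; shown here for context) ----
# A dedicated service, so that the web server's PAM policy is decoupled
# from the interactive login stacks.
#
# Deliberately NOT included: pam_faillock.so or pam_tally2.so.  Because
# Apache performs a fresh PAM check on every request under /restricted,
# any module that counts or throttles authentication attempts would see
# one "attempt" per page load and could lock users out.
#
#   auth     required   pam_unix.so
#   account  required   pam_unix.so
#
# Each pam_unix authentication will typically emit at least one syslog
# line, which is the extra logging the post is after; expect one line
# per HTTP request, not one per user session.
```

With pam_unix the process performing the check has to be able to read the local shadow password store, which the module's own documentation covers for your platform; that is a deployment detail, not something this snippet arranges.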