[Read This Fine Material] from Joshua Hoblitt

pwauth checks UID of caller and restricts the minimum UID of the account checked


After a very frustrating hour of trying to figure out why pwauth called from the Apache module mod_auth_external was failing for some user accounts but not others, I finally discovered that the source code has a default mimum UID of 500. This appears to be preserved in the package pwauth-2.3.10-1.el6.x86_64 from epel.

The error messages on failure in the apache error_log look something like this:

[Wed Aug 08 17:08:04 2012] [error] [client] user foo: authentication failure for "/bar/": Password Mismatch
[Wed Aug 08 17:08:29 2012] [error] [client] AuthExtern pwauth [/usr/bin/pwauth]: Failed (3) for user foo

The solution is to download the pwauth source and change some header values. For pwauth-2.3.10, you need to change these two values in the config.h header.

#define SERVER_UIDS 30    /* user "wwwrun" on the author's system */

#define MIN_UNIX_UID 500  /**/

On RHEL/SL/Centos, the SERVER_UID (aka, the UID of apache) is likely 48. Since I I had already installed the pwauth RPM, the installation was simple as the nessicary pam configuration was already done.

sudo mv /usr/bin/pwauth /usr/bin/pwauth.old
sudo cp ./pwauth /usr/bin/pwauth
sudo chgrp apache /usr/bin/pwauth
sudo chmod 4750 /usr/bin/pwauth
$ ls -la /usr/bin/pwauth*
-rwsr-x--- 1 root apache 20066 Aug  8 17:28 /usr/bin/pwauth
-rwsr-x--- 1 root apache  8112 May  7 18:27 /usr/bin/pwauth.old

And that fixes the UID restriction.

Leave a Reply