1.19.2007

AuthShadow

The Apache module mod-auth-shadow, which verifies passwords against /etc/shadow, is usable in its most recent form only with apache; more importantly, it does not work with apache2.

/etc/shadow is the ancestor of /etc/passwd: it evolved by moving the password hashes into a file readable only by the appropriate users. AuthShadow is important because the alternative is auth-pam, which requires direct access to /etc/shadow. That means the apache user must have read access to /etc/shadow, which is a very dangerous proposition: if your server were compromised, the attacker would have your password file to crack at their leisure. AuthShadow avoids this with an intermediary script that the apache user can execute but that is owned by root, so the web server account itself never reads the hashes.
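The permission model the paragraph relies on can be checked rather than assumed. The script below is an added example, not part of the original post or of mod-auth-shadow: it confirms that the shadow file is not world-readable, and that the helper the web server invokes is owned by the expected uid (root, 0), has the setuid bit, and is not world-writable. The default paths (/etc/shadow, /usr/sbin/validate) are assumptions for a Debian-style layout; the script reads only file metadata, so it needs no privileges.

```shell
#!/bin/sh
# Added example (not from the post or from mod-auth-shadow): audit the file
# permissions that make the setuid helper approach safe.
# Assumptions: a Linux/BSD find that understands "-perm -OCTAL" and "-prune",
# and "ls -ldn" for the numeric owner uid (both POSIX).

# mode_has FILE OCTAL_MASK -> 0 if every bit in OCTAL_MASK is set on FILE
mode_has() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# owner_uid FILE -> numeric uid of the file's owner
owner_uid() {
    ls -ldn "$1" 2>/dev/null | awk '{ print $3 }'
}

# world_readable FILE -> 0 if the "other" read bit is set, i.e. any local
# account, including the web server's, can read the hashes
world_readable() {
    mode_has "$1" 004
}

# setuid_owned_by FILE UID -> 0 if FILE is owned by UID and has the setuid bit
setuid_owned_by() {
    [ "$(owner_uid "$1")" = "$2" ] && mode_has "$1" 4000
}

# audit_shadow_setup SHADOW HELPER [OWNER_UID]
# Prints one finding per line; returns 0 only if every check passes.
# OWNER_UID defaults to 0 (root); it is a parameter so the checks can be
# exercised against a staging copy owned by another account.
audit_shadow_setup() {
    shadow=$1 helper=$2 owner=${3:-0}
    rc=0
    if world_readable "$shadow"; then
        echo "FAIL: $shadow is world-readable; a compromised web server could read the hashes"
        rc=1
    else
        echo "ok:   $shadow is not world-readable"
    fi
    if setuid_owned_by "$helper" "$owner"; then
        echo "ok:   $helper is owned by uid $owner and setuid"
    else
        echo "FAIL: $helper must be owned by uid $owner and setuid so that it, not the web server, reads $shadow"
        rc=1
    fi
    if mode_has "$helper" 002; then
        echo "FAIL: $helper is world-writable; anyone could replace the privileged helper"
        rc=1
    fi
    return $rc
}

# Usage: sh audit_shadow.sh /etc/shadow /usr/sbin/validate [expected_owner_uid]
[ $# -eq 0 ] || audit_shadow_setup "$@"
```

On a live Debian host the expected result is a shadow file in mode 640 owned by root:shadow and a helper in mode 4755 owned by root; any FAIL line means the web server account could either read the hashes directly or tamper with the program that reads them on its behalf.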

However, there is an rpm build available for apache2 from rpmfind.net (it does not install directly on debian/ubuntu, but alien solves that). The problem is that it is not the latest version of AuthShadow (2.1), and the packaged version has a uid verification bug in the intermediate validate script. The latest version that avoids this bug is 2.0.54. The symptom in syslog or system.log is "validate: FAILED VALIDATE: caller uid mismatch, must be 65535 not 33", or something to that effect: the helper rejects the call because the uid it was built to expect does not match the uid the web server actually runs as.

To solve this issue I downloaded the source for 2.1 from their SourceForge page and used the included makefile to do a "sudo make validate" and replace the validate script in /usr/sbin/.

Once this works, AuthShadow can be used in the site configuration under sites-available instead of AuthUserFile (a file made with htpasswd). In addition, any user with an account on the server can now be validated with "require valid-user" or "require user username". This is fantastic in combination with WebDAV and/or Subversion repositories. For Subversion, you would probably want to research the use of Authz to control directory-by-directory permissions for repositories.
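The two configurations side by side, as an added example that is not from the post or from the mod_auth_shadow project: a constructed site configuration with one location still on an htpasswd file and two on AuthShadow, followed by a small awk pass that reports which back end each block uses and flags a block that enabled AuthShadow but has no Require line (Apache enforces nothing there, so the block is protected in name only). The directive spelling "AuthShadow on" is taken from the module's documentation and is an assumption here, as are the paths.

```shell
#!/bin/sh
# Added example (not from the post or from mod_auth_shadow). The sample
# configuration below is constructed for illustration; the paths, AuthName
# strings and user names are made up.
SAMPLE_SITE_CONFIG='<Location /legacy>
    AuthType Basic
    AuthName "Old htpasswd-protected area"
    AuthUserFile /etc/apache2/htpasswd
    Require valid-user
</Location>

<Location /svn>
    AuthType Basic
    AuthName "Subversion"
    AuthShadow on
    Require user alice bob
</Location>

<Location /dav>
    AuthType Basic
    AuthName "WebDAV"
    AuthShadow on
</Location>'

# auth_backends < config
# Prints one line per <Location>/<Directory> block: "<path> <backend> <require>"
# where backend is htpasswd (AuthUserFile), shadow (AuthShadow on) or NONE,
# and require is the Require arguments or NONE when the block has none.
auth_backends() {
    awk '
    /^[ \t]*<(Location|Directory)[ \t]/ {
        path = $2; sub(/>.*$/, "", path)      # "<Location /svn>" -> "/svn"
        backend = "NONE"; req = "NONE"; next
    }
    /^[ \t]*AuthUserFile[ \t]/            { backend = "htpasswd"; next }
    /^[ \t]*AuthShadow[ \t]+[Oo][Nn]/     { backend = "shadow"; next }
    /^[ \t]*Require[ \t]/ {
        req = $2
        for (i = 3; i <= NF; i++) req = req " " $i
        next
    }
    /^[ \t]*<\/(Location|Directory)>/     { print path, backend, req }
    '
}

# unprotected_blocks < config
# Paths of blocks that configured an auth back end but never said who is
# allowed in: these answer every request without a password prompt.
unprotected_blocks() {
    auth_backends | awk '$2 != "NONE" && $3 == "NONE" { print $1 }'
}

# Usage: sh check_site.sh /etc/apache2/sites-available/default
# With no argument the constructed sample above is analysed.
if [ $# -gt 0 ]; then
    echo "back ends:";   auth_backends < "$1"
    echo "unprotected:"; unprotected_blocks < "$1"
fi
```

Running the sample through `auth_backends` lists /legacy as htpasswd, /svn as shadow with "user alice bob", and /dav as shadow with no Require; `unprotected_blocks` returns /dav alone, which is the block to fix before relying on it for WebDAV.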
