Is it possible to use a auth_basic password protection using linux users and passwords?

I'd like to password protect a website allowing only Linux users and their passwords stored in /etc/passwd and /etc/shaddow to login.

Apache and nginx allow to restrict accessung by using a HTTP auth_basic using specific user and password files. Is it possible to use /etc/passwd and /etc/shadow instead or keep the files in sync somehow?


Solution 1:

There are two problems with a direct approach:

the password hashes for local user accounts are stored in /etc/shadow

  • /etc/shadow has more fields than only login:hash
  • the permissions on /etc/shadow allow only the root user to read the contents and your webserver shouldn’t be running as root

So that file can’t be used with basic authentication and the most common module https://httpd.apache.org/docs/2.4/mod/mod_authn_file.html

What you can do:

  • use mod_authnz_pam to make Apache use the PAM authentication mechanism to authenticate users. https://github.com/adelton/mod_authnz_pam

  • or use mod-auth-external in combination with pwauth

https://serverfault.com/a/692619/546643

https://github.com/phokz/mod-auth-external