mod_authnz_external 3.1.0 review


mod_authnz_external is an Apache module used for authentication

License: GPL (GNU General Public License)
File size: 167K
Developer: Jan Wolter

mod_authnz_external is an Apache module used for authentication. It and its sibling module, mod_auth_external, provide basically the same functionality, and differ mainly in the way they interface to other authentication code in Apache.

For Apache 2.1 and later, mod_authnz_external should be preferred.

The Apache HTTP Daemon can be configured to require users to supply logins and passwords before accessing pages in some directories. Authentication is the process of checking if the password given is correct for a user. Apache has standard modules for authenticating out of several different kinds of databases. The external authentication module provides a flexible tool for creating authentication systems based on other databases.

The module can be used in either of two somewhat divergent ways:

External Authentication:
When a user supplies a login and password, mod_auth*_external runs a program you write, passing it the login and password. Your program does whatever checking and logging it needs to, and then returns an Accept/Reject flag to Apache.
This is slower than doing the authentication internally because it has the overhead of launching an external program for each authentication. However, there are at least two situations where it is very useful:

Rapid prototyping. Mod_auth*_external makes a very nice Swiss Army knife authenticator. You can quickly put together custom authentication systems for many weird authentication applications. The external authentication program can be a shell script or Perl program. It can be written without knowing much about building Apache modules. Bugs in it will not endanger the overall integrity of the Apache server.

Access restrictions. There are situations where you do not want to make your user database readable to the user-id that Apache runs under. In these cases the external authentication program can be an suid program that has access to databases Apache cannot access. For example, if you want to authenticate out of a Unix shadow password database, and you aren't foolish enough to run Apache as root, a carefully written suid-root external authentication program can do the job for you. Such an authenticator for shadow password files and PAM (pwauth) is available separately.
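
A minimal external authenticator of the kind described above, as an added example that is not part of mod_authnz_external or pwauth. It assumes the module hands over the login and password on stdin as two lines and treats exit status 0 as Accept and anything else as Reject; the user table, salts and length limits are constructed for illustration.

```python
#!/usr/bin/env python3
# Added example: external authenticator sketch, not the module's own code.
# Assumption: login and password arrive on stdin, one per line, and the
# exit status is the Accept (0) / Reject (non-zero) flag returned to Apache.
import hashlib
import hmac
import sys

ITERATIONS = 100_000
ACCEPT, REJECT = 0, 1

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample user database: login -> (salt, PBKDF2-SHA256 hash).
USERS = {"alice": (b"constructed-salt", hash_password("correct horse", b"constructed-salt"))}
# Dummy record so an unknown login costs the same hashing work as a known one.
DUMMY = (b"dummy-salt", hash_password("dummy", b"dummy-salt"))

def authenticate(stream) -> int:
    """Read login and password from stream and return ACCEPT or REJECT."""
    login = stream.readline().rstrip("\r\n")
    password = stream.readline().rstrip("\r\n")
    # Missing, empty or oversized fields are rejected before any lookup.
    if not login or not password or len(login) > 64 or len(password) > 256:
        return REJECT
    salt, expected = USERS.get(login, DUMMY)
    candidate = hash_password(password, salt)
    # Constant-time comparison; the membership test stops the dummy record
    # from ever authenticating anyone.
    matches = hmac.compare_digest(candidate, expected)
    return ACCEPT if matches and login in USERS else REJECT

if __name__ == "__main__":
    try:
        sys.exit(authenticate(sys.stdin))
    except Exception:
        sys.exit(REJECT)  # fail closed: any internal error is a Reject
```

The credentials never appear on the command line or in the environment, and every error path ends in a Reject, which matters most when the program runs suid.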

Hardcoded Authentication:
Some hooks have been inserted into mod_auth*_external to make it easy to replace the call to the external authentication program with a call to a hardcoded internal authentication routine that you write.

This is sort of a half-way measure to just writing your own Apache module from scratch, allowing you to easily borrow some of the logic from mod_auth*_external. It's a bit more dangerous than using an external authenticator, as bugs in your module can crash Apache, but performance is usually better.

I think mod_auth*_external is the best current solution for authenticating out of shadow password files, and other similar applications. For rapid prototyping and for an easy way to build your own modules, mod_perl may be a better solution in some cases.

Apache 2.1
