The stock mod_auth_mysql package in Ubuntu is not able to authenticate against the phpass password hashes stored in the WordPress database.
There seems to be a patch lying around to enable phpass authentication in mod_auth_mysql. Its inclusion in mod_auth_mysql was requested a long time ago, and again more recently, but for one reason or another it has been declined. Inclusion of the patch into the Debian package has also been requested.
Thanks to Peter Lamberg, there are good instructions around on how to apply the patch and enable it. I’ve made available a pre-compiled 64-bit package here:
Below are instructions to compile one from scratch, followed by an example configuration.
Please remember, it is always a good practice to use SSL/TLS protection when sending user authentication information over the Internet.
Compiling a Patched Package in Ubuntu 12.04
Make a working directory:
    mkdir mod-auth-mysql-phpass
    cd mod-auth-mysql-phpass
Get the dependencies and source code for mod_auth_mysql:
    sudo apt-get build-dep mod-auth-mysql
    apt-get source mod-auth-mysql
Also install fakeroot for the patching to be successful:
    sudo apt-get install fakeroot
Go to the source code:
    cd mod-auth-mysql-4.3.9
Check patch list:
    cat debian/patches/00list
Add a new patch with the last patch in the list as the base (for me it was number 17):
    dpatch-edit-patch patch 018-phpass 017-doc_persistent_conn.dpatch
It should print something like this:
    dpatch-edit-patch:

    Now launching an interactive shell in your work directory. Edit your files.
    When you are done, exit the shell. When you exit the shell, your patch will be
    automatically updated based on the changes in your work directory.
Download the patch:
    wget http://pelam.fi/published_sources/mod-auth-mysql-phpass/patch.diff
Apply patch, then delete it:
    patch < patch.diff
    rm patch.diff
Exit dpatch-edit-patch:
    exit
It should print something like this:
    dpatch-edit-patch: /home/user/mod-auth-mysql-phpass/mod-auth-mysql-4.3.9/debian/patches/018-phpass.dpatch created.
Add the new patch to the end of the patch list:
    echo 018-phpass.dpatch >> debian/patches/00list
Build the patched version:
    dpkg-buildpackage -b -uc
The package should appear one level up in the directory tree:
    cd ..
Installing the Patched .deb
Just install:
    sudo dpkg --install libapache2-mod-auth-mysql_4.3.9-13ubuntu3_amd64.deb
And make sure it is not upgraded automatically:
    echo "libapache2-mod-auth-mysql hold" | sudo dpkg --set-selections
Configuring the Patched mod_auth_mysql
Enable the module:
    sudo a2enmod auth_mysql
Read the documentation:
    less /usr/share/doc/libapache2-mod-auth-mysql/DIRECTIVES.gz
Create a directory for protected files:
    mkdir /var/www/protected
Configure authentication either in the .htaccess file /var/www/protected/.htaccess (“AllowOverride AuthConfig Limit” must be enabled for this to work) or directly in the Apache configuration:

    # Disable file-based auth
    AuthBasicAuthoritative Off
    AuthUserFile /dev/null

    # Enable MySQL auth
    AuthMySQL On
    AuthType Basic
    AuthName "Unauthorized use prohibited"

    # Basic information - fill in your own details here
    Auth_MySQL_User DB_USER
    Auth_MySQL_Password DB_PASSWORD
    Auth_MySQL_Host DB_HOST
    Auth_MySQL_DB DB_NAME
    Auth_MySQL_CharacterSet utf8

    # The table and fields to use
    Auth_MySQL_Password_Table wp_users
    Auth_MySQL_Username_Field wp_users.user_login
    Auth_MySQL_Password_Field wp_users.user_pass
    # This is where we need the patch
    Auth_MySQL_Encryption_Types PHPass PHP_MD5

    # Any user found in the table can log in
    Require valid-user

    # Users can log in from anywhere
    Order allow,deny
    Allow from all
Replace the DB_* values with values of your own (you can use the same values you have in wp-config.php).
Add a test file:
    echo "test" > /var/www/protected/test.txt
Restart Apache:
    sudo service apache2 restart
Now you should be prompted for username and password when you try to fetch the test file. Also, you should be able to log in with your WordPress username and password but with nothing else.
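To see what the two configured encryption types have to verify, here is an added Python sketch (not the patch's code and not part of the original post) that checks a password against a portable phpass hash as stored in wp_users.user_pass, with a fallback for legacy MD5 values. The function names are hypothetical, PHP_MD5 is assumed to mean an unsalted hex MD5 digest, and the sample hash is the test value from phpass's own test.php.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Portable-hash test value from phpass's own test.php, password "test12345".
SAMPLE_HASH = "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"


def _encode64(data):
    """phpass base64 variant: little-endian 24-bit groups, no padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out += [ITOA64[(value >> (6 * n)) & 0x3F] for n in range(len(chunk) + 1)]
    return "".join(out)


def phpass_crypt(password, setting):
    """Recompute a portable phpass hash using the prefix of a stored hash."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        return None
    log2 = ITOA64.find(setting[3])      # iteration count is 2**log2
    if not 7 <= log2 <= 30:
        return None
    salt, pw = setting[4:12].encode("utf-8"), password.encode("utf-8")
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)


def check_password(password, stored):
    """PHPass first, then PHP_MD5 (assumed here to be unsalted hex MD5)."""
    if stored.startswith(("$P$", "$H$")):
        computed = phpass_crypt(password, stored)
        # Constant-time comparison of the recomputed and stored hash.
        return computed is not None and hmac.compare_digest(
            computed.encode("utf-8"), stored.encode("utf-8"))
    if len(stored) == 32:
        legacy = hashlib.md5(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(legacy.encode("utf-8"),
                                   stored.lower().encode("utf-8"))
    return False


if __name__ == "__main__":
    print(check_password("test12345", SAMPLE_HASH))   # correct password
    print(check_password("test12346", SAMPLE_HASH))   # wrong password
```

The salt and the iteration count travel inside the stored string, which is why a plain MD5 comparison cannot match these values.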
Protecting WordPress with HTTP Authentication
At first it may sound silly, but you may wish to protect the WordPress installation itself using HTTP authentication. This configuration is useful if you want each user to log in only once anywhere on your site (inside or outside of WordPress) using HTTP authentication.
To make WordPress recognize HTTP-authenticated users, install the HTTP Authentication plugin in WordPress, then enable it. The plugin needs no further configuration. Just protect what you want with Apache directives. You can protect the whole site, or just the wp-login.php file and the wp-admin directory to protect logins and administration with HTTP auth.