My small web server is now mostly working, but I'm having a very strange problem. I can *usually* add user accounts from the Shell using htpasswd, and they can log in successfully.
Except when I can't.
In *some" cases, usernames are added to the password file, and the password verifies correctly (using 'htppasswd -v ...'), but Apache still throws an error, e.g.:
[Sat Apr 29 17:12:10.790251 2023] [authz_core:error] [pid 17622:tid 17769] [client 82.69.61.82:40716] AH01631: user notatest: authorization failure for "/":
(NB: "authorization failure", not "authentication failure" as with a password mismatch.)
Since these are all fictitious users (i.e. not local UIDs) I don't understand what's going on. Either it should always work or always fail.
Suggestions welcome.
poc
On Sat, 2023-04-29 at 17:39 +0100, Patrick O'Callaghan wrote:
In *some" cases, usernames are added to the password file, and the password verifies correctly (using 'htppasswd -v ...'), but Apache still throws an error, e.g.:
[Sat Apr 29 17:12:10.790251 2023] [authz_core:error] [pid 17622:tid 17769] [client 82.69.61.82:40716] AH01631: user notatest: authorization failure for "/":
(NB: "authorization failure", not "authentication failure" as with a password mismatch.)
Since these are all fictitious users (i.e. not local UIDs) I don't understand what's going on. Either it should always work or always fail.
I can't say that I've experienced that. Are there unusual (non-ASCII) characters in the username or passwords that fail oddly?
On Sat, 2023-04-29 at 17:39 +0100, Patrick O'Callaghan wrote:
In *some" cases, usernames are added to the password file, and the password verifies correctly (using 'htppasswd -v ...'), but Apache still throws an error, e.g.:
[Sat Apr 29 17:12:10.790251 2023] [authz_core:error] [pid 17622:tid 17769] [client 82.69.61.82:40716] AH01631: user notatest: authorization failure for "/":
(NB: "authorization failure", not "authentication failure" as with a password mismatch.)
Further thoughts... That error sound backwards.
A password mismatch ought to be authorisation failure (you are not authorised). An authentication failure would be some other problem (it can't do the authentication).
Are all the failures for trying to access the same thing?
The .htpasswd file should be outside of the webserving tree. Are you sure you're only using one file, or are correctly specifying the right one?
The .htaccess files which mention which .htpasswd file to use should use the full filepath to the .htpasswd file. And mention the correct type of authentication being used (bearing in mind that only some methods are actually usable). And you have to use the same scheme when creating the passwords.
AuthType Basic AuthName "Secure space" AuthUserFile /var/www/.htpasswd Require valid-user Satisfy All
Have you looked through Apache's own docs regarding it? e.g. https://httpd.apache.org/docs/2.4/programs/htpasswd.html
On Sun, 2023-04-30 at 06:10 +0930, Tim via users wrote:
On Sat, 2023-04-29 at 17:39 +0100, Patrick O'Callaghan wrote:
In *some" cases, usernames are added to the password file, and the password verifies correctly (using 'htppasswd -v ...'), but Apache still throws an error, e.g.:
[Sat Apr 29 17:12:10.790251 2023] [authz_core:error] [pid 17622:tid 17769] [client 82.69.61.82:40716] AH01631: user notatest: authorization failure for "/":
(NB: "authorization failure", not "authentication failure" as with a password mismatch.)
Further thoughts... That error sound backwards.
I figured it out, see below.
A password mismatch ought to be authorisation failure (you are not authorised). An authentication failure would be some other problem (it can't do the authentication).
I don't think so. Authentication is about identifying the user, authorisation is deciding what they can do.
Are all the failures for trying to access the same thing?
Yes, and so are the successes.
The .htpasswd file should be outside of the webserving tree. Are you sure you're only using one file, or are correctly specifying the right one?
Yes and yes.
The .htaccess files which mention which .htpasswd file to use should use the full filepath to the .htpasswd file. And mention the correct type of authentication being used (bearing in mind that only some methods are actually usable). And you have to use the same scheme when creating the passwords.
AuthType Basic AuthName "Secure space" AuthUserFile /var/www/.htpasswd Require valid-user Satisfy All
The problem is that I was specifying a Group file and had Require Group. Any user not in the Group file would fail. I've removed that requirement and it works now.
Frankly, the Apache error log could be more informative ...
(BTW "Satisfy All" is no longer necessary. It's supported for backward compatibility.)
Thanks again.
poc
Tim:
A password mismatch ought to be authorisation failure (you are not authorised). An authentication failure would be some other problem (it can't do the authentication).
Patrick O'Callaghan:
I don't think so. Authentication is about identifying the user, authorisation is deciding what they can do.
Not on my server. Well, it's semantics. If I don't enter the password, or try the wrong one, it's an authentication ERROR, and I am not authorised.
------------------- 401 error (proper authorisation is required)
Authentication error information
The resource you tried to retrieve requires you to provide username and password credentials, but your request either didn't include them, or didn't include them properly. -------------------
And the logs will have something like:
[Sun Apr 30 15:49:14.261826 2023] [auth_basic:error] [pid 18610] [client 192.168.1.1:36072] AH01618: user gfgaa not found: /personal/testbox/strong/
I wouldn't call that an auth failure, it's actually doing its job.
If I configure the server incorrectly, I may get a 500 error, but that will be an authentication failure (it can't do the job).
e.g. If I try to use MD5 when it's not possible, I will get a 500 error
----------------------- 500 Internal Server Error Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request. ------------------------
And this in the logs:
[Sun Apr 30 15:44:36.485184 2023] [authn_core:error] [pid 19426] [client 192.168.1.1:36034] AH01796: AuthType MD5 configured without corresponding module
On Sun, 2023-04-30 at 15:58 +0930, Tim via users wrote:
Tim:
A password mismatch ought to be authorisation failure (you are not authorised). An authentication failure would be some other problem (it can't do the authentication).
Patrick O'Callaghan:
I don't think so. Authentication is about identifying the user, authorisation is deciding what they can do.
Not on my server. Well, it's semantics. If I don't enter the password, or try the wrong one, it's an authentication ERROR, and I am not authorised.
Of course. Authorization depends on authentication.
401 error (proper authorisation is required)
Authentication error information
Exactly. An authentication error.
The resource you tried to retrieve requires you to provide username and password credentials, but your request either didn't include them, or didn't include them properly.
And the logs will have something like:
[Sun Apr 30 15:49:14.261826 2023] [auth_basic:error] [pid 18610] [client 192.168.1.1:36072] AH01618: user gfgaa not found: /personal/testbox/strong/
I wouldn't call that an auth failure, it's actually doing its job.
By "authorization failure" I simply mean "the user failed to authenticate themselves", not that there's necessarily something wrong with Apache.
If I configure the server incorrectly, I may get a 500 error, but that will be an authentication failure (it can't do the job).
e.g. If I try to use MD5 when it's not possible, I will get a 500 error
500 Internal Server Error Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request.
And this in the logs:
[Sun Apr 30 15:44:36.485184 2023] [authn_core:error] [pid 19426] [client 192.168.1.1:36034] AH01796: AuthType MD5 configured without corresponding module
In this case that would be an internal issue, manifested as an authentication error. It's unfortunate that both terms have the prefix "auth" and the message could be clearer. However that's not what I'm talking about in this case.
An *authorization error" would be where I can log in but can't use some resource because I don't have the proper access rights. In my case I couldn't log in, so the question of authorization didn't arise.
Cheers
poc
-
Patrick O'Callaghan -
Tim