Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Apache mod-auth-mysql with phpass encrypted password (Wordpress)

I need to have password protection on some web pages outside of the main Wordpress site. The users would prefer to use the usernames and passwords they already have in the Wordpress.

The obvious solution would seem to be to use the Apace module for Mysql based authentication: mod-auth-mysql.

This however does not seem to be possible, because Wordpress uses Phpass password encryption, which is not supported by mod-auth-mysql.

  • http://modauthmysql.sourceforge.net/CONFIGURE
  • http://www.openwall.com/phpass/
  • https://wordpress.stackexchange.com/questions/32004/how-to-validate-wordpress-generated-password-in-db-using-php

Is there any way to get around this limitation?

like image 694
Peter Lamberg Avatar asked Jan 16 '23 12:01

Peter Lamberg


1 Answers

You can use a patched version of mod-auth-mysql to accept Phpass encrypted passwords. I'll include instructions on how to do this in ubuntu and debian.

The raw patch file is available here

Patching Mod-auth-mysql in Ubuntu/Debian to support Phpass

These instructions have been tested in Ubuntu 10.4, 12.04 and 14.04.5, but should work on many other Debian based platforms with minimal changes.

Create a working directory for building the patched .deb package

mkdir mod-auth-mysql-phpass
cd mod-auth-mysql-phpass

Get dependencies needed for building the package and the package source.

sudo apt-get build-dep mod-auth-mysql fakeroot
apt-get source mod-auth-mysql

Go to the newly created source folder.

cd mod-auth-mysql-4.3.9

Use Debian tool to create a properly debian formatted patch (.dpatch). First check the current list of patches.

cat debian/patches/00list

The last official patch will be at the end of the list. Use the name of the last patch as the last argument of dpatch-edit-patch command below. Also pick a number one greater for the name of the new phpass patch. In my case the last patch in the list was 017-doc_persistent_conn.dpatch and the name of phpass patch is then 018-phpass.

dpatch-edit-patch patch 018-phpass 017-doc_persistent_conn.dpatch

dpatch-edit-patch will start a new shell inside a special folder that it will use to build the custom debian formatted patch.

download the raw patch

wget https://pelam.fi/published_sources/mod-auth-mysql-phpass/patch.diff

Apply the raw patch and delete it.

patch < patch.diff
rm patch.diff

Tell dpatch-edit-patch that our custom patch can be generated.

exit

Wonder at your new properly Debian formatted patch. You should also review the changes made by this unofficial patch if you care about security :)

cat debian/patches/018-phpass.dpatch 

Add the new patch to the list of patches to be applied when .deb package is built.

echo 018-phpass.dpatch >> debian/patches/00list 

Build the patched package

dpkg-buildpackage -b -uc

Now you can install your custom built .deb package (the built package name may vary depending on your system).

sudo dpkg --install ../libapache2-mod-auth-mysql_4.3.9-13.1ubuntu3_amd64.deb

Configuring Mod-auth-mysql to Authenticate Against Wordpress Using Phpass

Enable mod-auth-mysql:

sudo a2enmod auth_mysql

Restart apache for the new module to take effect:

sudo service apache2 restart

The documentation (Now including Phpass) can be viewed with eg. less command

zless /usr/share/doc/libapache2-mod-auth-mysql/DIRECTIVES.gz

Here is a sample .htaccess file that allows access only for Wordpress administrators:

AuthType Basic
AuthName "Give Wordpress Administrator username and password"

Auth_MySQL_User YOUR_MYSQL_USER_HERE
Auth_MySQL_Password YOUR_MYSQL_PASSWORD_HERE
Auth_MySQL_Host YOUR_MYSQL_SERVER_HERE

AuthBasicAuthoritative Off
# I don't know a better way to disable the default password file authentication
AuthUserFile /dev/null
Auth_MySQL on
Auth_MySQL_DB YOUR_WORDPRESS_MYSQL_SCHEMA_NAME_HERE
Auth_MySQL_Password_Table wp_users
Auth_MySQL_Username_Field wp_users.user_login
Auth_MySQL_Password_Field wp_users.user_pass
Auth_MySQL_Encryption_Types PHPass PHP_MD5

Auth_MySQL_Group_Table "wp_users, wp_usermeta"
Auth_MySQL_Group_Clause "AND wp_users.ID = wp_usermeta.user_id AND wp_usermeta.meta_key='wp-capabilities' and m.meta_value like '%s:13:\"administrator\"%'"
Auth_MySQL_Persistent On
Auth_MySQL_Authoritative Off
Auth_MySQL_CharacterSet utf8

Require valid-user
Order allow,deny
Allow from all
like image 159
Peter Lamberg Avatar answered Jan 30 '23 21:01

Peter Lamberg