
[Solved] username / password authentication

Added by drkbkr about 6 years ago

Hi, we're having some trouble with username / password authentication and were wondering if anyone could help. I've stripped pieces of the configuration out (and changed the backend to plain) so it's as simple as possible.

Partly what I'm asking for help with is just debugging, but if I'm doing anything obviously wrong, pointing that out would be appreciated.

Relevant information:

uname -a
Linux buildroot 4.9.0-xilinx #1 SMP PREEMPT Wed Mar 28 12:34:04 EDT 2018 armv7l GNU/Linux

lighttpd -v
lighttpd/1.4.48 (ssl) - a light and fast webserver

cat /etc/lighttpd/lighttpd-no-apps.config
server.errorlog = "/var/log/lighttpd_error.log" 
accesslog.filename = "/var/log/lighttpd_access.log" 

server.modules = (
    "mod_accesslog",
    "mod_auth",
    "mod_authn_file" 
)

auth.backend = "plain" 
auth.backend.plain.userfile = "/etc/lighttpd/.lighttpd_plain_passwd" 
auth.require = ("/test" =>
        (
        "method" => "basic",
        "realm" => "Enter password",
        "require" => "valid-user" 
        )
)

server.document-root="/var/www" 

mimetype.assign = (
    ".html" => "text/html" 
)

index-file.names = ( "index.html" )

cat /etc/lighttpd/.lighttpd_plain_passwd
foo:foo

lighttpd is started (as root) with this command:

/usr/sbin/lighttpd -f /etc/lighttpd/lighttpd-no-apps.config

Then I run curl:

curl -v  -u foo:foo http://192.168.1.2/test
*   Trying 192.168.1.2...
* TCP_NODELAY set
* Connected to 192.168.1.2 (192.168.1.2) port 80 (#0)
* Server auth using Basic with user 'foo'
> GET /test HTTP/1.1
> Host: 192.168.1.2
> Authorization: Basic Zm9vOmZvbw==
> User-Agent: curl/7.59.0
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Enter password", charset="UTF-8" 
< Content-Type: text/html
< Content-Length: 351
< Date: Wed, 18 Apr 2018 15:03:54 GMT
< Server: lighttpd/1.4.48
< 
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>401 - Unauthorized</title>
 </head>
 <body>
  <h1>401 - Unauthorized</h1>
 </body>
</html>
* Connection #0 to host 192.168.1.2 left intact

In the error log I find:

2018-04-18 15:03:54: (mod_auth.c.525) password doesn't match for /test username: foo, IP: 192.168.1.3

Thanks in advance,
Derek


Replies (7)

RE: username / password authentication - Added by gstrauss about 6 years ago

The config works fine -- I just tested it as a non-root user on a high port. (I am running lighttpd 1.4.49 + dev branch, but should be the same behavior)

Make sure you have properly restarted lighttpd and verify that you are using 'foo' (without quotes) as password, based on the info you provided above.

RE: username / password authentication - Added by drkbkr about 6 years ago

Thanks.

I don't use curl often but I think the command

curl -v  -u foo:foo http://192.168.1.2/test

should send the user name and password as expected.

And I think killall lighttpd, confirming it's not running anymore, then running

/usr/sbin/lighttpd -f /etc/lighttpd/lighttpd-no-apps.config

should start it up correctly. But I've also rebooted and let the init system start it up too.

I think for my sanity's sake I'll rebuild lighttpd with some extra debug output so I can see what it's comparing when it's matching passwords. Maybe we have some really weird network and / or file system problem.

RE: username / password authentication - Added by gstrauss almost 6 years ago

Check the contents of /etc/lighttpd/.lighttpd_plain_passwd and maybe check your editor.
Rewrite the file with: $ echo foo:foo > /etc/lighttpd/.lighttpd_plain_passwd

The following works fine for me
$ curl -u foo:foo http://127.0.0.1:8080/test

with lighttpd.conf

server.port = 8080
server.document-root = "/var/www" 
index-file.names = ( "index.html" )
mimetype.assign = ( ".html" => "text/html" )
server.modules = ( "mod_auth", "mod_authn_file" )
auth.backend = "plain" 
auth.backend.plain.userfile = "/etc/lighttpd/.lighttpd_plain_passwd" 
auth.require = ("/test" =>
  ("method" => "basic", "realm" => "Enter password", "require" => "valid-user" )
)

RE: username / password authentication - Added by drkbkr almost 6 years ago

Some new information:

I added the line

log_error_write(srv, __FILE__, __LINE__, "sb", "username is", username);

at line 505 of mod_auth.c.

When I use foo:foo in the curl command,

2018-04-19 13:24:34: (mod_auth.c.505) username is foo:foo?\xfd

is written to the log.

When I use foo:fo in the curl command,

2018-04-19 13:24:41: (mod_auth.c.505) username is foo:fo

is written to the log.

After some experimentation we've come to the conclusion that if the length of that username string (including the colon) isn't a multiple of 3, something is padding the end of the string.

Some other info: we're building lighttpd for arm (little endian) using buildroot, which is using the Linaro ARM 2017.11 compiler.

Thanks again for your help.

Derek

RE: username / password authentication - Added by drkbkr almost 6 years ago

And a bit more.

I've also printed out the authentication header:

log_error_write(srv, __FILE__, __LINE__, "sb", "ds is: ", ds->value);

on line 466 of mod_auth.c. That value matches what curl is sending. I took that value (Zm9vOmZvbw==) and passed it through the base64 command and get foo:foo in response. But when it goes through buffer_append_base64_decode in base64.c it comes out padded with the extra characters.

RE: username / password authentication - Added by avij almost 6 years ago

https://github.com/lighttpd/lighttpd1.4/commit/d4083effab0f9bf76528d5c47198b17e7471ed13 is probably related. This bug affects base64 decode on some unusual CPU architectures.

Applying the patch or upgrading to 1.4.49 should resolve your issue.
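
Added example, not part of the thread and not lighttpd's code: a small base64 decoder that reproduces the reported symptom (extra trailing bytes only when the input carries '=' padding) on any machine. It assumes one possible mechanism that the thread itself does not state: the reverse-lookup value passing through a plain char, which is unsigned on ARM Linux; the as_unsigned switch and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Reverse lookup: 0..63 for alphabet characters, -1 for everything else,
 * including the '=' pad character. */
static int b64_val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode in[0..inlen) into out (caller provides at least inlen bytes).
 * Returns the decoded length, or -1 on an invalid character.
 * as_unsigned != 0 narrows the lookup result to unsigned char first, as a
 * table of plain `char` would on an ABI where char is unsigned: -1 turns
 * into 255 and the "negative means pad or invalid" test never fires. */
static int b64_decode(const char *in, size_t inlen, unsigned char *out,
                      int as_unsigned) {
    unsigned int acc = 0;
    int bits = 0, n = 0;
    for (size_t i = 0; i < inlen; i++) {
        int v = b64_val((unsigned char)in[i]);
        if (as_unsigned) v = (unsigned char)v;
        if (v < 0) {
            if (in[i] == '=') break;   /* padding ends the data */
            return -1;                 /* not a base64 character */
        }
        acc = (acc << 6) | (unsigned int)(v & 0x3f);
        bits += 6;
        if (bits >= 8) { bits -= 8; out[n++] = (unsigned char)(acc >> bits); }
    }
    return n;
}

int main(void) {
    const char *hdr = "Zm9vOmZvbw==";   /* value from the curl trace above */
    unsigned char buf[16];
    printf("signed lookup:   %d bytes\n", b64_decode(hdr, strlen(hdr), buf, 0));
    printf("unsigned lookup: %d bytes\n", b64_decode(hdr, strlen(hdr), buf, 1));
    return 0;
}
```

With the signed lookup the header decodes to the 7 bytes of foo:foo; with the narrowed lookup the two '=' characters are decoded as data and two extra bytes follow, while an unpadded input such as Zm9vOmZv (foo:fo) is unaffected either way.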

RE: username / password authentication - Added by drkbkr almost 6 years ago

Thanks guys, the patch got it fixed up.
