Apache mod-auth-mysql with phpass encrypted password (WordPress)

I need to have password protection on some web pages outside of the main WordPress site. The users would prefer to use the usernames and passwords they already have in WordPress.

The obvious solution would seem to be to use the Apache module for MySQL-based authentication: mod-auth-mysql.

This however does not seem to be possible, because WordPress uses Phpass password encryption, which is not supported by mod-auth-mysql.

Is there any way to get around this limitation?

  1. You can use a patched version of mod-auth-mysql to accept Phpass encrypted passwords. I’ll include instructions on how to do this in Ubuntu and Debian.

    The raw patch file is available here

    Patching Mod-auth-mysql in Ubuntu/Debian to support Phpass

    These instructions have been tested in Ubuntu 10.4, 12.04 and 14.04.5, but should work on many other Debian-based platforms with minimal changes.

    Create a working directory for building the patched .deb package

    mkdir mod-auth-mysql-phpass
    cd mod-auth-mysql-phpass
    

    Get dependencies needed for building the package and the package source.

    sudo apt-get build-dep mod-auth-mysql fakeroot
    apt-get source mod-auth-mysql
    

    Go to the newly created source folder.

    cd mod-auth-mysql-4.3.9
    

    Use the Debian tool to create a properly Debian-formatted patch (.dpatch). First check the current list of patches.

    cat debian/patches/00list
    

    The last official patch will be at the end of the list. Use the name of the last patch
    as the last argument of the dpatch-edit-patch command below. Also pick a number one greater for the name of the new phpass patch.
    In my case the last patch in the list was 017-doc_persistent_conn.dpatch and the name of the phpass patch is then 018-phpass.

    dpatch-edit-patch patch 018-phpass 017-doc_persistent_conn.dpatch
    

    dpatch-edit-patch will start a new shell inside a special folder that
    it will use to build the custom debian formatted patch.

    Download the raw patch.

    wget https://pelam.fi/published_sources/mod-auth-mysql-phpass/patch.diff
    

    Apply the raw patch and delete it.

    patch < patch.diff
    rm patch.diff
    

    Tell dpatch-edit-patch that our custom patch can be generated.

    exit
    

    Wonder at your new properly Debian formatted patch. You should also
    review the changes made by this unofficial patch if you care about security 🙂

    cat debian/patches/018-phpass.dpatch 
    

    Add the new patch to the list of patches to be applied when the .deb package is built.

    echo 018-phpass.dpatch >> debian/patches/00list 
    

    Build the patched package

    dpkg-buildpackage -b -uc
    

    Now you can install your custom built .deb package (the built package name may vary depending on your system).

    sudo dpkg --install ../libapache2-mod-auth-mysql_4.3.9-13.1ubuntu3_amd64.deb
    

    Configuring Mod-auth-mysql to Authenticate Against WordPress Using Phpass

    Enable mod-auth-mysql:

    sudo a2enmod auth_mysql
    

    Restart apache for the new module to take effect:

    sudo service apache2 restart
    

    The documentation (now including Phpass) can be viewed with e.g. the less command:

    zless /usr/share/doc/libapache2-mod-auth-mysql/DIRECTIVES.gz
    

    Here is a sample .htaccess file that allows access only for WordPress administrators:

    AuthType Basic
    AuthName "Give WordPress Administrator username and password"
    
    Auth_MySQL_User YOUR_MYSQL_USER_HERE
    Auth_MySQL_Password YOUR_MYSQL_PASSWORD_HERE
    Auth_MySQL_Host YOUR_MYSQL_SERVER_HERE
    
    AuthBasicAuthoritative Off
    # I don't know a better way to disable the default password file authentication
    AuthUserFile /dev/null
    Auth_MySQL on
    Auth_MySQL_DB YOUR_WORDPRESS_MYSQL_SCHEMA_NAME_HERE
    Auth_MySQL_Password_Table wp_users
    Auth_MySQL_Username_Field wp_users.user_login
    Auth_MySQL_Password_Field wp_users.user_pass
    Auth_MySQL_Encryption_Types PHPass PHP_MD5
    
    Auth_MySQL_Group_Table "wp_users, wp_usermeta"
    # meta_key is <table prefix>capabilities (wp_capabilities with the default wp_ prefix)
    Auth_MySQL_Group_Clause "AND wp_users.ID = wp_usermeta.user_id AND wp_usermeta.meta_key='wp_capabilities' AND wp_usermeta.meta_value LIKE '%s:13:\"administrator\"%'"
    Auth_MySQL_Persistent On
    Auth_MySQL_Authoritative Off
    Auth_MySQL_CharacterSet utf8
    
    Require valid-user
    Order allow,deny
    Allow from all
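
For anyone reviewing what the patched module has to compute, here is the phpass portable-hash check (the `$P$` values in `wp_users.user_pass`) as an added Python example; it is not part of the answer above or of the patch. It also accepts the legacy unsalted MD5 hex values that older WordPress rows may still hold, and the sample hash is constructed here with a fixed salt.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data: bytes) -> str:
    """phpass's own base64 variant: little-endian 3-byte groups, ITOA64 alphabet."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        # n input bytes yield n + 1 output characters
        out.extend(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(len(chunk) + 1))
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Recompute a portable hash from the first 12 characters of a stored one."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.find(setting[3])  # iteration count is 2**count_log2
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt, pw = setting[4:12].encode(), password.encode("utf-8")
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)


def check_password(password: str, stored: str) -> bool:
    """Verify against a $P$ hash, or a legacy unsalted MD5 hex value."""
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored):
        computed = hashlib.md5(password.encode("utf-8")).hexdigest()
    else:
        try:
            computed = phpass_hash(password, stored)
        except ValueError:
            return False  # unknown or malformed format: reject
    # constant-time comparison of the full stored string
    return hmac.compare_digest(computed.encode(), stored.encode())


if __name__ == "__main__":
    # Constructed sample: a hash made here with a fixed salt, not real data.
    sample = phpass_hash("correct horse", "$P$B" + "abcdefgh")
    print(sample, check_password("correct horse", sample), check_password("wrong", sample))
```

The fourth character of the stored hash encodes the iteration count (`B` means 2**13 rounds of MD5), so the cost of each login check is fixed by the row, not by the Apache configuration.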