Apache mod-auth-mysql with phpass encrypted password (WordPress)

1 comment

1. You can use a patched version of mod-auth-mysql to accept Phpass encrypted passwords. I’ll include instructions on how to do this in ubuntu and debian.

   The raw patch file is available here

   Patching Mod-auth-mysql in Ubuntu/Debian to support Phpass

   These instructions have been tested in Ubuntu 10.4, 12.04 and 14.04.5, but should work on many other Debian based platforms with minimal changes.

   Create a working directory for building the patched .deb package

   mkdir mod-auth-mysql-phpass
   cd mod-auth-mysql-phpass
   

   Get dependencies needed for building the package and the package source.

   sudo apt-get build-dep mod-auth-mysql fakeroot
   apt-get source mod-auth-mysql
   

   Go to the newly created source folder.

   cd mod-auth-mysql-4.3.9
   

   Use Debian tool to create a properly debian formatted patch (.dpatch). First check the current list of patches.

   cat debian/patches/00list
   

   The last official patch will be at the end of the list. Use the name of the last patch
   as the last argument of dpatch-edit-patch command below. Also pick a number one greater for the name of the new phpass patch.
   In my case the last patch in the list was 017-doc_persistent_conn.dpatch and the name of phpass patch is then 018-phpass.

   dpatch-edit-patch patch 018-phpass 017-doc_persistent_conn.dpatch
   

   dpatch-edit-patch will start a new shell inside a special folder that
   it will use to build the custom debian formatted patch.

   download the raw patch

   wget https://pelam.fi/published_sources/mod-auth-mysql-phpass/patch.diff
   

   Apply the raw patch and delete it.

   patch < patch.diff
   rm patch.diff
   

   Tell dpatch-edit-patch that our custom patch can be generated.

   exit
   

   Wonder at your new properly Debian formatted patch. You should also
   review the changes made by this unofficial patch if you care about security 🙂

   cat debian/patches/018-phpass.dpatch 
   

   Add the new patch to the list of patches to be applied when .deb package is built.

   echo 018-phpass.dpatch >> debian/patches/00list 
   

   Build the patched package

   dpkg-buildpackage -b -uc
   

   Now you can install your custom built .deb package (the built package name may vary depending on your system).

   sudo dpkg --install ../libapache2-mod-auth-mysql_4.3.9-13.1ubuntu3_amd64.deb
   

   Configuring Mod-auth-mysql to Authenticate Against WordPress Using Phpass

   Enable mod-auth-mysql:

   sudo a2enmod auth_mysql
   

   Restart apache for the new module to take effect:

   sudo service apache2 restart
   

   The documentation (Now including Phpass) can be viewed with eg. less command

   zless /usr/share/doc/libapache2-mod-auth-mysql/DIRECTIVES.gz
   

   Here is a sample .htaccess file that allows access only for WordPress administrators:

   AuthType Basic
   AuthName "Give WordPress Administrator username and password"
   
   Auth_MySQL_User YOUR_MYSQL_USER_HERE
   Auth_MySQL_Password YOUR_MYSQL_PASSWORD_HERE
   Auth_MySQL_Host YOUR_MYSQL_SERVER_HERE
   
   AuthBasicAuthoritative Off
   # I don't know a better way to disable the default password file authentication
   AuthUserFile /dev/null
   Auth_MySQL on
   Auth_MySQL_DB YOUR_WORDPRESS_MYSQL_SCHEMA_NAME_HERE
   Auth_MySQL_Password_Table wp_users
   Auth_MySQL_Username_Field wp_users.user_login
   Auth_MySQL_Password_Field wp_users.user_pass
   Auth_MySQL_Encryption_Types PHPass PHP_MD5
   
   Auth_MySQL_Group_Table "wp_users, wp_usermeta"
   Auth_MySQL_Group_Clause "AND wp_users.ID = wp_usermeta.user_id AND wp_usermeta.meta_key='wp-capabilities' and m.meta_value like '%s:13:"administrator"%'"
   Auth_MySQL_Persistent On
   Auth_MySQL_Authoritative Off
   Auth_MySQL_CharacterSet utf8
   
   Require valid-user
   Order allow,deny
   Allow from all
   

   Log in to Reply