>Number:         4700
>Category:       mod_auth-any
>Synopsis:       Basic Authentication - Correct Username/Password pairs never accepted
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Jul  5 14:50:00 PDT 1999
>Last-Modified:
>Originator:     [EMAIL PROTECTED]
>Organization:
apache
>Release:        1.3.6
>Environment:
uname -a: Linux xxx.xxx.xxx.xxx 2.2.3 #8 SMP Wed Apr 7 16:12:59 CDT 1999 i686 unknown
gcc --version: 2.7.2.3
ldd httpd:
        libm.so.5 => libm.so.5.0.9
        libcrypt.so.1 => libcrypt-2.0.7.so
        libc.so.6 => libc-2.0.7.so
        /lib/ld-linux.so.2 => ld-2.0.7.so
>Description:
Upgraded from 1.3.4 to 1.3.6
Basic Authentication with one user in one group
User is never allowed access
Nothing ever logged in either the Root Server or Virtual Host error log files
>How-To-Repeat:
(Not) working example currently at http://passwdtest.daughtkom.com/
Use Apache version 1.3.6

/usr/httpd/conf/httpd.conf:

# This is my configuration of compiled in modules
Alias /icons/ /usr/httpd/icons/
IndexOptions FancyIndexing IconHeight IconWidth NameWidth=* SuppressDescription
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
[more icons types]
AddIcon /icons/binary.gif .bin .exe
[more icons]
DefaultIcon /icons/unknown.gif
ReadmeName README
HeaderName HEADER
IndexIgnore .??* *~ *# HEADER* README* RCS
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /var/log/httpd/access_log common
TypesConfig /etc/mime.types
AddEncoding x-compress Z
AddEncoding x-gzip gz
AddLanguage en .en
# LanguagePriority en
AddType text/html .shtml
AddHandler server-parsed .shtml
AddHandler imap-file map
BrowserMatch "Mozilla/2" nokeepalive
[more browser matches]

# These are my global settings
AccessConfig /dev/null
BindAddress *
ContentDigest off
CoreDumpDirectory /usr/httpd
DefaultType text/plain
DirectoryIndex index.html index.shtml
DocumentRoot /usr/httpd/html
ErrorLog /var/log/httpd/error_log
Group www
HostNameLookups off
IdentityCheck off
KeepAlive On
KeepAliveTimeout 15
LogLevel crit
MaxClients 256
MaxKeepAliveRequests 100
MaxRequestsPerChild 0
MaxSpareServers 10
MinSpareServers 5
PidFile /var/run/httpd.pid
Port 80
ResourceConfig /dev/null
ScoreBoardFile /var/run/httpd.scoreboard
ServerAdmin [EMAIL PROTECTED]
ServerName localhost
ServerRoot /usr/httpd
ServerSignature Off
ServerTokens Minimal
ServerType standalone
StartServers 5
TimeOut 300
UseCanonicalName on
User www

<Directory />
    AllowOverride None
    Deny from All
    Order deny,allow
    Options None
</Directory>

<Directory /usr/httpd/icons>
    Allow from All
    Order allow,deny
</Directory>

<Directory /usr/httpd/html>
    Allow from All
    Order allow,deny
</Directory>

# And finally the virtual hosts
NameVirtualHost 216.178.140.50

<VirtualHost 216.178.140.50>
    ServerName passwdtest.daughtkom.com
    DocumentRoot /home/passwdtest/html
    ServerAdmin [EMAIL PROTECTED]
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    CustomLog /home/passwdtest/var/log/access_log common
    ErrorLog /home/passwdtest/var/log/error_log

    <Directory /home/passwdtest/html>
        Allow from All
        Order allow,deny
    </Directory>

    <Directory /home/passwdtest/html/password_protected>
        AuthGroupFile conf/group
        AuthUserFile conf/passwd
        AuthType Basic
        AuthName "Test User"
        require group test
    </Directory>
</VirtualHost>

/usr/httpd/conf/group:

test: test

/usr/httpd/conf/passwd:

test:C284MBhj4uIVY

>Fix:
Fix or document what has changed from 1.3.4 to 1.3.6 regarding authentication configuration.

Thank you
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <[EMAIL PROTECTED]> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or      ]
["Re: general/1098:"). If the subject doesn't match this        ]
[pattern, your message will be misfiled and ignored. The        ]
["apbugs" address is not added to the Cc line of messages from  ]
[the database automatically because of the potential for mail   ]
[loops. If you do not include this Cc, your reply may be ig-    ]
[nored unless you are responding to an explicit request from a  ]
[developer. Reply only with text; DO NOT SEND ATTACHMENTS!      ]
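The setup in this PR depends on three things mod_auth does on every request to the protected directory: resolving a relative AuthUserFile/AuthGroupFile against ServerRoot, looking the user up in the user file and matching the password against its crypt(3) hash, and checking membership in the group named by `require group`. The script below is an added example, not Apache code and not part of the report; it re-implements those checks in Python over the exact directive values and one-line files quoted above so each step can be audited separately. The function names (`resolve_auth_path`, `parse_user_file`, `parse_group_file`, `hash_kind`, `require_group_allows`, `verify_password`, `audit`) are the example's own, and the embedded file contents are constructed from the PR.

```python
import posixpath
import re

# Constructed sample input, copied from the directives and files quoted in
# the PR (ServerRoot, the two Auth*File values, and the one-line files).
SERVER_ROOT = "/usr/httpd"
AUTH_USER_FILE = "conf/passwd"
AUTH_GROUP_FILE = "conf/group"
PASSWD_TEXT = "test:C284MBhj4uIVY\n"
GROUP_TEXT = "test: test\n"

# Traditional DES crypt(3): 2-char salt + 11 chars, alphabet [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def resolve_auth_path(path, server_root=SERVER_ROOT):
    """Apache resolves a non-absolute AuthUserFile/AuthGroupFile against ServerRoot."""
    if posixpath.isabs(path):
        return path
    return posixpath.join(server_root, path)


def parse_user_file(text):
    """AuthUserFile lines are 'user:hash'; blank lines and '#' comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, pw_hash = line.partition(":")
        if not sep:
            continue  # malformed line without a separator: ignored, never matched
        users[user.strip()] = pw_hash.strip()
    return users


def parse_group_file(text):
    """AuthGroupFile lines are 'group: user1 user2 ...' (whitespace-separated members)."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, sep, members = line.partition(":")
        if not sep:
            continue
        groups[group.strip()] = set(members.split())
    return groups


def hash_kind(pw_hash):
    """Classify the stored password field so an unrecognised format shows up in the audit."""
    if DES_CRYPT_RE.match(pw_hash):
        return "des-crypt"
    if pw_hash.startswith("$apr1$"):  # Apache MD5 format used by later htpasswd versions
        return "apr1-md5"
    if pw_hash.startswith("{SHA}"):   # SHA1 format used by later htpasswd versions
        return "sha1"
    return "unknown"


def require_group_allows(user, required_groups, users, groups):
    """Mirror of 'require group ...': the user must exist in the user file and be
    listed in at least one of the named groups."""
    if user not in users:
        return False
    return any(user in groups.get(g, set()) for g in required_groups)


def verify_password(user, password, users):
    """Compare a candidate password with the stored DES crypt hash.
    Returns None when this interpreter has no crypt module (removed in Python 3.13)."""
    stored = users.get(user)
    if stored is None or hash_kind(stored) != "des-crypt":
        return False
    try:
        import crypt  # deprecated since 3.11, absent in 3.13+
    except ImportError:
        return None
    return crypt.crypt(password, stored) == stored


def audit(user, required_groups):
    """Run every check the PR's configuration relies on and return the findings."""
    users = parse_user_file(PASSWD_TEXT)
    groups = parse_group_file(GROUP_TEXT)
    return {
        "user_file": resolve_auth_path(AUTH_USER_FILE),
        "group_file": resolve_auth_path(AUTH_GROUP_FILE),
        "user_known": user in users,
        "hash_kind": hash_kind(users.get(user, "")),
        "group_ok": require_group_allows(user, required_groups, users, groups),
    }


if __name__ == "__main__":
    for key, value in audit("test", ["test"]).items():
        print(f"{key}: {value}")
```

Running the audit for user `test` against `require group test` shows the files resolve to /usr/httpd/conf/passwd and /usr/httpd/conf/group, the user is present with a well-formed DES crypt hash, and the group check passes; the one thing the report cannot settle offline is whether the submitted password matches the hash, which is why `verify_password` is kept separate and only runs where crypt(3) is available.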