The pwauth binary is installed with the SGID bit set. It should be SUID instead.
Here is a patch that resolves the issue for me:

<snip> --- debian/rules 2012-12-05 12:01:02.043035975 +1100 +++ debian/rules.orig 2012-12-05 12:04:28.501524220 +1100 @@ -13 +13 @@ - chmod 4755 $(CURDIR)/debian/pwauth/usr/sbin/pwauth + chmod 2755 $(CURDIR)/debian/pwauth/usr/sbin/pwauth <snip>

Here's the test:

tmclaughlin@localhost:~/src$ sudo su - www-data
No directory, logging in with HOME=/
$ /usr/sbin/pwauth
tmclaughlin
s3cr3tpa$$word
$ echo $?
0

For a quick workaround, simply "chmod 4755 /usr/sbin/pwauth".

Now I can authenticate Apache the way I want :)

Thanks all,
Toby.
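
Review bot: The diff is reversed. The "-" line is "chmod 4755 ..." and the "+" line is "chmod 2755 ...", with debian/rules as the old file and debian/rules.orig as the new one, so applying it as posted would restore the SGID mode rather than set the SUID mode the report asks for. Regenerating it with debian/rules.orig as the first file and debian/rules as the second would yield "+ chmod 4755 ...". The hunk header "@@ -13 +13 @@" also carries no context lines, so the change can only be placed by line number; a diff with context would apply more reliably if debian/rules has shifted. Separately, mode 4755 leaves the setuid binary executable by every local account. Since the test runs it as www-data, consider whether ownership and mode could limit execution to the web server's group.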