mod_auth_pam fallthrough always fails (because mod_auth_pam never returns PAM_USER_UNKNOWN)

Bug #2913 reported by Christian Reis
Affects Status Importance Assigned to Milestone
libapache-mod-auth-pam (Ubuntu)

Bug Description

At Async we use mod_auth_pam with fallthrough. The configuration looks like this:

    <Directory "/mondo/htdocs/async/wa/teia">
        AuthPAM_FallThrough on
        AuthUserFile /mondo/htdocs/async/clients/teia/.htpasswd
        Order Deny,Allow
        Deny from all
        Allow from
        AuthName "Teia secure area"
        AuthType Basic
        Require valid-user
        Satisfy Any

In other words, we want to:

  - Allow connections from
  - Use PAM authentication for other hosts
  - Failing that, use regular mod_auth for anything else

In the default Ubuntu and Debian configurations, this doesn't work.

Revision history for this message
Christian Reis (kiko) wrote :

The reason this fails is because our configuration of PAM makes mod_auth_pam never return DECLINED. The reason is that pam_authenticate() seems to never return PAM_USER_UNKNOWN. IIRC it always returns PAM_AUTH_ERR, and this email seems to confirm it:

The reply to that email, at

seems to indicate it's a bug in the pam configuration. I'm not so sure it is, but if it is, it's broken in Debian and Ubuntu because I never changed anything in /etc/pam.d/.

Changed in libapache-mod-auth-pam:
assignee: nobody → motu
Revision history for this message
Christian Reis (kiko) wrote :

The following patch works around the issue:

kiko@anthem:/mondo/src/APACHE/mod_auth_pam-1.1.1$ diff -u mod_auth_pam.c-orig mod_auth_pam.c
--- mod_auth_pam.c-orig 2004-08-27 15:22:01.000000000 -0300
+++ mod_auth_pam.c 2004-08-27 15:31:57.000000000 -0300
@@ -370,7 +370,7 @@
   if((res = pam_authenticate(pamh, PAM_DISALLOW_NULL_AUTHTOK)) !=
      PAM_SUCCESS ) {
     ap_log_reason((char*)compat_pam_strerror(pamh, res), r->uri, r);
- if(conf->fall_through && (res == PAM_USER_UNKNOWN)) {
+ if(conf->fall_through) {
       /* we don't know about the user, but other auth modules might do */
       pam_end(pamh, PAM_SUCCESS);
       return DECLINED;

I say works around because we really should only fall through if the user is unknown; it does work, though.

Revision history for this message
Christian Reis (kiko) wrote : Workaround patch

Oh, silly me, we mangle attachments. I'm reattaching a diff.

At any rate, the error message you get when failing is also pretty mangled -- there's a description of the problem and a patch at

Changed in libapache-mod-auth-pam:
status: New → Accepted
Revision history for this message
Jeoff (jeoffwilks) wrote :

I encountered this same problem, so for those just searching for the workaround, I found the solution buried in the README file for the package libapache-mod-auth-pam 1.1.1-7.1 package.

The short answer is, mod_auth is handling your "require" statements *before* mod_auth_pam, so you have to tell it to give other modules a chance by setting "AuthAuthoritative Off".

The mod_auth_pam documentation says to use "AuthPAM_FallThrough on" to allow other modules a chance to provide authentication info. That only works if mod_auth_pam is handling requests *before* mod_auth.

Revision history for this message
Steve Kowalik (stevenk) wrote :

I can see there is nothing for ubuntu-universe-sponsors to upload, so I am ubsubscribing them from this bug.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.