kees | uuuuh, my apache's BasicAuth directives just all failed open. Cool update. | 03:41 |
amurray | kees: eeek... I just got back from a week of leave so am playing catchup - what update are you referring to (or do you have an inkling what you just updated that could have caused this?) | 04:22 |
kees | amurray: I haven't managed to bisect updates yet, but I assume apache updates. (there have been 3 in a week or so.) I just noticed all my sasl-backed basicauth isn't requiring any auth. | 04:40 |
kees | I shut down my server until I'm back home to figure out what's happening | 04:40 |
amurray | kees: what Ubuntu release(s)? | 04:43 |
amurray | kees: I can't reproduce on focal - will try other releases too though | 05:41 |
kees | amurray: I'm on bionic. this poor server is on bionic. I'm trying stuff now... | 05:57 |
amurray | ok no worries - I'm trying to reproduce there as well now too | 05:59 |
kees | welp, still broken in 2.4.29-1ubuntu4.16 so I'm going to assume something broke something else... | 06:04 |
kees | I'll keep digging. | 06:04 |
kees | I've just never seen BasicAuth fail _open_ before. | 06:05 |
amurray | yep... it doesn't get much face-palmier (is that even a word) than that.. | 06:06 |
amurray | I can't reproduce on bionic either - my test is basically: https://pastebin.ubuntu.com/p/j7nTjsnJNp/ | 06:11 |
amurray | and then some more tests of the actual auth - all fail until I use the correct password - https://pastebin.ubuntu.com/p/6Xq4Bn2sBm/ | 06:12 |
kees | hah. I'm not encouraged by seeing the most recent build of libapache2-mod-authn-sasl installed on my system: | 06:25 |
kees | libapache2-mod-authn-sasl (1.2-2build1) trusty; urgency=medium | 06:26 |
kees | * No-op rebuild to resync with Apache 2.4. | 06:26 |
kees | -- Kees Cook <kees@ubuntu.com> Thu, 04 Dec 2014 23:11:42 -0800 | 06:26 |
kees | which is not in the archive. ;) | 06:26 |
kees | how am I still the only person on the planet using apache sasl auth? don't other people want to authenticate apache things against PAM? | 06:44 |
kees | hm, but it's not exclusively sasl auth | 06:59 |
amurray | ah SASL.. sorry I missed that bit earlier... was just testing normal basic auth.. | 06:59 |
kees | amurray: so, file is broken for me too. what's the config you used? | 07:06 |
kees | I'm really puzzled | 07:06 |
amurray | I did a very simple test - https://pastebin.ubuntu.com/p/j7nTjsnJNp/ - based off of the upstream docs - https://cwiki.apache.org/confluence/display/HTTPD/PasswordBasicAuth | 07:08 |
amurray | kees: I gotta run soon but will check scrollback later - let me know if you find any more clues, otherwise I'll keep investigating tomorrow (unless someone else gets there before me) | 07:10 |
kees | amurray: thanks! I assume this is a problem of my own making, but I've not touched this machine except for updates. so I'm puzzled. | 07:12 |
kees | weirdly, this prompts: https://www.outflux.net/osu/devops/secret but this doesn't: https://www.outflux.net/cacti/ | 07:12 |
kees | I'll continue to narrow | 07:12 |
amurray | kees: ok but I would still like to understand it myself so if you figure it out, let me know :) | 07:13 |
kees | amurray: new progress, no less confusing, all the auth directives I have in <Directory> are ignored, but work in <Location>. Your examples use <Directory> though... | 07:36 |
kees | I feel like I'm going crazy. I'm slowly removing various conflicts (I had a mix of old and new style authnz configs). I've converted everything to "Require ..." syntax -- still broken. | 08:56 |
kees | but it's got to be something I broke because reverting apache all the way back to 2.4.29-1ubuntu4 doesn't fix it. | 08:56 |
kees | amurray: finally found it. | 09:42 |
kees | My own foot-gun, I think I made this change and maybe never restarted apache. :P | 09:42 |
kees | # Disable CONNECT since it makes it look like mod_proxy is enabled. | 09:42 |
kees | <Location /> | 09:42 |
kees |     <Limit CONNECT> | 09:42 |
kees |         Require all denied | 09:42 |
kees |     </Limit> | 09:42 |
kees | </Location> | 09:42 |
kees | this was in my conf-enabled/security.conf and did NOT have the expected results. | 09:43 |
kees | apologies for the alarm, and thank you for checking. I really felt like I was losing my mind :P | 10:01 |
amurray | hehe am glad you got to the bottom of it kees | 23:01 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!