[03:41] uuuuh, my apache's BasicAuth directives just all failed open. Cool update.
[04:22] kees: eeek... I just got back from a week of leave so am playing catchup - what update are you referring to (or do you have an inkling what you just updated that could have caused this?)
[04:40] amurray: I haven't managed to bisect updates yet, but I assume apache updates. (there have been 3 in a week or so.) I just noticed all my sasl-backed basicauth isn't requiring any auth.
[04:40] I shut down my server until I'm back home to figure out what's happening
[04:43] kees: what Ubuntu release(s)?
[05:41] kees: I can't reproduce on focal - will try other releases too though
[05:57] amurray: I'm on bionic. this poor server is on bionic. I'm trying stuff now...
[05:59] ok no worries - I'm trying to reproduce there as well now too
[06:04] welp, still broken in 2.4.29-1ubuntu4.16 so I'm going to assume something broke something else...
[06:04] I'll keep digging.
[06:05] I've just never seen BasicAuth fail _open_ before.
[06:06] yep... it doesn't get much face-palmier (is that even a word) than that..
[06:11] I can't reproduce on bionic either - my test is basically: https://pastebin.ubuntu.com/p/j7nTjsnJNp/
[06:12] and then some more tests of the actual auth - all fail until I use the correct password - https://pastebin.ubuntu.com/p/6Xq4Bn2sBm/
[06:25] hah. I'm not encouraged by seeing the most recent build of libapache2-mod-authn-sasl installed on my system:
[06:26] libapache2-mod-authn-sasl (1.2-2build1) trusty; urgency=medium
[06:26] * No-op rebuild to resync with Apache 2.4.
[06:26] -- Kees Cook Thu, 04 Dec 2014 23:11:42 -0800
[06:26] which is not in the archive. ;)
[06:44] how am I still the only person on the planet using apache sasl auth? don't other people want to authenticate apache things against PAM?
[06:59] hm, but it's not exclusively sasl auth
[06:59] ah SASL.. sorry I missed that bit earlier... was just testing normal basic auth..
[07:06] amurray: so, file is broken for me too. what's the config you used?
[07:06] I'm really puzzled
[07:08] I did a very simple test - https://pastebin.ubuntu.com/p/j7nTjsnJNp/ - based off of the upstream docs - https://cwiki.apache.org/confluence/display/HTTPD/PasswordBasicAuth
[07:10] kees: I gotta run soon but will check scrollback later - let me know if you find any more clues, otherwise I'll keep investigating tomorrow (unless someone else gets there before me)
[07:12] amurray: thanks! I assume this is a problem of my own making, but I've not touched this machine except for updates. so I'm puzzled.
[07:12] weirdly, this prompts: https://www.outflux.net/osu/devops/secret but this doesn't: https://www.outflux.net/cacti/
[07:12] I'll continue to narrow
[07:13] kees: ok but I would still like to understand it myself so if you figure it out, let me know :)
[07:36] amurray: new progress, no less confusing, all the auth directives I have in are ignored, but work in . Your examples use though...
[08:56] I feel like I'm going crazy. I'm slowly removing various conflicts (I had a mix of old- and new-style authnz configs). I've converted everything to "Require ..." syntax -- still broken.
[08:56] but it's got to be something I broke because reverting apache all the way back to 2.4.29-1ubuntu4 doesn't fix it.
[09:42] amurray: finally found it.
[09:42] My own foot-gun, I think I made this change and maybe never restarted apache. :P
[09:42] # Disable CONNECT since it makes it look like mod_proxy is enabled.
[09:42]
[09:42]
[09:42] Require all denied
[09:42]
[09:42]
[09:43] this was in my conf-enabled/security.conf and did NOT have the expected results.
[10:01] apologies for the alarm, and thank you for checking. I really felt like I was losing my mind :P
[23:01] hehe am glad you got to the bottom of it kees