I needed to restrict access to my local development server after discovering Google had indexed a website still in development without being asked to index it. I can’t imagine how it knew about my site, unless it queried the DNS zone to discover all A records.
Anyway, I installed mod_auth_mysql using Yum and configured it to use AES encryption by adding the line
AuthMySQLPwEncryption aes
to my .htaccess file. The full config is:
AuthName "Authentication required"
AuthType Basic
AuthMySQLHost localhost
AuthMySQLDB ???????? characters are a must!
require valid-user
However, upon restarting Apache, I got the error: “mysql invalid encryption method aes”… mmm… this didn’t make sense, so I began googling around and checking the documentation, only to discover that the default RPM comes without AES encryption support.
To enable aes encryption I would have to compile from source, which is generally an easy task on Fedora. So do this:
- download the source rpm (mod_auth_mysql-3.0.0-12.fc14.src.rpm)
- install with rpm -ivh mod_auth_mysql-3.0.0-12.fc14.src.rpm
- change to SPECS directory (for me it’s /root/rpmbuild/SPECS)
- rpmbuild -bb mod_auth_mysql.spec
This should build the rpm but for me it failed, with “mod_auth_mysql.c:275:22: fatal error: my_aes.h: No such file or directory”. Mmm… quite surprising really, but even the documentation mentions this file may not be available by default. Never mind, just download the mysql source rpm (mysql-5.1.58-1.fc14.src.rpm in my case), install using rpm -ivh mysql-5.1.58-1.fc14.src.rpm, look in the rpmbuild/SOURCES directory for the mysql tarball, open it and copy my_aes.h from the include dir to /usr/include/mysql.
Now try the rebuild again; it might fail with “/usr/include/mysql/my_aes.h:20:22: fatal error: rijndael.h: No such file or directory”. Do the same as in the previous step, copying rijndael.h from the mysql tarball to /usr/include/mysql. Rebuild.
This should work but we’re not done, as AES encryption is still not enabled. To enable:
- Edit mod_auth_mysql.spec
- modify the build line:
  %{_sbindir}/apxs -I%{_includedir}/mysql -Wc,-Wall -Wc,-Werror -c %{name}.c -L%{_libdir}/mysql -lmysqlclient
  by adding the -DAES macro, as shown:
  %{_sbindir}/apxs -I%{_includedir}/mysql -Wc,-Wall -Wc,-Werror -DAES -c %{name}.c -L%{_libdir}/mysql -lmysqlclient
- Rebuild
This should fail again with:
In file included from /usr/include/mysql/my_config.h:14:0,
                 from /usr/include/mysql/my_global.h:84,
                 from mod_auth_mysql.c:267:
/usr/include/mysql/my_config_x86_64.h:1167:0: error: "PACKAGE_NAME" redefined
/usr/include/httpd/ap_config_auto.h:201:0: note: this is the location of the previous definition
/usr/include/mysql/my_config_x86_64.h:1170:0: error: "PACKAGE_STRING" redefined
/usr/include/httpd/ap_config_auto.h:204:0: note: this is the location of the previous definition
/usr/include/mysql/my_config_x86_64.h:1173:0: error: "PACKAGE_TARNAME" redefined
/usr/include/httpd/ap_config_auto.h:207:0: note: this is the location of the previous definition
/usr/include/mysql/my_config_x86_64.h:1179:0: error: "PACKAGE_VERSION" redefined
/usr/include/httpd/ap_config_auto.h:213:0: note: this is the location of the previous definition
apxs:Error: Command failed with rc=65536
Fix the above by:
- Go to the rpmbuild/SOURCES directory
- Unarchive mod_auth_mysql-3.0.0.tar.gz somewhere like /home/mod_auth_mysql-3.0.0
- Edit mod_auth_mysql.c
- Replace
#if _AES /* Only needed if AES encryption desired */
#include <my_global.h>
#endif
with
#if _AES /* Only needed if AES encryption desired */
#undef PACKAGE_NAME
#undef PACKAGE_STRING
#undef PACKAGE_TARNAME
#undef PACKAGE_VERSION
#include <my_global.h>
#endif
If all has gone well, the build will succeed and you will have new RPMs in rpmbuild/RPMS/x86_64. Re-install the new rpm using rpm -Uvh mod_auth_mysql-3.0.0-12.fc14.x86_64.rpm --force. Now you can restart Apache.
Starting httpd: httpd: Syntax error on line 209 of /etc/httpd/conf/httpd.conf: Syntax error on line 7 of /etc/httpd/conf.d/auth_mysql.conf: Cannot load /etc/httpd/modules/mod_auth_mysql.so into server: /etc/httpd/modules/mod_auth_mysql.so: undefined symbol: my_aes_encrypt
Very strange indeed. This means the mod_auth_mysql.so loaded by Apache does not know about the MySQL function my_aes_encrypt. This function is exported in the mysql library, and I have no idea why this is not working, other than perhaps the compile method is wrong, i.e. maybe the module should be built using static linking.
In any case, to fix do this:
- go to /etc/httpd/conf.d
- edit auth_mysql.conf
- insert the line LoadFile /usr/lib64/mysql/libmysqld.so before the line LoadModule mysql_auth_module modules/mod_auth_mysql.so
- restart Apache
This should do it. Apache should restart successfully, and your module should function using AES encryption. You can check for problems in the Apache error log. Make sure you encrypt the passwords in mysql using the same salt field you used in the configuration, i.e.
UPDATE [authtable] SET [password column] = AES_ENCRYPT('my password', 'salt') WHERE [username column] = 'someuser';
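What ends up in the password column can be reproduced outside MySQL, which shows two properties worth knowing before relying on this mode: the stored value decrypts back to the password for anyone holding the salt value, and equal passwords give equal ciphertexts. This is an added example, not from the original post; it assumes MySQL 5.1's AES_ENCRYPT behaviour (AES-128, ECB, key string XOR-folded into 16 bytes, PKCS#7 padding) and the openssl command-line tool, and the function names are hypothetical.

```shell
#!/bin/sh
# Added illustration, not from the post: reproduces HEX(AES_ENCRYPT(pw, key))
# with the openssl CLI. Sample values used with it are constructed.

# MySQL folds the key string into 16 bytes by XOR-ing byte i into slot i % 16.
mysql_aes_key() {
    n=0
    while [ "$n" -lt 16 ]; do eval "k$n=0"; n=$((n + 1)); done
    n=0
    for b in $(printf '%s' "$1" | od -An -v -tu1); do
        eval "k$n=\$(( k$n ^ b ))"
        n=$(( (n + 1) % 16 ))
    done
    n=0
    while [ "$n" -lt 16 ]; do eval "printf '%02x' \"\$k$n\""; n=$((n + 1)); done
}

# AES-128 in ECB mode with PKCS#7 padding, printed as uppercase hex.
mysql_aes_encrypt() {
    printf '%s' "$1" |
        openssl enc -aes-128-ecb -nosalt -K "$(mysql_aes_key "$2")" |
        od -An -v -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Turn a hex string back into raw bytes (portable stand-in for xxd -r -p).
unhex() {
    h=$1
    while [ -n "$h" ]; do
        printf '%b' "\\0$(printf '%o' "0x${h%"${h#??}"}")"
        h=${h#??}
    done
}

# The same key that encrypts also decrypts: the stored value is reversible.
mysql_aes_decrypt() {
    unhex "$1" | openssl enc -d -aes-128-ecb -nosalt -K "$(mysql_aes_key "$2")"
}

# Stand-alone use: sh script.sh 'my password' 'salt'
if [ "$#" -eq 2 ]; then mysql_aes_encrypt "$1" "$2"; echo; fi
```

Compare the script's output with SELECT HEX(AES_ENCRYPT('my password', 'salt')) to confirm that the row you stored matches what the module will compute.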
Good luck.