Hi. I have a strange bug with mod_auth_shadow.
I protect a vhost with mod_auth_shadow. It works most of the day, but at random times throughout the day, users' auth requests fail most of the time.
I have about 20 users accessing the protected path, but sometimes mod_auth_shadow will prompt and re-prompt for the user's password credentials. Sometimes a user is let right in after typing their username/password, they click through many pages without problems, then occasionally they get a 401 code from Apache and are re-prompted for the username/password again. Sometimes they re-enter the username/password and it works for a brief time, other times it keeps re-prompting 10 or 20 times before letting them in again.
Since a 401/Auth method does not store any values in a cookie or anything, and since the already authenticated username/password is sent by the browser on every request to that page, that means sometimes mod_auth_shadow is failing to authenticate the user at random times for no apparent reason.
For example, I run a test:
#!/usr/bin/perl
for ($i=0; $i<=2000; $i++) {
print "$i\n";
system("GET -C jontest:jontest https://myhost/ | grep 401");
}
Sometimes during the day, this script runs without ever seeing a 401 page. Other times, it gives a 401 page about 50% to 80% of the time. Yes, with the same username/password sent to the webserver, mod_auth_shadow may fail sometimes and succeed other times. During the problem times, there is no apparent issue with the machine, such as heavy load, low memory, and no one is changing the /etc/shadow file.
The problem times are very random, like the issue occurred at 5am-8am today and at 2pm-5pm yesterday, but was fine all other times.
Here is the .htaccess file protecting that docroot:
<Limit GET POST PUT>
AuthName myhost
AuthShadow on
AuthType Basic
require valid-user
</Limit>
The Apache version is Apache/2.0.53 32-bit on CentOS 4.3.
The compiled validate program seems to work fine, even during the trouble times. For example, it gives a consistent answer to my command-line password requests 100% of the time:
> echo "jontest\njontest" | /usr/local/sbin/validate && echo OK
OK
> echo "jontest\nbadpassword" | /usr/local/sbin/validate && echo OK
/usr/local/sbin/validate: User jontest: authentication failure
Any thoughts on what could be happening with mod_auth_shadow? Could the code within mod_auth_shadow have some kind of race condition which causes a problem at certain times or under certain conditions?
One thing I forgot to mention. This is mod_auth_shadow version 2.2.
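Added example, not part of the original report: one way to confirm from the Apache access log that the same credentials are being both accepted and rejected within the same hour, which is the symptom described above. It assumes the common log format; the sample lines, dates, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (common log format), not taken from the report.
SAMPLE_LOG = """\
192.0.2.10 - jontest [10/Jul/2006:04:58:01 -0400] "GET / HTTP/1.1" 200 5120
192.0.2.10 - jontest [10/Jul/2006:05:02:11 -0400] "GET / HTTP/1.1" 401 480
192.0.2.10 - jontest [10/Jul/2006:05:02:12 -0400] "GET / HTTP/1.1" 401 480
192.0.2.10 - jontest [10/Jul/2006:05:02:14 -0400] "GET / HTTP/1.1" 200 5120
192.0.2.10 - jontest [10/Jul/2006:05:40:00 -0400] "GET /a HTTP/1.1" 401 480
192.0.2.11 - - [10/Jul/2006:05:41:00 -0400] "GET / HTTP/1.1" 401 480
192.0.2.10 - jontest [10/Jul/2006:09:15:00 -0400] "GET / HTTP/1.1" 200 5120
192.0.2.10 - jontest [10/Jul/2006:09:16:00 -0400] "GET /b HTTP/1.1" 200 900
192.0.2.12 - otheruser [10/Jul/2006:09:17:00 -0400] "GET / HTTP/1.1" 401 480
"""

LINE_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+')

def hourly_auth_results(log_text, user):
    """Return {hour: (accepted, denied)} for requests that carried `user`.

    A 401 logged with user "-" is only the initial challenge (no credentials
    sent) and is skipped; a 401 logged with a user name means credentials
    were sent and rejected.
    """
    buckets = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("user") != user:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hour = ts.strftime("%Y-%m-%d %H:00")
        status = m.group("status")
        if status == "401":
            buckets[hour][1] += 1
        elif status[0] in "23":
            buckets[hour][0] += 1
    return {h: tuple(c) for h, c in sorted(buckets.items())}

def flapping_hours(stats, min_denied=2):
    """Hours in which the same user was both accepted and rejected."""
    return [h for h, (ok, denied) in stats.items()
            if ok > 0 and denied >= min_denied]

if __name__ == "__main__":
    stats = hourly_auth_results(SAMPLE_LOG, "jontest")
    for hour, (ok, denied) in stats.items():
        print(f"{hour}  accepted={ok}  denied={denied}")
    print("flapping:", flapping_hours(stats))
```

Hours reported as flapping can then be compared against system logs for the same window.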