May 25, 2006...8:55 am

Password protecting MediaWiki with mod_auth_mysql

MediaWiki is the powerful software on which Wikipedia and many other sites are built. It does not, however, come with the option to password protect pages from being viewed. (It can password protect pages from being edited.)

If you need to setup a private, members-only wiki for internal use, here is how you can do it with MediaWiki software and the Apache server extension mod_auth_mysql:

1. Install MediaWiki as usual. Create a user account for yourself.

2. Add the following line to your LocalSettings.php file, located in the root of your MediaWiki installation. This will cause MediaWiki to use a simple MD5 hash for user passwords in the database, instead of the more complicated “salted hash hash” that it normally uses.

$wgPasswordSalt = false;

3. Activate mod_auth_mysql in Apache. This is usually done with a LoadModule line in your Apache configuration file (httpd.conf), provided the module is available. (If not, you may need to compile or download the module.)

LoadModule mysql_auth_module libexec/apache2/mod_auth_mysql.so

4. Create a new MySQL user that has SELECT access to the “user_name” and “user_password” fields in the “user” table of your MediaWiki installation. Apache will use this MySQL user for connecting to the MediaWiki database.

5. Configure mod_auth_mysql to use the MediaWiki user table for authentication by placing the follow directives in your Apache configuration file:



AuthName “This wiki is password protected (make sure the first letter of the username is Uppercase)”
AuthType Basic
require valid-user
AuthMySQLEnable On
AuthMySQLHost localhost
AuthMySQLUser unprivilegeduser
AuthMySQLPassword thesecretpassword
AuthMySQLDB mediawikidatabase
AuthMySQLUserTable user
AuthMySQLNameField user_name
AuthMySQLPasswordField user_password
AuthMySQLPwEncryption md5
AuthMySQLAuthoritative On

6. Restart Apache.

Your installation of MediaWiki should now be password-protected, but your username and password will let you in. This protects the entire wiki; no one will even know that MediaWiki is present until they login. To give other people access, you can either create user accounts for them, or you can create a guest account that they can use until they sign themselves up.

P.S. Thanks to Gary Thornock for helping me with the details of installing mod_auth_mysql on FreeBSD.

UPDATE (2008-09-11):
The latest version of MediaWiki (version 1.13) uses a new password format which is incompatible with mod_auth_mysql. It prepends “:A:” to each MD5 hash. Here is a workaround:

1. Create a MySQL view that mirrors the username and password, minus the prefix:
CREATE VIEW user_view AS SELECT user_id, user_name, substring_index(user_password, ':', -1) AS user_password FROM user;
2. Configure mod_auth_mysql to use user_view instead of user as the lookup table.

If you want to be notified the next time I write something, sign up for email alerts or subscribe to the RSS feed. Thanks for reading.

27 Comments

Filed under Main, MediaWiki, MySQL, PHP, Tech

27 Comments

  • Gary Thornock's Weblog » MediaWiki and mod_auth_mysql
    May 25, 2006 at 10:49 am
    [...] Richard Miller has a post explaining how to set up a private instance of MediaWiki using mod_auth_mysql. I've toyed a little with the idea of setting up a private wiki for family members, and this looks like exactly the way to do it. MediaWiki, mod auth mysql, Open Source   [...]
  • The Lone Sysadmin » links for 2006-06-01
    June 1, 2006 at 12:21 am
    [...] Richard K Miller dot coooooooooom » Password protecting MediaWiki with mod_auth_mysql (tags: wiki password sysadmin) You can also bookmark this on del.icio.us or check the cosmos [...]
  • scragz
    June 21, 2006 at 12:49 am
    My install on CentOS required the following changes:

    AuthName "This wiki is password protected (make sure the first letter of the username is Uppercase)"
    AuthType Basic
    require valid-user
    ##AuthMySQLEnable On # this directive didn't exist
    AuthMySQLHost localhost
    AuthMySQLUser imotion_wiki
    AuthMySQLPassword 400z13
    AuthMySQLDB imotion_wiki
    AuthMySQLUserTable user
    AuthMySQLNameField user_name
    AuthMySQLPasswordField user_password
    ##AuthMySQLPwEncryption md5
    AuthMySQLMD5Passwords On # had to add this instead of the above
    AuthMySQLAuthoritative On

  • scragz
    June 21, 2006 at 1:00 am
    Also, if you already have users setup, you need to change their passwords after you do the “$wgPasswordSalt = false;” bit. I only had two users who I knew the passwords for, so I just retyped them into phpMyAdmin and put the MD5 function on.
  • Richard K. Miller
    June 21, 2006 at 1:11 am
    scragz: Thanks for your comments. I’m glad to know what happened when you had existing customers.
  • Greg
    October 7, 2006 at 10:50 am
    This is VERY useful thank you!
    Any ideas on how to password protect only SOME wikimedia pages and not the ENTIRE thing?
    Alternatively can you run multiple wikimedia instances on one system and password protect only one of them?
  • Richard K. Miller
    October 7, 2006 at 5:20 pm
    Greg, I don’t know of any way to protect only some of the pages with this method, but you could definitely install multiple instances of MediaWiki and protect one but not another.
  • leo
    December 29, 2006 at 8:43 am
    Thanks for this article! I have just installed the wiki with mod_auth_sql as described above. But I have just one more question. Is it correct that I have to login twice? After the apache login I am an anonymous user in the context of the wiki. So I have to login again that the wiki knows who I am? Is that right?
  • Richard K Miller
    December 29, 2006 at 11:27 am
    Hi leo, you are correct about having to login twice. In theory you could get MediaWiki to recognize that you’re already logged in to Apache, but I haven’t ventured there!
  • Dawa
    February 2, 2007 at 10:47 pm
    though i have installed mediawiki on my webserver in my LAN. Since i’m new to all the apahce, mysql and wiki. So could you please tell me how do i manually install apache module called “mod_auth_mysql-3.00.tar.gz” that i have downloaded for installing “LoadModule mysql_auth_module libexec/apache2/mod_auth_mysql.so”

    thanks a lot in advance.

  • Richard K Miller
    February 5, 2007 at 9:26 am
    @Dawa
    You’ll need to uncompress the .tar.gz file with tar -xzf. If it produces an .so file then you can place it with the others .so files and then include it in your Apache configuration file. If it produces source, then you’ll need to compile it with “sudo make install”.
  • Robert Matthews
    March 14, 2007 at 9:12 pm
    Richard…

    Very cool. First thing I looked for when trying to password protect a wiki at home. Very well done. And to think you are another Utah County-ite, mac lover and fellow member.

    -Robert

  • Richard K Miller
    March 14, 2007 at 11:39 pm
    @Robert

    Thanks for stopping by! I’m glad you found the post. Gary Thornock was the other Utahn that helped craft this solution.

  • Noah Blumenfeld
    March 21, 2007 at 9:00 am
    Just wanted to say that this’s very useful :) I’ve used the mysql module to password protect other pages. Just wanted to add something to keep in mind.

    Since mod_auth_mysql is being used with apache in basic authentication mode, as with any other basic apache auth scheme, it will request your username/password every time you goto the page. Most modern browsers cache username/password for that reason.

    So keep in mind that if you use this method (as opposed to php sessions or so), if the page is not closed (and/or cache is not purged, depending on browser) - the browser will let anybody else access that page as long as the username/password are in the cache.

    So if you are using your wiki from a public access computer, keep that in mind. :)

    I’m currently building a mission critical system and had to work around this problem.

  • Tecteun
    April 6, 2007 at 8:24 am
    I got a lot of nullpointer errors in my /var/log/httpd/error_log, i fixed it by changing the order of Auth parameters :

    AuthName “This wiki is password protected (make sure the first letter \
    of the username is Uppercase)”
    AuthGroupFile /dev/null
    AuthUserFile /dev/null
    AuthMySQLEnable On
    AuthMySQLHost localhost
    AuthMySQLUser wikiuser
    AuthMySQLPassword wikipassword
    AuthMySQLDB wunderwikidb
    AuthMySQLUserTable user
    #AuthMySQLUserCondition “users.status = 1″
    AuthMySQLNameField user_name
    AuthMySQLPasswordField user_password
    AuthMySQLNoPasswd Off
    AuthMySQLPwEncryption md5
    AuthMySQLAuthoritative On
    require valid-user

    Now its working :)
    hope someone can use this info

  • Tecteun
    April 6, 2007 at 8:28 am
    this was the specific error i got:
    [Fri Apr 06 12:33:18 2007] [error] [client 192.168.1.52]
    (9)Bad file descriptor: Could not open password file: (null)

    (sorry, this should be in my previous post, if there was an edit option)

  • NetMusician Labs » Blog Archive » Password protect your Mediawiki wikis
    May 18, 2007 at 8:58 am
    [...] found the following guide explaining how Mediawiki wikis can be password protected with basic http/htaccess authentication. [...]
  • Rob Velseboer
    May 24, 2007 at 2:50 am
    Actually, you can protect Mediawiki against both reading and writing by anonymous users. Put these lines in your LocalSettings.php file to do so:

    $wgGroupPermissions['*']['edit'] = false;
    $wgGroupPermissions['*']['read'] = false;

    Now, anonymous users cannot read any pages, except for the ones you explicitly whitelist, like this:

    $wgWhitelistRead = array( “Special:Userlogin”, “-”, “MediaWiki:Monobook.css”, “Main_Page” );

    That line is probably already in your LocalSettings.php, just add pages you want anonymous users to see.
    If you don’t even want them to see your wiki front page, remove “Main_Page” from this list.
    Visitors will now be asked to log in immediately, even before they get to see your front page.

    Unfortunately, by default Mediawiki lets users create their own accounts and this would mean that anonymous visitors can just create an account and have all the privileges you didn’t want them to have.
    Protect your wiki against account creation by adding this line to LocalSettings.php:

    $wgGroupPermissions['*']['createaccount'] = false;

    Be aware that now legitimate new users cannot create their own accounts either, (but that problem also existed with the mod_auth_mysql approach).

    There is a way for wiki admin users to create new accounts though:

    * Go to the Special:Userlogin page (after loging in as an admin)
    * Click “Create an account”
    * Fill in the form, uncheck the box “Remember my login on this computer”
    * Click “by e-mail”

    The new user gets an e-mail with a generated password (I found out the password I typed in the form was discarded)
    After logging in for the first time, the new user is asked to choose a new password.

    Hope this is useful for people who don’t have access to the Apache configuration on their site, and also for people who are annoyed by having to log in twice.

  • Nathan
    February 19, 2008 at 1:40 pm
    I was getting the same ” Could not open password file: (null)” error from Richard’s example. I tried the format that Tecteun suggests, but that didn’t work either. I did some googling and found this - https://secure-support.novell.com/KanisaPlatform/Publishing/652/3810088_f.SAL_Public.html
    Which says that it’s an issue of basic auth, and suggests adding the line “AuthBasicAuthoritative Off” so I added that to Richard’s example and that made things go. I hope that is of benefit to others.

    It may benefit others to mention the version used. FreeBSD 6.3, Mediawiki 1.11.1, apache-2.2.8, mod_auth_mysql_another-3.0.0_2 (from the ports collection).

    This configuration documentation for mod_auth_mysql might also help people : http://modauthmysql.sourceforge.net/CONFIGURE

  • nformation » Securing Mediawiki
    February 19, 2008 at 2:32 pm
    [...] generally followed Richard K Miller’s guide. I had to overcome a couple obstacles, but now it’s up and running. I think that’s way [...]
  • » What goes around, comes around Richard K Miller
    February 20, 2008 at 11:57 pm
    [...] but this week I experienced some karma-like effects. Two years ago for work, I developed code to protect wiki websites. Then I published it on my [...]
  • Richard K Miller
    February 21, 2008 at 8:07 am
    Nathan: Thank you for your comment. I had just upgraded to Apache 2.2 (also running FreeBSD 6.2, MediaWiki 1.11, and mod_auth_mysql_another-3.0.0) so your insight was just what I needed.
  • Phil Ilten
    March 4, 2008 at 4:59 pm
    Just a note, using the “Basic” type of authentication transmits all passwords as plaintext and makes this method of securing easily compromised using packet sniffing. I suggest that if you want to use this method that you secure your wiki using SSL so that all info from login and the wiki is encrypted and cannot be sniffed.
  • Michael
    March 11, 2008 at 5:10 pm
    Quote-
    You’ll need to uncompress the .tar.gz file with tar -xzf. If it produces an .so file then you can place it with the others .so files and then include it in your Apache configuration file. If it produces source, then you’ll need to compile it with “sudo make install”.

    I’m a giant among midgets at my job, where I’ve been setting up an intranet (WinXP, Apache 2+PHP, MediaWiki, MySql, FreeBSD).

    Unfortunately, I’ve been having trouble extending Apache by installing modules like mod_auth_mysql, mod_dav, etc. I don’t know how to uncompress a tar.gz with -xsf under windows. Is there an application that does this? I don’t know how to get/make .so plug in files.

  • Péter
    March 28, 2008 at 5:47 am
    Rob - thanks for the advice! I don’t have access to the apache configuration on my server, so it was much simpler to just hide the content from anonymous users. Works great.
  • Gregg
    October 14, 2008 at 7:52 am
    Thanks for this posting. I set this up a few years back using MediaWiki version 1.7 at the time. I had a need for the same setup at a new job and ran into a road block which looked like :A: before each password. This post saved me time fiddling for a work around. Works great on Debian Etch with latest MediaWiki release.
  • Paul
    November 21, 2008 at 11:49 am
    @Rob Velseboer
    Your instructions for modifying LocalSettings.php to hide pages, require login, etc were PERFECT. I didn’t have to go modifying my db, apache which made it so much easier.
    One thing to note is that the line that contains your $wgWhitelistRead in your example has “smart quotes” and if you copy/paste it into your LocalSettings.php, PHP will die. Just change them to normal quotes and you’ll be fine.

Leave a Reply