forked from phokz/mod-auth-external
Links
Micah Andersen edited this page Dec 1, 2017 · 1 revision
Here are some relevant links. See also the list of available external authenticators:
- Apache HTTP Server. Can't run mod_auth_anything without it.
- pwauth external authenticator. Used with mod_auth*_external for authenticating out of a unix password database or via PAM.
- mod_auth_shadow, by Bruce Duggan, appears to be a re-implementation of the same basic concept for authenticating out of a shadow password file. I haven't checked it out enough to decide if it has any advantages over using pwauth with mod_auth_external. On first inspection it appears to be slightly less portable and paranoid.
- mod_auth_pipe is Alvaro Gamez Machado's development from mod_auth_shadow, allowing it to run arbitrary authenticators. The result ends up doing pretty much the same thing as 'mod_auth_external'.
- mod_auth_script looks like it can be used to perform similar functions to mod_auth_external. It runs the authenticator by generating a sub-request to a CGI program. I haven't analyzed this approach, but it has obvious advantages in that the authenticator programs are just normal CGIs.
- Modification of mod-auth-external to enable authentication caching. This is a branch of mod_authnz_external 3.2.5 modified to do authentication caching in the module. It caches the username and IP address only, so until the timeout, further requests with the same IP address and username will be automatically accepted without running the external authenticator. I find it worrisome that those authentication requests will be accepted even if the password is not the same. At least that has the upside of not creating a less secure replica of your password database like mod_authn_socache sometimes does, but I can't say I'm very happy about it. Note also that the cache is not in shared memory, so that each Apache process maintains its own cache, though it would still give a substantial performance boost. I'm inclined to think mod_authn_socache will be a better solution, when available, but I'm not entirely happy with either.
- PAM. Portable Authentication Modules are libraries that have a common interface and can be linked to a program to do authentication out of different databases. Linux, FreeBSD and Solaris support PAM. OpenBSD does not.
  If you want to authenticate from a PAM module, but the user your httpd runs as does not have the necessary access, then the pwauth external authenticator can be run from mod_auth*_external to do the PAM authentication.
  The list of PAM modules includes authenticators for Kerberos, radius, unix password or shadow files, SMB, various SQL databases, and just about anything else imaginable.
- mod_auth_pam. If you want to use a PAM module to authenticate, and whatever user Apache runs as has the necessary access to do the check, then you don't need an external authenticator, and you should probably use this module instead of mod_auth*_external and pwauth. There is such a thing as mod_auth_pam2, which is supposed to work with Apache2.
- mod_auth_any. This seems to be similar in function to mod_auth*_external. It seems very sparsely documented at this stage, but from looking at the source code it seems to pass the login/password to the external authenticator on the command line, which doesn't seem very secure since they'd be trivially visible to anyone doing a 'ps'.
- Apache Module Registry. A good place to find Apache modules.
- checkpassword-imap. An IMAP authenticator written in Python for mod_auth_external that caches credentials for faster performance and so that you don't run up against rate limits on the IMAP server.
- BlueQuartz Authentication Script seems to be an external authentication script for PAM written in Perl, similar to pwauth. Seems to have some good security features, but I wasn't able to figure out how to get the source code.
- Jonathan Weiss's blog entry describing how to install mod_authnz_external and pwauth on FreeBSD. Might be a useful reference.
- Gatis Špats describes using mod_auth_external 2.2 to authenticate from a MS SQL 2000 server and gives source code for a Javascript authenticator on HowToForge. The installation instructions are a bit obsolete, but the Java authenticator would likely work as well as ever.
- Someone posted mod_authnz_external and pwauth installation instructions on the Gentoo Wiki. This includes an incorrect statement that there is a bug in pwauth which can be fixed by changing a getuid() call to a geteuid() call. Making that change actually disables one of pwauth's security features and should not be done.
- Instructions on Moin with WSGI Apache HTTPAuth: how to set up the MoinMoin Wiki Engine with mod_authnz_external, including a sample authenticator written in Ruby.
- Notes on configuring authnz_external and pwauth which looks like it might be for Redhat Linux.