Posted to dev@httpd.apache.org by Daniel Kahn Gillmor <dk...@fifthhorseman.net> on 2014/02/17 22:09:35 UTC
how to use authn_provider for password-less authentication within a module ?
Hi, I'm trying to revive mod_gnutls and bring it up to date with current
apache module practices, and I'd like to use apache 2.4's mod_auth
framework for user authentication via client-side certificates. I'm
limiting the scope of this question to authentication because I do not
have a good use case for mod_gnutls for authorization at this point.
It seems like mod_gnutls should use:
ap_register_auth_provider(p, AUTHN_PROVIDER_GROUP, …)
but it's not clear how it should be done.
In particular, the authn_provider struct doesn't seem well-suited to
non-password-based authentication mechanisms. Should I avoid that part
of the framework altogether, not call ap_register_auth_provider at all,
and just manually set r->user via ap_hook_check_authn(), or should I be
thinking about this a different way?
Looking at the codebase, it looks to me like the authn_provider makes
some basic assumptions that an authentication provider will verify a
username and a password against some source. This doesn't make sense in
the context of client-certificate-based authentication. There are other
contexts in which a module could provide authentication (verifying a
given identity, or associating an identity with a given request) without
doing the sort of password authentication that the authn_provider struct
seems to assume.
include/mod_auth.h has:
------------------
typedef enum {
    AUTH_DENIED,
    AUTH_GRANTED,
    AUTH_USER_FOUND,
    AUTH_USER_NOT_FOUND,
    AUTH_GENERAL_ERROR
} authn_status;

/* [...] */

typedef struct {
    /* Given a username and password, expected to return AUTH_GRANTED
     * if we can validate this user/password combination.
     */
    authn_status (*check_password)(request_rec *r, const char *user,
                                   const char *password);

    /* Given a user and realm, expected to return AUTH_USER_FOUND if we
     * can find a md5 hash of 'user:realm:password'
     */
    authn_status (*get_realm_hash)(request_rec *r, const char *user,
                                   const char *realm, char **rethash);
} authn_provider;
------------------
Any recommendations for how to best think about password-less
AUTHN_PROVIDER_GROUPs, or pointers to documentation that should clear it
up would be welcome.
Regards,
--dkg
Re: how to use authn_provider for password-less authentication within a module ?
Posted by Eric Covener <co...@gmail.com>.
> In particular, the authn_provider struct doesn't seem well-suited to
> non-password-based authentication mechanisms. Should I avoid that part
> of the framework altogether, not call ap_register_auth_provider at all,
> and just manually set r->user via ap_hook_check_authn(), or should I be
> thinking about this a different way?
>
That is the conclusion I came to for a similar mod. I use an
alternate proprietary SSL module and do not like fakebasic or
SSLUsername:
https://github.com/covener/apache-modules/blob/master/mod_authn_cert.c
This relies on ssl_var_lookup via the expression parser. Hopefully
mod_gnutls implements these ssl optional functions.
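The two messages above settle on the same shape: skip the password-oriented authn_provider, register a check_authn hook, and set r->user yourself from what the TLS layer exposes through ssl_var_lookup. What neither message spells out is the decision that handler has to make before it is safe to set r->user. The following is an added example written for this page; it is not code from the thread, from mod_gnutls, or from Eric's mod_authn_cert. It compiles stand-alone: the small name/value table and tls_lookup() stand in for the ssl_var_lookup optional function (the variable names SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN_CN are mod_ssl's; the real function returns an empty string rather than NULL for an absent variable, and the code accepts both). The AuthType name "Certificate" and the choice of the subject CN as the identity are assumptions for illustration, not something the thread prescribes.

```c
/*
 * Added example, not from the thread or from any httpd module: the
 * decision a password-less check_authn handler makes before setting
 * r->user from a client certificate.  The variable table below is a
 * constructed stand-in for mod_ssl's ssl_var_lookup optional function.
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Outcome of the check, mirroring what the hook would return to httpd:
 * not our AuthType (let another module handle it), identity established
 * (r->user may be set), or no trustworthy identity (deny). */
typedef enum {
    CERT_AUTHN_DECLINED,
    CERT_AUTHN_OK,
    CERT_AUTHN_DENIED
} cert_authn_result;

/* Constructed per-request TLS variable table (stand-in for ssl_var_lookup). */
typedef struct {
    const char *name;
    const char *value;
} tls_var;

typedef struct {
    const tls_var *vars;
    size_t count;
} tls_vars;

/* Stand-in for ssl_var_lookup(): NULL when the variable is absent.  The
 * real function hands back "" instead; the caller below accepts either. */
static const char *tls_lookup(const tls_vars *t, const char *name)
{
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->vars[i].name, name) == 0)
            return t->vars[i].value;
    return NULL;
}

/*
 * auth_type is what ap_auth_type(r) would return for the location;
 * "Certificate" is an assumed name for the AuthType this module claims.
 * On CERT_AUTHN_OK, user_out holds the identity to copy into r->user.
 */
cert_authn_result cert_authn_decide(const tls_vars *t, const char *auth_type,
                                    char *user_out, size_t user_len)
{
    const char *verify, *cn;

    /* Gate on AuthType first, otherwise this hook would hijack locations
     * that are meant to be authenticated by some other module. */
    if (auth_type == NULL || strcasecmp(auth_type, "Certificate") != 0)
        return CERT_AUTHN_DECLINED;

    /* Only a chain the TLS layer actually verified is a source of identity.
     * NONE (no cert), GENEROUS (optional_no_ca) and FAILED:... are not,
     * even though a subject DN may still be present for them. */
    verify = tls_lookup(t, "SSL_CLIENT_VERIFY");
    if (verify == NULL || strcmp(verify, "SUCCESS") != 0)
        return CERT_AUTHN_DENIED;

    /* Never hand httpd an empty principal: a later authz stage would see
     * an "authenticated" request with no user to match against. */
    cn = tls_lookup(t, "SSL_CLIENT_S_DN_CN");
    if (cn == NULL || cn[0] == '\0' || strlen(cn) >= user_len)
        return CERT_AUTHN_DENIED;

    memcpy(user_out, cn, strlen(cn) + 1);
    return CERT_AUTHN_OK;
}

int main(void)
{
    /* Constructed sample: a verified client certificate for "alice". */
    const tls_var good[] = {
        { "SSL_CLIENT_VERIFY", "SUCCESS" },
        { "SSL_CLIENT_S_DN_CN", "alice" },
    };
    const tls_vars t = { good, sizeof good / sizeof good[0] };
    char user[64];

    if (cert_authn_decide(&t, "Certificate", user, sizeof user) == CERT_AUTHN_OK)
        printf("r->user = %s\n", user);
    return 0;
}
```

In a real module the function above sits inside a handler registered with ap_hook_check_authn(handler, NULL, NULL, APR_HOOK_MIDDLE, AP_AUTH_INTERNAL_PER_CONF); the handler fetches the variables through the ssl_var_lookup function obtained with APR_RETRIEVE_OPTIONAL_FN, copies the result into r->user with apr_pstrdup(r->pool, ...) on CERT_AUTHN_OK, returns DECLINED for CERT_AUTHN_DECLINED, and turns CERT_AUTHN_DENIED into HTTP_UNAUTHORIZED or HTTP_FORBIDDEN according to the module's policy. The test cases worth keeping around are the ones the comments flag: a DN present under GENEROUS or FAILED verification must not become r->user.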