Posted to dev@httpd.apache.org by Daniel Kahn Gillmor <dk...@fifthhorseman.net> on 2014/02/17 22:09:35 UTC

how to use authn_provider for password-less authentication within a module ?

Hi, i'm trying to revive mod_gnutls and bring it up to date with current
apache module practices, and i'd like to use apache 2.4's mod_auth
framework for user authentication via client-side certificates.  i'm
limiting the scope of this question to authentication because i do not
have a good use case for mod_gnutls for authorization at this point.

It seems like mod_gnutls should use:

 ap_register_auth_provider(p, AUTHN_PROVIDER_GROUP, …)

but it's not clear how it should be done.

In particular, the authn_provider struct doesn't seem well-suited to
non-password-based authentication mechanisms.  Should I avoid that part
of the framework altogether, not call ap_register_auth_provider at all,
and just manually set r->user via ap_hook_check_authn(), or should I be
thinking about this a different way?

Looking at the codebase, it looks to me like the authn_provider makes
some basic assumptions that an authentication provider will verify a
username and a password against some source.  This doesn't make sense in
the context of client-certificate-based authentication.  There are other
contexts in which a module could provide authentication (verifying a
given identity, or associating an identity with a given request) without
doing the sort of password authentication that the authn_provider struct
seems to assume.

include/mod_auth.h has:

------------------
typedef enum {
    AUTH_DENIED,
    AUTH_GRANTED,
    AUTH_USER_FOUND,
    AUTH_USER_NOT_FOUND,
    AUTH_GENERAL_ERROR
} authn_status;

/*  [...] */

typedef struct {
    /* Given a username and password, expected to return AUTH_GRANTED
     * if we can validate this user/password combination.
     */
    authn_status (*check_password)(request_rec *r, const char *user,
                                   const char *password);

    /* Given a user and realm, expected to return AUTH_USER_FOUND if we
     * can find a md5 hash of 'user:realm:password'
     */
    authn_status (*get_realm_hash)(request_rec *r, const char *user,
                                   const char *realm, char **rethash);
} authn_provider;
------------------

Any recommendations for how to best think about password-less
AUTHN_PROVIDER_GROUPs, or pointers to documentation that should clear it
up would be welcome.

Regards,

             --dkg

Re: how to use authn_provider for password-less authentication within a module ?

Posted by Eric Covener <co...@gmail.com>.
> In particular, the authn_provider struct doesn't seem well-suited to
> non-password-based authentication mechanisms.  Should I avoid that part
> of the framework altogether, not call ap_register_auth_provider at all,
> and just manually set r->user via ap_hook_check_authn(), or should I be
> thinking about this a different way?
>

That is the conclusion I came to for a similar mod.  I use an
alternate proprietary SSL module and do not like fakebasic or
SSLUsername:

https://github.com/covener/apache-modules/blob/master/mod_authn_cert.c

This relies on ssl_var_lookup via the expression parser. Hopefully
mod_gnutls implements these ssl optional functions.
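The approach Eric describes, written out as an added example (this is not code from the thread, from mod_gnutls, or from his mod_authn_cert): instead of registering an authn_provider with a check_password callback, a module hooks check_authn, asks the TLS module for the verified client certificate's subject DN through the ssl_var_lookup optional function, and sets r->user itself. The AuthType name "Certificate", the CERT_AUTHN_HTTPD build macro, the module name and the file name are all choices made for this example; SSL_CLIENT_S_DN is mod_ssl's real variable, assumed here to be exported in the same RFC 2253 form by mod_gnutls, which Eric only hopes implements the optional functions. The DN parsing is kept free of httpd types so it can be compiled and tested on its own; the httpd glue is compiled only when the macro is defined.

```c
/* Added example, not code from the thread, mod_gnutls or mod_authn_cert.
 * Password-less authn via a check_authn hook that sets r->user from the
 * TLS client certificate.  The DN parsing below has no httpd dependency;
 * the module glue is compiled only with -DCERT_AUTHN_HTTPD, e.g.
 *   apxs -c -DCERT_AUTHN_HTTPD mod_authn_cert_example.c   (names made up) */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Extract the CN from a subject DN in the RFC 2253 form mod_ssl returns
 * for SSL_CLIENT_S_DN ("CN=alice,O=Example,C=US").  Writes the value to
 * 'out' and returns its length, or 0 if there is no CN, it is empty, it
 * contains control characters (the value becomes r->user, which lands in
 * logs and in Require comparisons) or it does not fit in 'outlen'.
 * On a 0 return the contents of 'out' are undefined. */
static size_t cert_user_from_dn(const char *dn, char *out, size_t outlen)
{
    const char *p = dn;

    while (*p) {
        const char *rdn, *end;

        while (*p == ',' || *p == ' ')          /* skip separators */
            p++;
        rdn = p;
        /* an RDN ends at an unescaped comma; "\," is a literal comma */
        for (end = p; *end && *end != ','; end++)
            if (*end == '\\' && end[1])
                end++;
        if (end - rdn > 3 && strncmp(rdn, "CN=", 3) == 0) {
            const char *v = rdn + 3;
            size_t n = 0;

            while (v < end) {
                char c = *v++;
                if (c == '\\' && v < end)       /* unescape \x */
                    c = *v++;
                if (iscntrl((unsigned char)c) || n + 1 >= outlen)
                    return 0;
                out[n++] = c;
            }
            out[n] = '\0';
            return n;
        }
        p = end;
    }
    return 0;
}

#ifdef CERT_AUTHN_HTTPD
#include <strings.h>
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_request.h"
#include "apr_optional.h"
#include "apr_strings.h"
#include "mod_ssl.h"

APLOG_USE_MODULE(authn_cert_example);

/* mod_ssl (and, we assume, mod_gnutls) exports ssl_var_lookup as an APR
 * optional function; fetch it once every module has registered its own. */
static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *var_lookup;

static void retrieve_ssl_fns(void)
{
    var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
}

/* check_authn hook: acts only where the admin set "AuthType Certificate"
 * (a name chosen for this example); DECLINED leaves the request to other
 * authn modules.  Only meaningful with SSLVerifyClient require (or the
 * mod_gnutls equivalent), so the DN belongs to a verified certificate. */
static int cert_check_authn(request_rec *r)
{
    const char *type = ap_auth_type(r);
    char *dn, user[256];

    if (!type || strcasecmp(type, "Certificate") != 0)
        return DECLINED;
    if (!var_lookup) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "AuthType Certificate but no TLS module exports ssl_var_lookup");
        return HTTP_INTERNAL_SERVER_ERROR;
    }
    dn = var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_S_DN");
    if (!dn || !cert_user_from_dn(dn, user, sizeof user)) {
        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                      "client certificate missing or has no usable CN");
        return HTTP_UNAUTHORIZED;   /* no challenge header: there is none to send */
    }
    r->user = apr_pstrdup(r->pool, user);
    r->ap_auth_type = "Certificate";
    return OK;                      /* authz (Require ...) runs next */
}

static void register_hooks(apr_pool_t *p)
{
    ap_hook_optional_fn_retrieve(retrieve_ssl_fns, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_check_authn(cert_check_authn, NULL, NULL, APR_HOOK_MIDDLE,
                        AP_AUTH_INTERNAL_PER_CONF);
}

AP_DECLARE_MODULE(authn_cert_example) = {
    STANDARD20_MODULE_STUFF, NULL, NULL, NULL, NULL, NULL, register_hooks
};
#endif /* CERT_AUTHN_HTTPD */
```

Because the hook returns OK with r->user set, the normal authorization phase still runs, so `Require user alice` or `Require valid-user` work unchanged; the only thing the module replaces is the password check the authn_provider struct assumes.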