Posted to dev@httpd.apache.org by Graham Leggett <mi...@sharp.fm> on 2005/01/27 11:40:56 UTC

FakeBasicAuth - a howto anywhere?

Hi all,

I have been trying to get client certificates to work (they do) with httpd
v2.1, but have run into a problem. The cert CN is not being passed to the
backend (subversion).

The FakeBasicAuth SSLOption seems to be the solution - but the
documentation only describes what FakeBasicAuth tries to achieve, but it
doesn't explain how to actually use it.

Does someone have a config example of FakeBasicAuth in action? Once I know
how, I will update the docs to be more clear.

Regards,
Graham
--


Re: FakeBasicAuth - a howto anywhere?

Posted by Graham Leggett <mi...@sharp.fm>.
Graham Leggett said:

> Read through the example

Just to clarify, that meant past tense "(I) read through the example",
rather than the command "Read through the example". Just reread the
message back to myself and it sounds way wrong :)

Regards,
Graham
--


Re: FakeBasicAuth - a howto anywhere?

Posted by Dirk-Willem van Gulik <di...@webweaving.org>.

On Thu, 27 Jan 2005, Jim Jagielski wrote:

> As you know, all FakeBasicAuth is "preload" the auth info; it still
> requires that authentication itself take place. So the way around it is
> to enable anon auth which accepts "anything" as valid. Of course, that's
> not too secure. So some sort of special purpose auth module, which is
> FakeBasicAuth awareish is required.

Right, you -really- want to also have an SSLRequire in place! Or
alternatively we have a small module in the company which simply fills
out the c->user from the SSL env() info - which sometimes is needed
when there is a rewrite/internal_redirect causing the Auth header to go
awol..

Dw

Re: FakeBasicAuth - a howto anywhere?

Posted by Jim Jagielski <ji...@jaguNET.com>.
On Jan 27, 2005, at 12:07 PM, Graham Leggett wrote:

> Mads Toftum said:
>
>> Simple:
>>
>> SSLOptions +FakeBasicAuth
>>
>> And then turn on basic auth as you would for plain passwords.
>> FakeBasicAuth will then act as if the user entered the certificate DN as
>> user and password as password.
>> There's an example in my mod_ssl talk from ApacheCon 2004 - see page 19
>> of http://cvs.apache.org/~mads/ac2004/MO18mod_ssl.pdf
>
> Read through the example - it requires a password file, which is redundant
> (we already keep track of the user's identity via client cert and CRL, we
> don't need to check again in a passwd file). Is there a way around this
> limitation?

As you know, all FakeBasicAuth is "preload" the auth
info; it still requires that authentication itself take
place. So the way around it is to enable anon auth which
accepts "anything" as valid. Of course, that's not too
secure. So some sort of special purpose auth module, which
is FakeBasicAuth awareish is required.


Re: FakeBasicAuth - a howto anywhere?

Posted by Geoffrey Young <ge...@modperlcookbook.org>.
>>I made the change, and it now works, thanks!
>>
>>Is it possible to fix mod_authn_anon? How hard is the bug to fix?
> 
> 
> Not that hard. If nobody beats me, I'm going to make it over the weekend.
> It's because conf->anyuserid is not checked in the provider when no further
> user id is configured.

I added a test for this to the perl-framework - t/ssl/fakeauth.t.  it
currently passes based on the

  Anonymous dummy *

fix you suggested, but should be easy to modify based on whatever behavior
it is supposed to have.  ping me if you need help.

--Geoff

Re: FakeBasicAuth - a howto anywhere?

Posted by André Malo <nd...@perlig.de>.
* "Graham Leggett" <mi...@sharp.fm> wrote:

> André Malo said:
> 
> >> When mod_authn_anon runs above, it sees no username,
> >
> > Ahahaha. Looking at the code again -- it could be a bug in
> > mod_authn_anon.
> > Please try:
> >
> > Anonymous dummy *
> 
> I made the change, and it now works, thanks!
> 
> Is it possible to fix mod_authn_anon? How hard is the bug to fix?

Not that hard. If nobody beats me, I'm going to make it over the weekend.
It's because conf->anyuserid is not checked in the provider when no further
user id is configured.

nd

Re: FakeBasicAuth - a howto anywhere?

Posted by Graham Leggett <mi...@sharp.fm>.
André Malo said:

>> When mod_authn_anon runs above, it sees no username,
>
> Ahahaha. Looking at the code again -- it could be a bug in mod_authn_anon.
> Please try:
>
> Anonymous dummy *

I made the change, and it now works, thanks!

Is it possible to fix mod_authn_anon? How hard is the bug to fix?

Regards,
Graham
--


Re: FakeBasicAuth - a howto anywhere?

Posted by André Malo <nd...@perlig.de>.
* Graham Leggett wrote:

> When mod_authn_anon runs above, it sees no username, 

Ahahaha. Looking at the code again -- it could be a bug in mod_authn_anon.
Please try:

Anonymous dummy *

> and so sends a 403

401, fwiw.

nd
-- 
"Das Verhalten von Gates hatte mir bewiesen, dass ich auf ihn und seine
beiden Gefährten nicht zu zählen brauchte" -- Karl May, "Winnetou III"

Im Westen was neues: <http://pub.perlig.de/books.html#apache2>

Re: FakeBasicAuth - a howto anywhere?

Posted by Graham Leggett <mi...@sharp.fm>.
Jim Jagielski wrote:

> Any errors in the error log (info level at least), like:
> 
>    "Encountered FakeBasicAuth spoof:..."
>    "Faking HTTP Basic Auth header: ..."

There definitely weren't any messages like this, but I am not sure 
whether the debug level was high enough. Will check tomorrow when I have 
access to the machine again.

Regards,
Graham
--


Re: FakeBasicAuth - a howto anywhere?

Posted by Jim Jagielski <ji...@jaguNET.com>.
Any errors in the error log (info level at least), like:

    "Encountered FakeBasicAuth spoof:..."
    "Faking HTTP Basic Auth header: ..."

??


Re: FakeBasicAuth - a howto anywhere?

Posted by Graham Leggett <mi...@sharp.fm>.
Mads Toftum wrote:

> Just checking - do you have SSLVerifyClient require somewhere else?
> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" doesn't really add much
> (unless you've only got optional with SSLVerifyClient)

I do - in the virtual host the cert is optional, in the protected URL 
space clients get "forbidden" if no cert is available. Works really well.

In contrast, SSLVerifyCert require throws a weird client error (a 
dreaded numeric code) on Firefox when the cert was missing, and IE gave 
its usual wordy message about some vague problem with the client cert. 
It seems in the world of browsers, "optional" is handled much better.

Regards,
Graham
--

Re: FakeBasicAuth - a howto anywhere?

Posted by Mads Toftum <ma...@toftum.dk>.
On Thu, Jan 27, 2005 at 09:28:45PM +0200, Graham Leggett wrote:
> <Location /repos>
>     DAV svn
>     SVNParentPath /var/svn
>     SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
>     SSLOptions +FakeBasicAuth +StdEnvVars
>     Options Indexes FollowSymLinks
>     Order allow,deny
>     Allow from all
>     AuthName "Subversion"
>     AuthType Basic
>     AuthBasicProvider anon
>     Anonymous "*"
>     Require valid-user
> </Location>
> 
Just checking - do you have SSLVerifyClient require somewhere else?
SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" doesn't really add much
(unless you've only got optional with SSLVerifyClient)

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall


Re: FakeBasicAuth - a howto anywhere?

Posted by Graham Leggett <mi...@sharp.fm>.
Dirk-Willem van Gulik wrote:

> is this on 1.3 or 2.0 ? And what is the order of the modules ? As we're
> using this in a couple of places - or do you also have a rewrite rule ?
> (e.g. trapping / like you do for a wiki).

It's on v2.1 trunk. I've tried it mod_authn_anon followed by ssl, then 
swapped it round - made no difference.

The config looks like this:

<Location /repos>
     DAV svn
     SVNParentPath /var/svn
     SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
     SSLOptions +FakeBasicAuth +StdEnvVars
     Options Indexes FollowSymLinks
     Order allow,deny
     Allow from all
     AuthName "Subversion"
     AuthType Basic
     AuthBasicProvider anon
     Anonymous "*"
     Require valid-user
</Location>

There is no rewriting or forwarding, just the subversion module.

When mod_authn_anon runs above, it sees no username, and so sends a 403 
to the browser asking for one, causing a popup window to appear when it 
should not.

Regards,
Graham
--

Re: FakeBasicAuth - a howto anywhere?

Posted by Dirk-Willem van Gulik <di...@webweaving.org>.

On Thu, 27 Jan 2005, Graham Leggett wrote:

> I tried to use the mod_authn_anon module, but it insisted on asking the
> browser for the username (and thus a pointless login screen pops up on the
> browser), rather than reading the username as populated by FakeBasicAuth.
> It looks like FakeBasicAuth is either not doing anything, or is doing what
> it does too late in the process to be effective.

is this on 1.3 or 2.0 ? And what is the order of the modules ? As we're
using this in a couple of places - or do you also have a rewrite rule ?
(e.g. trapping / like you do for a wiki).

Dw

Re: FakeBasicAuth - a howto anywhere?

Posted by André Malo <nd...@perlig.de>.
* "Graham Leggett" <mi...@sharp.fm> wrote:

> Dirk-Willem van Gulik said:
> 
> > Yes - by adding a module or using the auth_anon module. But this really
> > should be cleaned up :-) and result in a credentials or facts listing
> > passed around with the request - rather than those easily forged headers
> > we add now internally (and the breakage when you do an internal
> > redirect).
> 
> I tried to use the mod_authn_anon module, but it insisted on asking the
> browser for the username (and thus a pointless login screen pops up on the
> browser), rather than reading the username as populated by FakeBasicAuth.
> It looks like FakeBasicAuth is either not doing anything, or is doing what
> it does too late in the process to be effective.

It would be interesting, why. While looking at the code, it should work,
theoretically. Does the error log say anything?

nd

Re: FakeBasicAuth - a howto anywhere?

Posted by Graham Leggett <mi...@sharp.fm>.
Dirk-Willem van Gulik said:

> Yes - by adding a module or using the auth_anon module. But this really
> should be cleaned up :-) and result in a credentials or facts listing
> passed around with the request - rather than those easily forged headers
> we add now internally (and the breakage when you do an internal redirect).

I tried to use the mod_authn_anon module, but it insisted on asking the
browser for the username (and thus a pointless login screen pops up on the
browser), rather than reading the username as populated by FakeBasicAuth.
It looks like FakeBasicAuth is either not doing anything, or is doing what
it does too late in the process to be effective.

Regards,
Graham
--


Re: FakeBasicAuth - a howto anywhere?

Posted by Dirk-Willem van Gulik <di...@webweaving.org>.

On Thu, 27 Jan 2005, Graham Leggett wrote:

> Read through the example - it requires a password file, which is redundant
> (we already keep track of the user's identity via client cert and CRL, we
> don't need to check again in a passwd file). Is there a way around this
> limitation?

Yes - by adding a module or using the auth_anon module. But this really
should be cleaned up :-) and result in a credentials or facts listing
passed around with the request - rather than those easily forged headers
we add now internally (and the breakage when you do an internal redirect).

Dw

Re: FakeBasicAuth - a howto anywhere?

Posted by Graham Leggett <mi...@sharp.fm>.
Mads Toftum said:

> Simple:
>
> SSLOptions +FakeBasicAuth
>
> And then turn on basic auth as you would for plain passwords.
> FakeBasicAuth will then act as if the user entered the certificate DN as
> user and password as password.
> There's an example in my mod_ssl talk from ApacheCon 2004 - see page 19
> of http://cvs.apache.org/~mads/ac2004/MO18mod_ssl.pdf

Read through the example - it requires a password file, which is redundant
(we already keep track of the user's identity via client cert and CRL, we
don't need to check again in a passwd file). Is there a way around this
limitation?

Regards,
Graham
--


Re: FakeBasicAuth - a howto anywhere?

Posted by Mads Toftum <ma...@toftum.dk>.
On Thu, Jan 27, 2005 at 12:40:56PM +0200, Graham Leggett wrote:
> The FakeBasicAuth SSLOption seems to be the solution - but the
> documentation only describes what FakeBasicAuth tries to achieve, but it
> doesn't explain how to actually use it.

Are you looking at FakeBasicAuth under
http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#ssloptions ?
> 
> Does someone have a config example of FakeBasicAuth in action? Once I know
> how, I will update the docs to be more clear.
> 
Simple:

SSLOptions +FakeBasicAuth

And then turn on basic auth as you would for plain passwords.
FakeBasicAuth will then act as if the user entered the certificate DN as
user and password as password.
There's an example in my mod_ssl talk from ApacheCon 2004 - see page 19
of http://cvs.apache.org/~mads/ac2004/MO18mod_ssl.pdf

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall
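The recipe Mads gives above, together with the "Anonymous dummy *" workaround from André's reply, as a complete configuration. This is an added example, not a config from the thread or from the httpd project; the /repos and /var/svn paths come from Graham's config, while the certificate file paths, the password-file path and the sample DN are placeholders. The fixed password "password" and its crypt form xxj31ZMTZzkVA are what the mod_ssl documentation specifies for FakeBasicAuth.

```apache
# Added example (not from the thread): client-certificate auth for a
# Subversion repository via mod_ssl's FakeBasicAuth. Certificate, key, CA,
# CRL and password-file paths are placeholders.

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt   # CA that issued the client certs
    SSLCARevocationFile   /etc/httpd/ssl/client-ca.crl   # the CRL the thread relies on

    # "optional" at vhost level keeps browsers from throwing an opaque TLS
    # error when no cert is present; the protected location enforces it below.
    SSLVerifyClient optional
    SSLVerifyDepth  1

    <Location /repos>
        DAV svn
        SVNParentPath /var/svn

        # With SSLVerifyClient only "optional", this line is the real gate:
        # a TLS client that presented no (or an unverifiable) cert gets 403
        # here and never reaches the auth phase with an empty fake header.
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"

        # Tell mod_ssl to synthesise an "Authorization: Basic" header whose
        # user is the cert subject DN and whose password is the fixed string
        # "password"; StdEnvVars also exposes SSL_CLIENT_S_DN to the backend.
        SSLOptions +FakeBasicAuth +StdEnvVars

        AuthName "Subversion"
        AuthType Basic

        # Variant A (Mads' recipe): a password file with one line per DN.
        # Every entry carries the same password, so each line looks like
        #   /C=ZA/O=Example Ltd/CN=Some User:xxj31ZMTZzkVA
        # where xxj31ZMTZzkVA is crypt("password") as given in the mod_ssl docs.
        AuthUserFile      /etc/httpd/svn-cert-users   # placeholder path
        AuthBasicProvider file
        Require           valid-user

        # Variant B (what the thread ended up with): no password file, accept
        # whatever user name the synthesised header carries. Safe only because
        # SSLRequire above already rejected anything without a verified cert.
        # "Anonymous dummy *" rather than "Anonymous *" is the workaround
        # for the mod_authn_anon bug André identified.
        #AuthBasicProvider anon
        #Anonymous         dummy *
        #Require           valid-user
    </Location>
</VirtualHost>
```

For variant A, build the password file from the DN string as the server itself formats it (log SSL_CLIENT_S_DN once with StdEnvVars on, or take it from the "Faking HTTP Basic Auth header" message Jim mentions at info log level) rather than from `openssl x509 -subject` output, since the two are not guaranteed to agree on ordering and escaping. In either variant the user name Subversion records as the commit author is the full DN, not just the CN, so an AuthzSVNAccessFile has to list DNs. The DN string format mod_ssl uses changed in later releases (RFC 2253 style rather than the slash-separated form shown here), so check the mod_ssl documentation for the exact SSLOptions of the version actually deployed before populating the file.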