Posted to modules-dev@httpd.apache.org by Mark Constable <ma...@renta.net> on 2007/06/09 07:42:06 UTC

Patch for mod_authn_dbd plaintext auth

I need this, not sure if it's of value to anyone else?

--- httpd-2.2.4/modules/aaa/mod_authn_dbd.c.orig    2006-07-12 03:38:44.000000000 +0000
+++ httpd-2.2.4/modules/aaa/mod_authn_dbd.c 2007-06-09 05:35:33.000000000 +0000
@@ -29,6 +29,7 @@
 typedef struct {
     const char *user;
     const char *realm;
+    int plaintext;
 } authn_dbd_conf;
 typedef struct {
     const char *label;
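Review bot: the new `int plaintext` field is never initialised anywhere in this patch; the per-directory config creation function is not in the diff, so unless it already uses apr_pcalloc it must be updated to set `plaintext = 0` explicitly, otherwise a section that never mentions AuthDBDPlaintext inherits whatever was in the allocation and can silently take the plaintext path. A one-line comment on the field saying what non-zero means (compare the stored value literally instead of via apr_password_validate) would also help the next reader.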
@@ -51,6 +52,7 @@
     authn_dbd_conf *ret = apr_palloc(pool, sizeof(authn_dbd_conf));
     ret->user = (add->user == NULL) ? base->user : add->user;
     ret->realm = (add->realm == NULL) ? base->realm : add->realm;
+    ret->plaintext = (add->plaintext == NULL) ? base->plaintext : add->plaintext;
     return ret;
 }
 static const char *authn_dbd_prepare(cmd_parms *cmd, void *cfg, const char *query)
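Review bot: `(add->plaintext == NULL)` compares an int against NULL, which is a pointer constant on most toolchains and will draw a compiler warning; more importantly, the merge cannot tell "not set" apart from "Off", since ap_set_flag_slot stores 0 for both, so a child section with `AuthDBDPlaintext Off` under a parent with `On` still ends up with `plaintext = 1`. The usual httpd idiom is to initialise the field to -1 in the create function and merge with `ret->plaintext = (add->plaintext == -1) ? base->plaintext : add->plaintext;`, treating anything other than 1 as off at check time.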
@@ -80,6 +82,9 @@
     AP_INIT_TAKE1("AuthDBDUserRealmQuery", authn_dbd_prepare,
                   (void *)APR_OFFSETOF(authn_dbd_conf, realm), ACCESS_CONF,
                   "Query used to fetch password for user+realm"),
+    AP_INIT_FLAG("AuthDBDPlaintext", ap_set_flag_slot,
+                  (void *)APR_OFFSETOF(authn_dbd_conf, plaintext), ACCESS_CONF,
+                  "Query used to fetch plaintext passwords"),
     {NULL}
 };
 static authn_status authn_dbd_password(request_rec *r, const char *user,
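Review bot: the help string "Query used to fetch plaintext passwords" on the AuthDBDPlaintext entry is wrong: this directive is an On/Off flag registered with ap_set_flag_slot, not a query. Suggest something like "On to compare the stored password literally rather than as a hash". The directive also needs a note in the module documentation that it bypasses apr_password_validate, because an admin who turns it on against a table of hashed passwords will see every login fail, and one who leaves it off against a table of plaintext passwords will see the same.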
@@ -134,7 +139,11 @@
         return AUTH_USER_NOT_FOUND;
     }

-    rv = apr_password_validate(password, dbd_password);
+    if (conf->plaintext) {
+        rv = (strcmp(password, dbd_password) == 0) ? APR_SUCCESS : APR_EMISMATCH;
+    } else {
+        rv = apr_password_validate(password, dbd_password);
+    }

     if (rv != APR_SUCCESS) {
         return AUTH_DENIED;
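Review bot: the plaintext branch uses strcmp, whose running time depends on where the first differing byte is, so it exposes information about the stored value that the hash comparison in apr_password_validate does not; a comparison that checks lengths and then walks the full buffer regardless of mismatches would be preferable. The choice of APR_EMISMATCH is consistent with what apr_password_validate returns on a failed match, so the existing `if (rv != APR_SUCCESS)` check below keeps working unchanged. Note that `conf` is referenced here but not declared in the hunk; presumably it is the per-directory config already fetched earlier in this function, which should be confirmed.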


--markc

Re: Patch for mod_authn_dbd plaintext auth

Posted by Mark Constable <ma...@renta.net>.
On Saturday 09 June 2007 12:51:03 Brian J. France wrote:
> Would be useful for me!  Pretty close to what I use:
> 
>    http://www.brianfrance.com/software/apache/mod_authn_dbd.c.diff

Doh! From over a year ago! It just shows (me) I should
have asked if anyone else on the list knew of anything
already available. But frankly, I didn't want to have to
put up with justifying why I would want plaintext passwds.

Your patch is more correct than mine so I'll adopt yours.

--markc


Re: Patch for mod_authn_dbd plaintext auth

Posted by "Brian J. France" <li...@firehawksystems.com>.
On Jun 9, 2007, at 1:42 AM, Mark Constable wrote:
> I need this, not sure if it's of value to anyone else?

Would be useful for me!  Pretty close to what I use:

   http://www.brianfrance.com/software/apache/mod_authn_dbd.c.diff

I agree with Nick that it should be moved up a level, but I think to
do that it would require a re-work of all authn modules.

Brian


Re: Patch for mod_authn_dbd plaintext auth

Posted by Mark Constable <ma...@renta.net>.
On Saturday 09 June 2007 14:09:22 Frank Jones wrote:
> > A crypted
> > (or better) password hash in a plain text .htaccess is a good
> > idea but a database is already a binary blob so both would
> > prevent trivial accidental viewing of passwords.
> 
> This isn't directly relevant to your question, but I think it's
> important to point out that while sqlite databases are binary, they
> aren't really blobs. Try running "strings" on a sqlite database and
> you'll see what I mean.

Yes and hacking the crypted passwords in a .htaccess
file, these days, is only a step or two more complicated.
Both are only good enough to "prevent trivial accidental
viewing".

I was pleased to note that Brian F, over a year ago, has
also created a patch (and no one hacks on a module to
create a patch unless they *really* want the additional
functionality) so that demonstrates there is indeed a
need for plaintext passwords.

The point here is should the apache devs deny this
functionality to apache users, because some of them think
it's not appropriate (policy not technical), when there
are obviously patch(es) available?

On Saturday 09 June 2007 12:51:03 Brian J. France wrote:
> I agree with Nick that it should be moved up a level, but I think to
> do that it would require a re-work of all authn modules.

Would it be a reasonable compromise to accept this patch
in its current state and then look into making the
appropriate modifications to higher authn layers at a
later stage?

This approach has the benefit of getting feedback from
folks actually using plaintext passwords, in SQL backends
at least, and could provide more eyeballs on the issue
of migrating this change up the authn layer. Or, it
could prove this is a lame duck patch that no one wants
and just causes problems. I don't think the latter, but
incremental forward movement is not a bad approach.

--markc

Re: Patch for mod_authn_dbd plaintext auth

Posted by Frank Jones <jo...@gmail.com>.
On 6/9/07, Mark Constable <ma...@renta.net> wrote:
> I personally think it's a valid option to provide and I lean
> towards thinking it only applies to the DBD level. A crypted
> (or better) password hash in a plain text .htaccess is a good
> idea but a database is already a binary blob so both would
> prevent trivial accidental viewing of passwords.

This isn't directly relevant to your question, but I think it's
important to point out that while sqlite databases are binary, they
aren't really blobs. Try running "strings" on a sqlite database and
you'll see what I mean.

Re: Patch for mod_authn_dbd plaintext auth

Posted by Mark Constable <ma...@renta.net>.
On Saturday 09 June 2007 06:32:12 Nick Kew wrote:
> [ it's a bit off-topic in modules-dev.  dev@httpd is where
> we discuss proposals for changes to httpd.  Or if you have
> no such ambition but just want to share a patch, somewhere
> on the web is better than a mailinglist.  A traditional
> way to do this is in bugzilla, though the wiki-faq might
> be a better solution now that it's available.]

Apologies. I assumed this was a list to discuss modules
for apache.

> Tip: what is the problem you're fixing?

I want apache to be able to do basic auth against any
SQL database that contains plain text passwords.

> You want to store plaintext passwords, that's your business.
> But why are plaintext passwords in SQL any different to
> plaintext passwords in, say, a DBM or flat file?

I just happened to hack my way thru this patch where
I particularly need it to work, mainly with sqlite. I
suspect no one else would want plain text passwords in
.htaccess files. I don't.

> An equivalent patch in mod_auth_basic would apply not just
> to passwords stored in SQL, but to passwords anywhere.

Obviously a matter of consensus if it was needed higher
up the module chain.

> Should we do that?  Well, the case for it goes something
> like "We should support storing passwords in plaintext
> because [... make your case here ...]".  If you convince
> people it adds value, then maybe we'll adopt it.

I use a common database for ftp, smtp, pop, imap and radius
dialup/adsl authentication and it *must* contain plaintext
passwords for RADIUS CHAP auth and SMTP auth (courier-mta).

Also, as an ISP, with 1000s of clients and limited support
staff, being able to view a clients login password and advise
that client (often via phone) what it is makes our lives much
easier than having to advise the client how to reset their
password in 1/2 dozen applications (far too time consuming).
There is no way we would go back to using encrypted passwords,
even if we could, the convenience factor is just too high.

I could add an extra otherwise redundant crypted password
field to my common database, just for web auth, or, hack on
apache until I don't need that otherwise redundant field.

I personally think it's a valid option to provide and I lean
towards thinking it only applies to the DBD level. A crypted
(or better) password hash in a plain text .htaccess is a good
idea but a database is already a binary blob so both would
prevent trivial accidental viewing of passwords. Neither of
them, even with encrypted passwords in the database, would
stop a dedicated hacker *if* security was of the utmost
importance.

I would like to think the server admin should have choice of
whether the passwords stored in a database (and/or elsewhere)
are either plaintext or encrypted in some manner. None of the
other services I provide deny me the use of plaintext passwords.

--markc

Re: Patch for mod_authn_dbd plaintext auth

Posted by Nick Kew <ni...@webthing.com>.
On Sat, 9 Jun 2007 05:42:06 +0000
Mark Constable <ma...@renta.net> wrote:

> I need this, not sure if it's of value to anyone else?

[ it's a bit off-topic in modules-dev.  dev@httpd is where
we discuss proposals for changes to httpd.  Or if you have
no such ambition but just want to share a patch, somewhere
on the web is better than a mailinglist.  A traditional
way to do this is in bugzilla, though the wiki-faq might
be a better solution now that it's available.
]

Tip: what is the problem you're fixing?

You want to store plaintext passwords, that's your business.
But why are plaintext passwords in SQL any different to
plaintext passwords in, say, a DBM or flat file?

An equivalent patch in mod_auth_basic would apply not just
to passwords stored in SQL, but to passwords anywhere.

Should we do that?  Well, the case for it goes something
like "We should support storing passwords in plaintext
because [... make your case here ...]".  If you convince
people it adds value, then maybe we'll adopt it.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/