Posted to modules-dev@httpd.apache.org by Michele Waldman <mm...@nyc.rr.com> on 2009/02/01 21:19:38 UTC

Making mod_auth_digest mysql

I hope I got the email correct.  I'm trying to post to the mailing list.


I want to do the following in htaccess for account security:

<FilesMatch ".*[^(wp_login.php|logout.php)]">
SetEnvIf Authorization "^(.*)Account(.*)$" logged_in
Order Allow,Deny
Allow from env=logged_in
</FilesMatch>

<Files wp_login.php>
AuthType Basic
AuthName "Account"
require group account
</Files>

<Files logout.php>
AuthType Basic
AuthName "Leave"
require group leave
</Files>


Basic authentication doesn't "remember" the authtype, but Digest does.

Cookies are too insecure because they are readily editable.

I'm connecting over a secure certificate.  I believe a user could possibly
telnet and send an authorization header?

I want to know the risk of them getting or guessing the right AuthType under
these circumstances.

How vulnerable is the request authorization header?

Also, it seems to me I could rewrite mod_auth_digest to use mysql by
modifying the code recompiling and linking in the new object.

I haven't tried it yet, so I don't know the obstacles.  I'd like to know if
this is a worthwhile endeavor first and how much of a security risk will be
introduced.

The point of this is to avoid the ugly popups that requiring authentication
causes.

Does anyone have any suggestions on a better approach?


Michele



Re: Making mod_auth_digest mysql

Posted by Eric Covener <co...@gmail.com>.
On Fri, Feb 6, 2009 at 12:35 PM, Eric Covener <co...@gmail.com> wrote:
> On Fri, Feb 6, 2009 at 12:10 PM, Michele Waldman <mm...@nyc.rr.com> wrote:
>> There isn't one.  I'm talking about writing it.
>
> Not in the email I replied to, that you included in your reply.

Sorry, I'm finally grokking that you're trying to implement "-e".

> RewriteCond ${REMOTE_USER} !="" always evaluates to true if REMOTE_USER does
> not exist.  Am I wrong?

Your syntax is wrong, RewriteLog might tell you you're comparing the
string with the dollar sign in it and not any actual substitution.


The following two work as expected for me, with the caveat about
%{REMOTE_USER} availability during per-vhost rewrite:

RewriteCond %{REMOTE_USER} !=""
and
RewriteCond %{ENV:DOESNOTEXIST} !=""

-- 
Eric Covener
covener@gmail.com

Re: Making mod_auth_digest mysql

Posted by Eric Covener <co...@gmail.com>.
On Fri, Feb 6, 2009 at 12:10 PM, Michele Waldman <mm...@nyc.rr.com> wrote:
> There isn't one.  I'm talking about writing it.

Not in the email I replied to, that you included in your reply.

-- 
Eric Covener
covener@gmail.com

RE: Making mod_auth_digest mysql

Posted by Michele Waldman <mm...@nyc.rr.com>.
There isn't one.  I'm talking about writing it.

-----Original Message-----
From: Eric Covener [mailto:covener@gmail.com] 
Sent: Friday, February 06, 2009 9:24 AM
To: modules-dev@httpd.apache.org
Subject: Re: Making mod_auth_digest mysql

On Fri, Feb 6, 2009 at 8:49 AM, Michele Waldman <mm...@nyc.rr.com> wrote:
> I mean to check server environment variables which is what REMOTE_USER is.

This might be better off on users@httpd.apache.org

> I just want to know if the variable is defined on the server then I could do
> this:
>
> RewriteEngine On
> RewriteCond %{REMOTE_USER} -e

I couldn't find any reference to "-e", to check if it's empty you can
do !="" or !^$

> RewriteRule ^(.*)$ - [S=1]
> RewriteRule ^.*$ http://domain/login.html [R]
>
> Right now when REMOTE_USER is not defined this line gets executed:
> RewriteRule ^(.*)$ - [S=1]
>
> I want that line to be skipped if REMOTE_USER has not been defined as a
> server environment variable.

In per-vhost context, that will never be set unless you use the
lookahead feature.

>
> You can see the values in phpinfo();  It is only defined if the user is
> logged in.

That processing is later, so REMOTE_USER may be set by then.

> Why would a nonexistent variable evaluate to true?

Unless I'm confused re: "-e", it seems like your "-e" would be
interpreted as a regex, but that shouldn't match an empty string
AFAICT.


-- 
Eric Covener
covener@gmail.com


Re: Making mod_auth_digest mysql

Posted by Eric Covener <co...@gmail.com>.
On Fri, Feb 6, 2009 at 8:49 AM, Michele Waldman <mm...@nyc.rr.com> wrote:
> I mean to check server environment variables which is what REMOTE_USER is.

This might be better off on users@httpd.apache.org

> I just want to know if the variable is defined on the server then I could do
> this:
>
> RewriteEngine On
> RewriteCond %{REMOTE_USER} -e

I couldn't find any reference to "-e", to check if it's empty you can
do !="" or !^$

> RewriteRule ^(.*)$ - [S=1]
> RewriteRule ^.*$ http://domain/login.html [R]
>
> Right now when REMOTE_USER is not defined this line gets executed:
> RewriteRule ^(.*)$ - [S=1]
>
> I want that line to be skipped if REMOTE_USER has not been defined as a
> server environment variable.

In per-vhost context, that will never be set unless you use the
lookahead feature.

>
> You can see the values in phpinfo();  It is only defined if the user is
> logged in.

That processing is later, so REMOTE_USER may be set by then.

> Why would a nonexistent variable evaluate to true?

Unless I'm confused re: "-e", it seems like your "-e" would be
interpreted as a regex, but that shouldn't match an empty string
AFAICT.


-- 
Eric Covener
covener@gmail.com

RE: Making mod_auth_digest mysql

Posted by Michele Waldman <mm...@nyc.rr.com>.
I mean to check server environment variables which is what REMOTE_USER is.

I just want to know if the variable is defined on the server then I could do
this:

RewriteEngine On
RewriteCond %{REMOTE_USER} -e
RewriteRule ^(.*)$ - [S=1]
RewriteRule ^.*$ http://domain/login.html [R]

Right now when REMOTE_USER is not defined this line gets executed:
RewriteRule ^(.*)$ - [S=1]

I want that line to be skipped if REMOTE_USER has not been defined as a
server environment variable.

You can see the values in phpinfo();  It is only defined if the user is
logged in.

Why would a nonexistent variable evaluate to true?

Michele

-----Original Message-----
From: Dave Ingram [mailto:dave@dmi.me.uk] 
Sent: Friday, February 06, 2009 5:55 AM
To: modules-dev@httpd.apache.org
Subject: Re: Making mod_auth_digest mysql

The -f and -d flags for RewriteCond are for checking the file system,
not environment variables, although they can use environment variables
if necessary. For example:

RewriteCond %{DOCUMENT_ROOT}/%{ENV:foo} -d

would check that the folder named by the environment variable "foo"
exists in the document root.


Dave


Michele Waldman wrote:
> RewriteCond has flags -f -d ...
> But not -e for exists.
> It looks like:
> RewriteCond ${REMOTE_USER} !="" always evaluates to true if REMOTE_USER does
> not exist.  Am I wrong?
> I'm thinking about adding a -e flag for environment variable does not exist
> to httpd on my server.  It would return true if the variable exists or
> false, otherwise.
> Is there a way to already do this?
> Thoughts?
>
> Michele
>
>
>   


Re: Making mod_auth_digest mysql

Posted by Dave Ingram <da...@dmi.me.uk>.
The -f and -d flags for RewriteCond are for checking the file system,
not environment variables, although they can use environment variables
if necessary. For example:

RewriteCond %{DOCUMENT_ROOT}/%{ENV:foo} -d

would check that the folder named by the environment variable "foo"
exists in the document root.


Dave


Michele Waldman wrote:
> RewriteCond has flags -f -d ...
> But not -e for exists.
> It looks like:
> RewriteCond ${REMOTE_USER} !="" always evaluates to true if REMOTE_USER does
> not exist.  Am I wrong?
> I'm thinking about adding a -e flag for environment variable does not exist
> to httpd on my server.  It would return true if the variable exists or
> false, otherwise.
> Is there a way to already do this?
> Thoughts?
>
> Michele
>
>
>   


RE: Making mod_auth_digest mysql

Posted by Michele Waldman <mm...@nyc.rr.com>.
RewriteCond has flags -f -d ...
But not -e for exists.
It looks like:
RewriteCond ${REMOTE_USER} !="" always evaluates to true if REMOTE_USER does
not exist.  Am I wrong?
I'm thinking about adding a -e flag for environment variable does not exist
to httpd on my server.  It would return true if the variable exists or
false, otherwise.
Is there a way to already do this?
Thoughts?

Michele



Re: Making mod_auth_digest mysql

Posted by Bob Ionescu <bo...@googlemail.com>.
2009/2/1 Michele Waldman <mm...@nyc.rr.com>:
The userlist (http://httpd.apache.org/userslist.html) might be a
better place, but...

> I want to do the following in htaccess for account security:
>
> <FilesMatch ".*[^(wp_login.php|logout.php)]">

That would not do what it should do. [^...] is a negated character
class to exclude certain characters but not a specific string. You'll
need a negative lookahead

<FilesMatch "^(?!wp_login\.php|logout\.php)">

> Basic authentication doesn't "remember" the authtype, but Digest does.

AuthType? AuthName, I guess.

> I'm connecting over a secure certificate.  I believe a user could possibly
> telnet and send an authorization header?

I'd expect that you/your module would require SSL/TLS, but if a client
sends an authorization request header which contains 'Account', you'd
"authenticate". Not very secure?!

> I want to know the risk of them getting or guessing the right AuthType under
> these circumstances.

If you're requesting wp_login.php AuthName should be served. Of
course, someone needs to know that; you could perform a probability
calculation, of course. Expect the unexpected.

> The point of this is to avoid the ugly popups that requiring authentication
> causes.

How do you convince the client to send an authorization request
header? Via such a popup for wp_login.php. Once authenticated the
popup shouldn't appear for that session and realm, but I guess your
point is that no one should see that they can authenticate unless they
are using the back door link wp_login.php?

> Does anyone have any suggestions on a better approach?

Maybe. If my last assumption is your point, modify/write an auth
module which replies with a
 - 401
   - for certain URLs (e.g. /wp_login.php) if no authorization header was present or
   - for all URLs if an authorization header was present but the credentials didn't match;

or with a
 - 403 if the condition for a 401 didn't match.

The bottom line would be that the client is either authenticated or
receives a 403 forbidden instead of a 401.

Bob
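As an added illustration (not code from this thread or from httpd), the Python below models the 401/403 decision table Bob outlines, with a real Basic credential check, and beside it the original SetEnvIf gate that accepts any Authorization header containing "Account"; the user table, salt and login paths are constructed stand-ins for the MySQL-backed lookup under discussion.

```python
import base64
import hashlib
import hmac
import re

# Constructed credential table: user -> salted SHA-256 of the password.
# Stand-in for the MySQL lookup the thread talks about adding to httpd.
SALT = b"constructed-salt"
USERS = {"alice": hashlib.sha256(SALT + b"correct horse").hexdigest()}

# Only these paths get a 401 challenge when no Authorization header is sent
# (Bob's "certain URLs"); everything else is answered with 403 instead.
LOGIN_PATHS = {"/wp_login.php", "/logout.php"}


def basic_header(user, password):
    """Build an RFC 7617 Basic header value (used for the sample requests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header):
    """Return (user, password) from a Basic header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def credentials_valid(user, password):
    digest = hashlib.sha256(SALT + password.encode()).hexdigest()
    # Constant-time compare; unknown users compare against "" and fail.
    return hmac.compare_digest(digest, USERS.get(user, ""))


def setenvif_gate(auth_header):
    """Model of the original .htaccess rule:
    SetEnvIf Authorization "^(.*)Account(.*)$" logged_in
    It grants access on header *contents* alone; no credential is verified."""
    return bool(auth_header and re.search(r"^(.*)Account(.*)$", auth_header))


def decide(path, auth_header):
    """Bob's table: 401 on login paths with no header, 401 on any path when a
    header is present but wrong, 403 otherwise; 200 only on valid credentials."""
    if auth_header is None:
        return 401 if path in LOGIN_PATHS else 403
    creds = parse_basic(auth_header)
    return 200 if creds and credentials_valid(*creds) else 401
```

Running `setenvif_gate` and `decide` over the same crafted header shows the difference Bob points out: the SetEnvIf rule treats a header that merely mentions the realm as logged in, while the credential-checking module still answers 401.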