Posted to dev@httpd.apache.org by Axel Grossklaus <ag...@pre-secure.de> on 2004/02/13 18:28:34 UTC

interface of the 2.1 authentication framework / behaviour of mod_digest/mod_basic


moin,

i am currently working on mod_authn_dbi (part of the 2.1 Authentication
Project http://mod-auth.sourceforge.net/) which uses the new
authentication framework of apache 2.1, and was wondering if it
was still possible to suggest changes to its interface.

i would like the interface to allow modules to change the username
during the authentication process from the value that was passed by the
browser to some other value that will be used as authenticated user
further down the chain.

an example scenario: suppose you have users who purchased different
kinds of support contracts (e.g gold/silver/bronze) from you, and
get access to different kinds of files/info according to their level.
in such a scenario, you would still want each user to have a
separate user/pw tuple, but to the access-control logic it does
not matter what name the user has, just what level of support
should be granted. so the authentication module could take the user/pw
tuple, check it and then pass usernames like "gold", "silver", "bronze"
down to other modules or CGIs.
i know that some of this could be done with something like GroupFile,
but that would require generating groupfiles, and even if authz
had database support, would require a second database query.

another example: suppose you have a webserver that accepts connections
from different networks, and based on where the connections come from
you could modify the usernames like "joe" to "joe_internal",
"joe_external" (the same thing could e.g be done time-based).

third example: suppose you would like users to be able to log in with
their full name (including spaces), or email-address or something else
that contains characters that your underlying application does
not like. the authentication provider could change/reformat the username
into something that a CGI can better work with.

i could think of a few more examples but i think you get the idea.

i admit that most of this functionality could be achieved in other
ways. but this should be better for performance, a lot more flexible
and very handy if you need to work with some existing application or
userbase that you cannot really change. and the required
changes for this are very small, with virtually no
downside, compared to what the interface is now.

to integrate this, two things would have to be changed.

first, the two authentication functions of the new interface
(get_realm_hash and check_password)
would have to pass the username with an additional
level of indirection ("char *user" becomes "char **user").
second, some cleanups in mod_auth_digest would have to be done,
which brings me to the second part of this mail:

currently, mod_auth_basic and mod_auth_digest behave inconsistently
in some cases. for example, if i enter a wrong user/pw combination,
mod_auth_basic writes the following logline (i.e. without a username)

127.0.0.1 - - [13/Feb/2004:15:20:55 +0100] "GET /foo/index.html HTTP/1.1" 401 540

but mod_auth_digest logs the following line (i.e. with username):

127.0.0.1 - foo [13/Feb/2004:15:20:43 +0100] "GET /foo/index.html HTTP/1.1" 401 540


there are reasons for either behaviour, but in my opinion, the two
modules should log the same, especially since the new AAA framework
separates mechanism from providers.

another inconsistency would be that if the authentication provider
reports an internal error, mod_auth_basic produces an "internal server
error" whereas mod_auth_digest produces a "user not found" message, both
to the client and in the logs.

there are probably other edge cases where the two modules behave
inconsistently. ideally, if i change the parameter of AuthType,
other things should stay the same in every possible way.

so...would there be a chance that the authentication functions
get that small change (i.e. an extra *) in their parameters?
it still is a development version of apache after all.

if yes, i would be happy to write a patch (or patches) to make the
changes, adjust all existing modules in the apache sourcetree and
make the necessary cleanups in mod_auth_digest.

i just thought i'd ask if there is any chance in getting the patch
accepted, before i start coding :-)



tty, axel grossklaus



Re: interface of the 2.1 authentication framework / behaviour of mod_digest/mod_basic

Posted by Dirk-Willem van Gulik <di...@asemantics.com>.
On Feb 16, 2004, at 12:11 AM, André Malo wrote:

> * Axel Grossklaus <ag...@pre-secure.de> wrote:
>
>> moin,
>
> Moin Moin ;-)
>
>> i would like the interface to allow modules to change the username
>> during the authentication process from the value that was passed by the
>> browser to some other value that will be used as authenticated user
>> further down the chain.
>
> I'd guess there's a question of what you want to change when. In digest
> authentication the username is an integral part of the hashed data, so you
> cannot change it during the authentication stage.
>
Depending on exactly what you want to do (and to what extent you control
the order of the modules during deployment) other tricks include setting
fake headers (which your application picks up) or using per-request
private module space (or r->notes if you are lazy) to mark a request; and
then (assuming you are last) set r->user at different moments before
cgi/handler or control is handed over to the application. It is not
uncommon to 'spoof' r->user to note, say, the data from an auth certificate
or some ldap info you got through an rsa-securid login. But it is generally
BETTER to add an extra header or an extra env-var; and certainly cleaner.

Dw.

Re: interface of the 2.1 authentication framework / behaviour of mod_digest/mod_basic

Posted by Axel Grossklaus <ag...@pre-secure.de>.
André Malo wrote:

moin,

> I'd guess there's a question of what you want to change when. In digest
> authentication the username is an integral part of the hashed data, so you
> cannot change it during the authentication stage.
> 
> Does that change anything in your proposal?

not really. i know that digest is going to be a bit tricky, but
it should be possible to make the changes without breaking
digest authentication.

i had a rough look over the digest sources and the proposed additional
level of indirection, together with some minor modifications
to mod_digest, should suffice.

i have not made really detailed plans on what needs to be
changed how.

as i said, the main reason of the first mail was to find out
if

a) changes to the current interface for authentication
   modules would be considered at all.

b) the proposed extra functionality would be considered
   useful in the apache code.

just to prevent investing a lot of work and then
being told "yeah, nice patch. unfortunately we will
not accept any changes to the authentication interface".

of course, i do not expect a definite "yes" or "no" at this point.
a "changes are not completely out of the question and if
we like your implementation we will consider adding it" would be
enough...



tty, axel

Re: interface of the 2.1 authentication framework / behaviour of mod_digest/mod_basic

Posted by André Malo <nd...@perlig.de>.
* Axel Grossklaus <ag...@pre-secure.de> wrote:

> moin,

Moin Moin ;-)

> i would like the interface to allow modules to change the username
> during the authentication process from the value that was passed by the
> browser to some other value that will be used as authenticated user
> further down the chain.

I'd guess there's a question of what you want to change when. In digest
authentication the username is an integral part of the hashed data, so you
cannot change it during the authentication stage.

Does that change anything in your proposal?

nd
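
The two points above (Axel's proposed extra level of indirection on the
provider's username parameter, and André's objection that in Digest the
username is part of the hashed data) can be modelled side by side. The
following is an added example, not code from httpd or from the mod-auth
project: a hypothetical provider in the style of mod_authn_dbi whose
check_password/get_realm_hash return the effective user next to the status
(the Python stand-in for "char **user"), a Basic mechanism that adopts that
name, and a Digest mechanism that verifies an RFC 2617 qop=auth response.
The user database, realm, nonces and the gold/bronze mapping are constructed
for the example; the status names only mirror the authn_status values.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Status values modelled on the authn_status codes a 2.1 provider returns.
AUTH_GRANTED, AUTH_DENIED, AUTH_USER_NOT_FOUND, AUTH_GENERAL_ERROR = range(4)

# Constructed user database: login -> (password, support level).
USERS = {
    "alice": ("correct horse", "gold"),
    "bob": ("battery staple", "bronze"),
}
REALM = "support"  # assumed realm for the example


def md5_hex(s: str) -> str:
    """RFC 2617 Digest uses MD5 as its algorithm; this is not a password hash."""
    return hashlib.md5(s.encode()).hexdigest()


@dataclass
class Request:
    """Minimal stand-in for request_rec: only the fields the example touches."""
    method: str
    uri: str
    user: Optional[str] = None
    notes: dict = field(default_factory=dict)


class LevelMappingProvider:
    """Hypothetical provider: returns (status, effective_user[, ha1]) so that
    'alice' can be handed down the chain as 'gold'. With
    hash_with_effective_name=True it reproduces the mistake André warns about:
    computing HA1 over the rewritten name instead of the name the client used."""

    def __init__(self, hash_with_effective_name: bool = False):
        self.hash_with_effective_name = hash_with_effective_name

    def check_password(self, r, user, password):
        rec = USERS.get(user)
        if rec is None:
            return AUTH_USER_NOT_FOUND, user
        if not secrets.compare_digest(rec[0], password):
            return AUTH_DENIED, user
        return AUTH_GRANTED, rec[1]

    def get_realm_hash(self, r, user, realm):
        rec = USERS.get(user)
        if rec is None:
            return AUTH_USER_NOT_FOUND, user, None
        password, level = rec
        name_in_hash = level if self.hash_with_effective_name else user
        return AUTH_GRANTED, level, md5_hex(f"{name_in_hash}:{realm}:{password}")


def basic_authenticate(r, provider, user, password):
    """Basic: the provider sees the cleartext password, so the name can change."""
    status, effective = provider.check_password(r, user, password)
    if status == AUTH_GRANTED:
        r.user = effective
    return status


def client_digest(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """What the browser sends: constructed RFC 2617 qop=auth response."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return {"username": user, "realm": realm, "uri": uri, "nonce": nonce,
            "nc": nc, "cnonce": cnonce, "qop": qop, "response": response}


def digest_authenticate(r, provider, hdr):
    """Digest: HA1 is bound to the wire username, so the mapping may only be
    applied after the response has been verified (or kept out of r.user and
    carried in r.notes, as Dirk-Willem suggests)."""
    status, effective, ha1 = provider.get_realm_hash(r, hdr["username"], hdr["realm"])
    if status != AUTH_GRANTED:
        return status
    ha2 = md5_hex(f"{r.method}:{hdr['uri']}")
    expected = md5_hex(f"{ha1}:{hdr['nonce']}:{hdr['nc']}:{hdr['cnonce']}:{hdr['qop']}:{ha2}")
    if not secrets.compare_digest(expected, hdr["response"]):
        return AUTH_DENIED
    r.user = effective
    r.notes["wire_user"] = hdr["username"]
    return AUTH_GRANTED


def demo():
    """Runs the three cases and returns (status, r.user) for each."""
    nonce, cnonce, nc = "dcd98b7102dd2f0e", "0a4f113b", "00000001"  # constructed
    hdr = client_digest("alice", "correct horse", REALM, "GET", "/foo/index.html", nonce, nc, cnonce)
    out = {}
    r = Request("GET", "/foo/index.html")
    out["basic"] = (basic_authenticate(r, LevelMappingProvider(), "alice", "correct horse"), r.user)
    r = Request("GET", "/foo/index.html")
    out["digest_ok"] = (digest_authenticate(r, LevelMappingProvider(), hdr), r.user)
    r = Request("GET", "/foo/index.html")
    out["digest_rewritten_hash"] = (
        digest_authenticate(r, LevelMappingProvider(hash_with_effective_name=True), hdr), r.user)
    return out


if __name__ == "__main__":
    print(demo())
```

Running demo() shows Basic and a correctly ordered Digest both ending with
r.user == "gold", while the provider that hashes the rewritten name is
denied for a valid login, because the client computed HA1 over "alice".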

Re: interface of the 2.1 authentication framework / behaviour of mod_digest/mod_basic

Posted by Justin Erenkrantz <ju...@erenkrantz.com>.
--On Friday, February 20, 2004 8:09 PM +0000 Patrick Welche 
<pr...@newn.cam.ac.uk> wrote:

> Just an off-the-cuff remark: How does this tie in with say SASL
> (old page at: http://asg.web.cmu.edu/sasl/) ?
> (vision of mod_sasl, then plug in any old authentication method
> into that)

SASL is more generic than our auth framework (which could be good or bad!). 
However, the Cyrus SASL implementation apparently isn't thread-safe and 
doesn't mesh well with the pool memory model.  Greg Hudson tried to implement 
SASL for some code in Subversion (ra_svn) and gave up.  httpd-2.x would have 
the same issues as both use APR.

So, to use SASL, we'd need a ground-up thread-safe SASL library; that's not 
something I'm terribly interested in.  ;-)  -- justin

Re: interface of the 2.1 authentication framework / behaviour of mod_digest/mod_basic

Posted by Patrick Welche <pr...@newn.cam.ac.uk>.
On Fri, Feb 13, 2004 at 06:28:34PM +0100, Axel Grossklaus wrote:
> 
> i am currently working on mod_authn_dbi (part of the 2.1 Authentication
> Project http://mod-auth.sourceforge.net/) which uses the new
> authentication framework of apache 2.1. and was wondering if it
> was still possible to suggest changes to its interface.

Just an off-the-cuff remark: How does this tie in with say SASL
(old page at: http://asg.web.cmu.edu/sasl/) ?
(vision of mod_sasl, then plug in any old authentication method
into that)


Cheers,

Patrick

Re: interface of the 2.1 authentication framework / behaviour of mod_digest/mod_basic

Posted by Justin Erenkrantz <ju...@erenkrantz.com>.
--On Thursday, February 19, 2004 12:18 PM -0500 Geoffrey Young 
<ge...@modperlcookbook.org> wrote:

> yeah, that would certainly be a good idea. give the attached patches a
> whirl and see if they work for you.  feedback from justin or others that
> are familiar appreciated :)

Looks fine here.  ;-)  Thanks!  -- justin

Re: interface of the 2.1 authentication framework / behaviour of mod_digest/mod_basic

Posted by Axel Grossklaus <ag...@pre-secure.de>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Geoffrey Young wrote:

moin,

> yeah, that would certainly be a good idea. give the attached patches a whirl
> and see if they work for you.  feedback from justin or others that are
> familiar appreciated :)


thanks. that takes care of one half of my mail.

how about the other half, i.e. change of the auth-interface?

i would be really happy to get some feedback on that...

justin maybe?


tty, axel

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFAOxeLHAHtNfez9GYRAiGYAKCIqXuSBAzLhaH4PKrHRyzq5EgrRwCdEu+2
eHIeVkaUQsTCN7RTi52lL5w=
=HGhr
-----END PGP SIGNATURE-----

Re: interface of the 2.1 authentication framework / behaviour of mod_digest/mod_basic

Posted by Geoffrey Young <ge...@modperlcookbook.org>.
> currently, mod_auth_basic and mod_auth_digest behave inconsistently
> in some cases. for example, if i enter a wrong user/pw combination,
> mod_auth_basic writes the following logline (i.e. without a username)

...

> another inconsistency would be that if the authentication provider
> reports an internal error, mod_auth_basic produces an "internal server
> error" whereas mod_auth_digest produces a "user not found" message, both
> to the client and in the logs.
> 
> there are probably other edge cases where the two modules behave
> inconsistently. ideally, if i change the parameter of AuthType,
> other things should stay the same in every possible way.

yeah, that would certainly be a good idea. give the attached patches a whirl
and see if they work for you.  feedback from justin or others that are
familiar appreciated :)

--Geoff