skip past navigation links
pixel

Technologists (P6 die photo) about archives notes tidbits (RSS) music vidconf.net

Technologists.com
pixel
home > mod_auth++
Distance Multimedia: 4 score & more

pixel
pixel

Revision History - last updated January 16, 2007
pixel
mod_auth++ was developed for Apache 2.0. I have not updated mod_auth.c to reflect the changes in Apache 2.2. I do not plan to do so. CHS
pixel
mod_auth++
pixel
pixel "mod_auth++" started with my frustration with existing authorization mechanisms that are available with standard browsers (IE, et al) and web servers (Apache, IIS, et al). I wanted to be able to control access to web cams, photographs, and other "static" content on my web servers in ways that seemed impractical with the commonly used mechanisms. After investigating and thinking, I said permanent reference link "I think I have come up with a secure scheme for new authentication and access control mechanisms that will integrate nicely with existing web browsers and servers. It seems to fit nicely with the Apache web server. There seems to be a natural way to do equivalent things with Microsoft's IIS. This is a meaningful discovery if, as it seems, there is a way to provide improved authentication and access control mechanisms that fit well with existing code. It will be a victory for software architecture if this works without a huge coding effort." I think I have succeeded, at least with IE and Apache, and believe what I call "mod_auth++" will also work with other browsers and servers. This document will describe what I've done, how mod_auth++ might be used, and the limitations and problems I've recognized.
pixel
Current Environment
pixel
pixel There are three current approaches to web authorization and authentication that I consider meaningful:
  • "Basic Access Authentication" as defined in RFC 2617 and implemented in most serious browsers and servers.
  • Microsoft IE and IIS implement "Integrated Windows Authentication" (formerly called "NTLM", and also referred to as "Windows NT Challenge/Response authentication"). The pervasiveness of IE and IIS make this approach important even if it is only viable with IE and IIS.
  • Application(-server) specific implementations. These are typically specific to a particular application(-server) but likely support popular browsers in addition to IE and may be portable to different server environments.
Basic Access Authentication is widely deprecated as insecure (even in RFC 2617!) because, in non-encyrpted environments, it is trivial to capture the User ID and Password. However, if encryption (typically, TLS a.k.a. SSL) is used, then Basic Authentication can be secure.
pixel

pixel Except for encrypted Basic Authentication, there are no satisfactory approaches that seem to have any chance of becoming even de facto standards. For completeness, there are other approaches I should mention:
  • RFC 2617 defines "Digest Access Authentication", which is architecturally superior to Basic Authentication, and can be secure even without encryption. Unfortunately, Microsoft's implementations of Digest have traditionally been flawed. See Additional Internet Explorer/Apache Problems Surface by Timothy Dyck, for example. Private correspondence with reliable Microsoft sources suggests that these flaws will never be addressed.
  • Microsoft continues to add new approaches. See Web Site Authentication for a recent discussion. However, it seems unlikely that any of these Microsoft-specific approaches will be significantly adopted for use with other browsers and servers.
  • There are at least two additional Apache-specific approaches. I explored two of these before developing mod_auth++, so I will describe them in more detail in describing mod_auth++.
Additional Flexibility and Capabilities
pixel
pixel If you accept that encrypted Basic Authentication is secure, then the biggest problems with Basic are inflexibility and administrator overhead. Understandably, in the tradition of the corresponding operating systems mechanisms, Basic assumes that an administrator establishes a User ID and Password. Neither of these are easily managed by the individual being authorized. This is true both in the Apache and the IIS implementations. (Aside -- similar inflexibility is also present with Integrated Windows Authentication.)
pixel
pixel Based on my own experience implementing application-specific approaches for several applications, my observation of application-specific implementations at a wide variety of web sites, and my own desires, I've defined three new modes of Basic Authentication and implemented them in my own version of Apache's mod_auth.c module, the one that implements Basic authentication in Apache.
(Aside -- see https://technologists.com/mod_auth++/ for a directory listing of the files I cite here, https://technologists.com/mod_auth++/mod_auth.c.2.0.48 for the unmodified Apache 2.0.48 version of mod_auth.c, and https://technologists.com/mod_auth++/mod_auth.c for the mod_auth++ version of mod_auth.c. Though I have only applied the new modes to mod_auth.c, mod_auth_dbm.c would probably be a better vehicle for these modes.)
These are the modes defined in the mod_auth++ version of mod_auth.c. You can experiment with them by clicking on the links, but beware that you will want to close and re-open your browser, between trying the different modes. Note also, that the new modes require the User ID to at least resemble an e-mail address. Further, two of the modes (Confirm and Approve) are two step modes, in that they require that you confirm your e-mail address and password between steps. Matthew Gregg at the mod_auth_any project kindly pointed me at their approach to avoiding the problem of Logging out When Using .htaccess Authentication. I integrated this approach with mod_auth++ and was delighted! Unfortunately, an update to Internet Explorer breaks that approach -- with current IE it is necessary to exit the browser entirely and then reopen the browser to proceed. With other current browsers it should not be necessary for you to close/repen within two-step modes (Confirm and/or Approve).
  1. Traditional - traditional Basic Authentication. Use User ID "guest" and Password "guest" if you wish to test this mode.
  2. Ignore - ignore the Password
  3. Approve - you supply your own Password. However, the Password will not work further until an administrator grants access. (The administrator may, of course, refuse to grant access.) In this example directory, the first step is request.html and the second step is approve.html. An example "content" file that is accessible if and only if the two step process has worked and an administrator has approved access is approved.html.
  4. Confirm - you supply your own Password and it is accepted without administrator intervention. (The administrator may, of course, subsequently revoke access.) In this example directory, the first step is initial.html and the second step is confirm.html. An example "content" file that is accessible if and only if the two step process has worked and an administrator has not revoked access is confirmed.html.
Status, Background and Limitations
pixel
pixel First, I consider what I have done so far to be beta-level, both this document and the code. I intend to pursue both the code and the documentation further, but have no specific time-table for doing so. Second, I should admit that Traditional, Ignore, and Approve are the only modes I've used for production purposes, so far. Third, I should say more about how/why the modes are the way they are.
pixel
pixel Part of the original inspiration for mod_auth++ came from Apache's mod_auth_anon.c module, which implements "anonymous" authentication analogous to traditional anonymous FTP. However, the user model, since it is like traditional anonymous FTP, is wrong for the web -- there is no reason the user should have to type "anonymous" or any other ID, except for their e-mail address. Further, both for the user's sake and the underlying implementation, the e-mail address should go in the User ID field, not the Password field. mod_auth_anon.c claims that it will record the e-mail address in the error log, but this is untrue and unfixable, in my opinion. Besides, the e-mail address should go in the access log, just like any other User ID would in Basic Authentication.
pixel
pixel I looked at mod_auth_any, which is a generic authentication module for Apache. At the time, it looked like mod_auth_any was in hiatus. I see now that there have been some updates since I looked before, so I was apparently wrong. However, mod_auth_any seemed too comprehensive and complex for what I wanted at the time, and I didn't see any liklihood of an analogous module being created for IIS.
pixel
pixel I think the rationale behind Approve mode is fairly obvious. I've been using Ignore mode to protect some web cams and photographs. The only real protection Ignore mode has given these has been to keep them out of search engines. I don't even have SSL turned on for those items. I expect to turn on SSL and apply Approve mode to these items. The rationale for Confirm mode is less clear, but I expect I will find good use for it.
pixel
pixel The biggest limitations I'm conscious of are:
  • Making these things understandable to the inexperienced. Even Ignore mode has caused troubles for people I've wanted to have access, just because it wasn't obvious to them how to proceed.
  • Some of the things in the code are not traditional to Apache and may offend some. For Approve and Confirm modes to work, the code has to be able to write to the "Password" files. It uses flock() and tries to be careful, but I imagine it will offend some anyway.
Implementation Notes
pixel
pixel If you want to try mod_auth++ on your own server, please do. The only real Apache files I've changed are mod_auth.c and httpd.conf. There's nothing unusual in what I do in httpd.conf. If you have already built and installed 2.0.48, you should be able to
  • copy my mod_auth.c to the modules/aaa directory
  • make mod_auth.la
  • copy .libs/mod_auth.so to the real location, e.g., cp .libs/mod_auth.so /usr/lib/httpd/modules/mod_auth.so
  • restart httpd
I've put htaccess as a hard link to .htaccess in https://technologists.com/mod_auth++/ so that you can see the one new directive (AuthUserControl). Similarly, I've put hard links to the Password files in https://technologists.com/mod_auth++/ so that their contents would be visible.
pixel
pixel I should also point out that all of the Apache work I have done has been in Linux. I have not tried any other flavors of *nix and have not tried to pursue making this work in Apache for Windows. However, I have tried to think about this and believe it can be made to work in Apache for Windows. Similarly, I have not done anything to make any of this work in IIS, but believe it would be reasonable to do so.
pixel
Revision History
Apache 2.2 disclaimer - January 16, 2007
IE/documentation change - March 1, 2005
  • Add Javascript to detect IE and handle two-step modes to accomodate breakage of nph-logout.cgi with latest updates to IE.
Beta 1 - February 2, 2004
  • Corrections and enhancements to this page
  • maasuccess.html and macsuccess.html use a <meta> tag to redirect to the second step pages, approve.html and confirm.html, respectively. Without this redirection, the second step of the Approve and Confirm modes was not occurring.
  • There seemed to be a file pointer not being kept accurately in mod_auth.c, resulting in scrambled password files. I'm not certain about this. It may be that there is no problem or it may be that I don't have adequate test cases yet and there is still a problem.
Beta 0 - October 31, 2003
  • Added mod_auth_any approach to avoid need to close/reopen browser for two step modes (Approve and Confirm).
  • Miscellaneous small fixes and enhancements
Alpha - October 20, 2003
  • Initial public version.

pixel

pixel
pixel


Back to Top

Copyright © 1995-2016 Charles H. Sauer. All rights reserved.

pixel