| Revision History - last updated January 16, 2007
mod_auth++ was developed for Apache 2.0. I have not updated mod_auth.c to reflect the changes in Apache 2.2. I do not plan to do so. CHS
mod_auth++
"mod_auth++" started with my frustration with existing
authorization mechanisms that are available with standard browsers (IE,
et al) and web servers (Apache, IIS, et al).
I wanted to be able to control access to web cams, photographs,
and other "static" content on my web servers in ways that seemed
impractical with the commonly used mechanisms.
After investigating and thinking, I said
"I think I have come up with a secure scheme for new authentication
and access control mechanisms that will integrate nicely with existing
web browsers and servers.
It seems to fit nicely with the Apache web server.
There seems to be a natural way to do equivalent things with
Microsoft's IIS.
This is a meaningful discovery if, as it seems, there is a way
to provide improved authentication and access control mechanisms that
fit well with existing code.
It will be a victory for software architecture if this works without a
huge coding effort."
I think I have succeeded, at least with IE and Apache, and believe
what I call "mod_auth++" will also work with other browsers and
servers. This document will describe what I've done, how mod_auth++
might be used, and the limitations and problems I've recognized.
Current Environment
There are three current approaches to web authorization and authentication
that I consider meaningful:
- "Basic Access Authentication" as defined in
RFC 2617
and implemented in most serious browsers and servers.
- Microsoft IE and IIS implement
"Integrated Windows Authentication"
(formerly called "NTLM", and also referred to as
"Windows NT Challenge/Response authentication").
The pervasiveness of IE and IIS make this approach important even if it is
only viable with IE and IIS.
- Application(-server) specific implementations. These are typically
specific to a particular application(-server) but likely support popular
browsers in addition to IE and may be portable to different server
environments.
Basic Access Authentication is widely deprecated as insecure (even in
RFC 2617!) because, in non-encyrpted environments, it is
trivial to capture the User ID and Password. However, if encryption
(typically, TLS a.k.a. SSL) is used, then Basic Authentication
can be secure.
Except for encrypted Basic Authentication, there are no
satisfactory approaches that seem to have any chance of becoming even
de facto standards.
For completeness, there are other approaches I should mention:
- RFC 2617 defines "Digest Access Authentication",
which is architecturally superior to Basic Authentication, and
can be secure even without encryption.
Unfortunately, Microsoft's implementations of Digest have
traditionally been flawed. See Additional
Internet Explorer/Apache Problems Surface by Timothy Dyck,
for example. Private correspondence with reliable Microsoft sources
suggests that these flaws will never be addressed.
- Microsoft continues to add new approaches. See Web
Site Authentication for a recent discussion. However, it
seems unlikely that any of these Microsoft-specific approaches will
be significantly adopted for use with other browsers and servers.
- There are at least two additional Apache-specific approaches.
I explored two of these before developing mod_auth++, so I will
describe them in more detail in describing mod_auth++.
Additional Flexibility and
Capabilities
If you accept that encrypted Basic Authentication is secure, then the
biggest problems with Basic are inflexibility and administrator overhead.
Understandably, in the tradition of the corresponding operating systems
mechanisms, Basic assumes that an administrator establishes a User ID
and Password. Neither of these are easily managed by the individual being
authorized. This is true both in the Apache and the IIS implementations.
(Aside -- similar inflexibility is also present with Integrated Windows
Authentication.)
Based on my own experience implementing application-specific approaches for
several applications, my observation of application-specific
implementations at a wide variety of web sites, and my own desires,
I've defined three new modes of Basic Authentication and implemented
them in my own version of Apache's mod_auth.c module, the one that
implements Basic authentication in Apache.
(Aside -- see
https://technologists.com/mod_auth++/ for a
directory listing of the files I cite here,
https://technologists.com/mod_auth++/mod_auth.c.2.0.48 for the unmodified Apache 2.0.48 version of
mod_auth.c, and
https://technologists.com/mod_auth++/mod_auth.c for the mod_auth++ version of mod_auth.c.
Though I have only applied the new modes to mod_auth.c, mod_auth_dbm.c
would probably be a better vehicle for these modes.)
These are the modes defined in the mod_auth++ version of mod_auth.c.
You can experiment with them by clicking on the links, but beware
that you will want to close and re-open your browser, between trying
the different modes.
Note also, that the new modes require the User ID to at least resemble
an e-mail address.
Further, two of the modes (Confirm and Approve) are two step
modes, in that they require that you
confirm your e-mail address and password between steps.
Matthew Gregg at the mod_auth_any
project kindly pointed me at their approach to avoiding the problem of Logging out When Using
.htaccess Authentication.
I integrated this approach with mod_auth++ and was delighted!
Unfortunately, an update to Internet Explorer breaks that approach --
with current IE it is necessary to exit the browser entirely and then
reopen the browser to proceed.
With other current browsers it should not be necessary for you to
close/repen within two-step modes (Confirm and/or Approve).
- Traditional -
traditional Basic Authentication. Use User ID "guest" and
Password "guest" if you wish to test this mode.
- Ignore - ignore the
Password
- Approve - you supply your own Password. However, the Password
will not work further until an administrator grants access.
(The administrator may, of course, refuse to grant access.)
In this example directory, the first step is
request.html and the
second step is approve.html.
An example "content" file that is accessible if and only if
the two step process has worked and an administrator has approved
access is approved.html.
- Confirm - you supply your own Password and it is accepted without
administrator intervention.
(The administrator may, of course, subsequently revoke access.)
In this example directory, the first step is
initial.html and the
second step is confirm.html.
An example "content" file that is accessible if and only if
the two step process has worked and an administrator has not revoked
access is confirmed.html.
Status, Background and Limitations
First, I consider what I have done so far to be beta-level, both
this document and the code. I intend to pursue both the code and the
documentation further, but have no specific time-table for doing so.
Second, I should admit that Traditional, Ignore, and Approve
are the only modes I've used for production purposes, so far.
Third, I should say more about how/why the modes are the way they are.
Part of the original inspiration for mod_auth++ came from Apache's
mod_auth_anon.c module, which implements "anonymous"
authentication analogous to traditional anonymous FTP. However, the
user model, since it is like traditional anonymous FTP, is wrong for
the web -- there is no reason the user should have to type
"anonymous" or any other ID, except for their e-mail address.
Further, both for
the user's sake and the underlying implementation, the e-mail
address should go in the User ID field, not the Password field.
mod_auth_anon.c claims that it will record the e-mail address in the error
log, but this is untrue and unfixable, in my opinion.
Besides, the e-mail address should go in the access log, just
like any other User ID would in Basic Authentication.
I looked at mod_auth_any,
which is a generic authentication module for Apache. At the time, it
looked like mod_auth_any was in hiatus. I see now that there have been
some updates since I looked before, so I was apparently wrong.
However, mod_auth_any seemed too comprehensive and complex for what
I wanted at the time, and I didn't see any liklihood of an
analogous module being created for IIS.
I think the rationale behind Approve mode is fairly obvious. I've
been using Ignore mode to protect some web cams and photographs.
The only real protection Ignore mode has given these has been to keep them
out of search engines. I don't even have SSL turned on for those items.
I expect to turn on SSL and apply Approve mode to these items.
The rationale for Confirm mode is less clear, but I expect I will find
good use for it.
The biggest limitations I'm conscious of are:
- Making these things understandable to the inexperienced. Even Ignore
mode has caused troubles for people I've wanted to have access,
just because it wasn't obvious to them how to proceed.
- Some of the things in the code are not traditional to Apache and may
offend some. For Approve and Confirm modes to work, the code has
to be able to write to the
"Password" files. It uses flock() and tries to be careful,
but I imagine it will offend some anyway.
Implementation Notes
If you want to try mod_auth++ on your own server, please do.
The only real Apache files I've changed are mod_auth.c and
httpd.conf.
There's nothing unusual in what I do in httpd.conf.
If you have already built and installed 2.0.48, you should be able to
- copy my mod_auth.c to the modules/aaa directory
- make mod_auth.la
- copy .libs/mod_auth.so to the real location, e.g.,
cp .libs/mod_auth.so /usr/lib/httpd/modules/mod_auth.so
- restart httpd
I've put htaccess as a hard link to .htaccess in
https://technologists.com/mod_auth++/
so that you can see the one new directive (AuthUserControl).
Similarly, I've put hard links to the Password files in
https://technologists.com/mod_auth++/
so that their contents would be visible.
I should also point out that all of the Apache work I have done has been
in Linux. I have not tried any other flavors of *nix and have not tried to
pursue making this work in Apache for Windows. However, I have tried to
think about this and believe it can be made to work in Apache for Windows.
Similarly, I have not done anything to make any of this work in
IIS, but believe it would be reasonable to do so.
Revision History
- Apache 2.2 disclaimer - January 16, 2007
- IE/documentation change - March 1, 2005
- Add Javascript to detect IE and handle two-step modes to accomodate
breakage of nph-logout.cgi with latest updates to IE.
- Beta 1 - February 2, 2004
- Corrections and enhancements to this page
- maasuccess.html and macsuccess.html use a <meta> tag to
redirect to the second step pages, approve.html and
confirm.html, respectively.
Without this redirection, the second step of the Approve and
Confirm modes was not occurring.
- There seemed to be a file pointer not being kept accurately in
mod_auth.c, resulting in scrambled password files. I'm
not certain about this. It may be that there is no problem or
it may be that I don't have adequate test cases yet and
there is still a problem.
- Beta 0 - October 31, 2003
- Added mod_auth_any approach to avoid need to close/reopen
browser for two step modes (Approve and Confirm).
- Miscellaneous small fixes and enhancements
- Alpha - October 20, 2003
|
[koko] tales of sensory power in today’s worldNovember 26, 2024
USA choice: self-obsession or beacon of hope?November 4, 2024
always a technician – thanks to Mom & Uncle ClintJuly 8, 2024
[koko] rarely one to avoid controversy…May 28, 2024
[koko] knowing and accepting limitationsFebruary 6, 2024
[koko] keeping warmAugust 7, 2023
[koko] still learningJune 18, 2023
Roe is gone, one more roundJune 28, 2022
“just as good as Caruso” – props for Kim Wilson & Charlie McCoyMay 5, 2022
Mel West, engaging people to help people in NicaraguaApril 25, 2022
Glimpses from the Vulcan, 1969-70February 14, 2022
[koko] MISP 2022Janary 10, 2022
Why I continue to serve — I remember NicaraguaDecember 13, 2021
Making private 1960s and 70s recordings publicAugust 21, 2021
Jimmie Vaughan set w/ Storm track I recordedAugust 4, 2021
Celebrate Ramblin' Jack Elliott's 90th 91st 92nd 93rd birthday!August 1, 2024
[koko] LP digitizing milestone approachingMay 18, 2021
remembering Denny FreemanApril 28, 2021
[koko] Dell Unix sustainable!January 19, 2021
Computer Systems Performance ModelingAugust 25, 2020
Remembering RESQAugust 25, 2020
[koko] (welcome to …) eight Jurassic O.S. on 1992 Dell 486D/50September 26, 2019
[koko] reviving timbl's WorldWideWeb browserJuly 1, 2019
[koko] exploring NEXTSTEP 486July 1, 2019
1992 JAWS demo for Stewart CheifetMay 17, 2019
Let's start at the very beginning... 801, ROMP, RT/PC, AIX versionsMarch 8, 2017
NeXT, give Steve a little credit for the WebOctober 8, 2011
Mainstream Videoconferencing available againFebruary 14, 2008
A brief history of Dell UNIXJanuary 10, 2008
|