manuelkasper / mod_auth_pubtkt Goto Github PK

Hi,

According to the current version of the session ticket format specification, nothing is told on how the field udata should be handled if the user-supplied value contains a semicolon.

In my humble opinion, making ';' a forbidden character and specifying that the ticket generation MUST fail if the format condition is violated is the best compromise for backward compatibility.

The alternative would be to transparently escape the string in a format which needs to be determined (urlencode?), and specify how the ticket generator should behave when the escaped string exceeds 255 characters.

Kind regards,

If apache server is deployed behind a load balancer that provides TLS termination mod_auth_pubtkt is unable to correctly create redirect url (the one appended to the GET request) .

The request flow looks like this:

https request to LB with TLS termination ----> http request to Apache server with mod_auth_pubtkt

This PR fixes the problem: #34

In function pubtkt_decrypt_bauth(), the following line trims the password at the first colon it will meet:

The special case in which a password may contain one (or more) colon characters is covered in RFC7617 section 2:

[...] a user-id containing a colon character is invalid, as the first colon in a user-pass string separates user-id and password from one another; text after the first colon is part of the password.

Thus, user:a:password is decoded as a:password, not a.

One way to solve this issue is to apply the following instead:

$decrypted = trim($decrypted);
$pass = substr( $decrypted, strpos( $decrypted, ':')+1);

The code above will trim the decrypted string, locate the first colon, then return the substring after that colon.

They apparently added an additional parameter to the ap_unescape_url_keep2f function. According to a thread on the apache-dev mailing list from 2011 it looks like there just needs to be a ",1" added to the calls to preserve functionality.

Not sure how to go about fixing this other than adding some kind of horrible preprocessor conditional.

Hello there,
You might interested to know that a golang implementation of this apache module (which is not anymore in this implementation) exists, it can be found here: https://github.com/orange-cloudfoundry/go-auth-pubtkt

There is also support ticket encryption in the header or the cookie, Co-workers fork your version with this concept, I'm trying to make them create a pull request to integrate this here.

Hi,

We can't easily install a TKTAuthPassthruBasicKey with bytes containing non-printable/extended ASCII characters in the apache configuration. This reduces the effective key space from 128 bits to at most 104 bits (optimistic estimation).

I think such an improvement could be performed using something similar to the following code block, the difficulty being we don't have built-in/standard is_hex() and hex2bin() primitives in C:

static const char *setup_passthru_basic_key(cmd_parms *cmd, void *cfg, const char *param) {

	if (strlen(param) == PASSTHRU_AUTH_KEY_SIZE*2) {
		if( is_hex(param) ) {
			conf->passthru_basic_key = new char[PASSTHRU_AUTH_KEY_SIZE];
			memcpy( hex2bin(param, PASSTHRU_AUTH_KEY_SIZE*2), conf->passthru_basic_key, PASSTHRU_AUTH_KEY_SIZE);
			return NULL
		}
		return apr_psprintf(cmd->pool, "wrong format of passthru basic auth key");
	}

	if (strlen(param) != PASSTHRU_AUTH_KEY_SIZE)
		return apr_psprintf(cmd->pool, "wrong length of passthru basic auth key");

	conf->passthru_basic_key = param;
	
	return NULL;
}

In the PHP module, we can currently circumvent the issue using the \xHH escape sequence, but native support can be implemented since we already have hex2bin() beginning with PHP 5.4.0, and ctype_xdigit() since 4.0.4.

Kind regards

I'm not by any means knowledgeable in cryptography. But SHA1 seems to be considered deprecated for several uses. (DSA even more so). Would it make sense to add support for SHA256 and default to it?

Hello,

After some trails and (many) errors, I finally got mod_auth_pubtkt to work with Apache's mod_rewrite proxy.
The key is to copy the REMOTE_USER environment variable (set by mod_auth_pubtkt) into an HTTP header that will be transmitted through the proxy.

Hope this will help someone..

<VirtualHost *:80>
        ServerName myserver.cshl.edu

        TKTAuthPublicKey /path/to/public/key.pem

        DocumentRoot /var/www/html
        <Location />
                Order Allow,Deny
                Allow from all

                AuthType mod_auth_pubtkt
                TKTAuthLoginURL https://login.server.cshl.edu/
                TKTAuthTimeoutURL https://login.server.cshl.edu/?timeout=1
                TKTAuthUnauthURL https://login.server.cshl.edu/?unauth=1

                # alternatively:
                #       require valid-user
                require user [email protected]

                # Add the HTTP header "REMOTE_USER", based on "mod_auth_pubtkt"
                # REMOTE_USER environment variable.
                # (will be transmitted to be RewriteRule Proxy below.)
                RequestHeader set REMOTE_USER %{REMOTE_USER}e

        </Location>

        RewriteEngine on
        RewriteRule ^(.*) http://localhost:8080$1 [P]
</VirtualHost>

Without the RequestHeader, the proxy will not get the authenticated username, even though it did authenticate successfully through mod_auth_pubtkt .

-gordon

the command line generated to compile is:

/usr/share/apr/build/libtool --silent --mode=compile x86_64-pc-linux-gnu-gcc -prefer-pic -march=core2 -msse4 -mcx16 -mpopcnt -msahf -O2 -pipe -fomit-frame-pointer -DLINUX -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/apache2 -I/usr/include/apr-1 -l/usr/include/apr-1 -I/usr/include/db5.3 -g -O2 -I/usr/include/apache2 -DAPACHE24 -std=c99 -fms-extensions -c -o mod_auth_pubtkt.lo mod_auth_pubtkt.c && touch mod_auth_pubtkt.slo

I have to add #include "../config.h" to mod_auth_pubtkt.c in order to compile

I am using VirtualDocumentRoots in my Apache setup: http://httpd.apache.org/docs/2.2/vhosts/mass.html

Is it possible to create a unique TKTAuthToken for each Virtual Host?

For example:

foo.example.com -> /home/sites/foo - accessible by users with "foo" token
bar.example.com -> /home/sites/bar - accessible by users with "bar" token

Here is my conf:

<VirtualHost *:80>
    ServerAlias *.example.com
    VirtualDocumentRoot "/home/sites/%1/
    TKTAuthPublicKey /home/private/tkt_pubkey_dsa.pem
</VirtualHost>

<Directory "/home/sites/*">
   Order allow,deny
   AuthType mod_auth_pubtkt
   TKTAuthLoginURL http://login.example.com/
   TKTAuthTimeoutURL https://login.example.com/?timeout=1
   TKTAuthUnauthURL https://login.example.com/?unauth=1

   TKTAuthToken "?" - Unique for each site

   require valid-users
</Directory>

Hi,

We should consider adding support for elliptic curves to sign and verify session tickets to the Apache module.

For the record, I'm currently working on the upgrade of the PHP login portal utility, since it isn't compatible with PHP 7.3+ (because of the disappearance of mcrypt. I've used openssl's builtins to make a replacement), and the code I've done is already compatible with EC keys.

Kind regards,

The pubtkt_generate function sometimes results in an invalid signature (tested on php 7.2.7 on docker).

The cause for this is this line:

$sig = fread($pipes[1], 8192);

That should be replace with:

$sig = '';
while (!feof($pipes[1]))
  $sig = .= fread($pipes[1], 8192);

This has probably something to do with warning nr. 3 in the php manual for fread (http://php.net/manual/en/function.fread.php).