manuelkasper / mod_auth_pubtkt
A pragmatic Web Single Sign-On (SSO) solution
Home Page: https://neon1.net/mod_auth_pubtkt/
License: Other
Hi,
According to the current version of the session ticket format specification, nothing is said about how the field udata should be handled if the user-supplied value contains a semicolon.
In my humble opinion, making ';' a forbidden character and specifying that the ticket generation MUST fail if the format condition is violated is the best compromise for backward compatibility.
The alternative would be to transparently escape the string in a format which needs to be determined (urlencode?), and specify how the ticket generator should behave when the escaped string exceeds 255 characters.
Kind regards,
If the Apache server is deployed behind a load balancer that provides TLS termination, mod_auth_pubtkt is unable to correctly create the redirect URL (the one appended to the GET request).
The request flow looks like this:
https request to LB with TLS termination ----> http request to Apache server with mod_auth_pubtkt
This PR fixes the problem: #34
In function pubtkt_decrypt_bauth(), the following line trims the password at the first colon it meets:
mod_auth_pubtkt/php-login/pubtkt.inc, line 267 in b305dff
The special case in which a password may contain one (or more) colon characters is covered in RFC7617 section 2:
[...] a user-id containing a colon character is invalid, as the first colon in a user-pass string separates user-id and password from one another; text after the first colon is part of the password.
Thus, user:a:password is decoded as a:password, not a.
One way to solve this issue is to apply the following instead:
// strip surrounding whitespace from the decrypted "user:password" string
$decrypted = trim($decrypted);
// everything after the FIRST colon is the password (RFC 7617 section 2),
// so a password that itself contains colons is kept intact
$pass = substr($decrypted, strpos($decrypted, ':') + 1);
The code above will trim the decrypted string, locate the first colon, then return the substring after that colon.
They apparently added an additional parameter to the ap_unescape_url_keep2f function. According to a thread on the apache-dev mailing list from 2011, it looks like there just needs to be a ",1" added to the calls to preserve functionality.
Not sure how to go about fixing this other than adding some kind of horrible preprocessor conditional.
Hello there,
You might be interested to know that a Go implementation of this Apache module (which is not part of this implementation anymore) exists; it can be found here: https://github.com/orange-cloudfoundry/go-auth-pubtkt
It also supports ticket encryption in the header or the cookie. Co-workers forked your version with this concept; I'm trying to get them to create a pull request to integrate this here.
Hi,
We can't easily install a TKTAuthPassthruBasicKey with bytes containing non-printable/extended ASCII characters in the apache configuration. This reduces the effective key space from 128 bits to at most 104 bits (optimistic estimation).
I think such an improvement could be performed using something similar to the following code block, the difficulty being that we don't have built-in/standard is_hex() and hex2bin() primitives in C:
static const char *setup_passthru_basic_key(cmd_parms *cmd, void *cfg, const char *param) {
    /* conf is the module's per-directory config obtained from cfg (its type is omitted here, as in the original) */
    if (strlen(param) == PASSTHRU_AUTH_KEY_SIZE*2) {
        /* twice the key size: interpret the parameter as hex and decode it to raw bytes
         * (is_hex() and hex2bin() still have to be written, see the note above) */
        if (is_hex(param)) {
            /* allocate from the config pool; C has no new[] */
            conf->passthru_basic_key = apr_palloc(cmd->pool, PASSTHRU_AUTH_KEY_SIZE);
            /* memcpy takes (dest, src, n): copy the decoded bytes INTO the key buffer */
            memcpy(conf->passthru_basic_key, hex2bin(param, PASSTHRU_AUTH_KEY_SIZE*2), PASSTHRU_AUTH_KEY_SIZE);
            return NULL;
        }
        return apr_psprintf(cmd->pool, "wrong format of passthru basic auth key");
    }
    /* otherwise keep the current behaviour: exactly PASSTHRU_AUTH_KEY_SIZE literal characters */
    if (strlen(param) != PASSTHRU_AUTH_KEY_SIZE)
        return apr_psprintf(cmd->pool, "wrong length of passthru basic auth key");
    conf->passthru_basic_key = param;
    return NULL;
}
In the PHP module, we can currently circumvent the issue using the \xHH escape sequence, but native support can be implemented since we already have hex2bin() beginning with PHP 5.4.0, and ctype_xdigit() since 4.0.4.
Kind regards
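As an added, stand-alone example (not code from the mod_auth_pubtkt project or from this issue), here are the is_hex()/hex2bin() helpers the post says C lacks, wired into the same accept-hex-or-literal rule as the proposed setup_passthru_basic_key(). PASSTHRU_AUTH_KEY_SIZE = 16 is assumed from the 128-bit figure above, and the Apache cmd_parms/config plumbing is replaced by an int status so it compiles without httpd headers.

```c
#include <ctype.h>
#include <string.h>

/* Assumed from the issue's "128 bits" figure, not taken from the module. */
#define PASSTHRU_AUTH_KEY_SIZE 16

enum key_status { KEY_OK = 0, KEY_BAD_FORMAT = 1, KEY_BAD_LENGTH = 2 };

/* 1 if s is non-empty and every character is a hex digit, else 0. */
static int is_hex(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s; s++)
        if (!isxdigit((unsigned char)*s))
            return 0;
    return 1;
}

/* Value of one hex digit; the caller has already checked isxdigit(). */
static unsigned char nibble(char c)
{
    unsigned char u = (unsigned char)c;
    return (unsigned char)(isdigit(u) ? u - '0' : tolower(u) - 'a' + 10);
}

/* Decode exactly 2*outlen hex chars into out: 0 on success, -1 on bad length or non-hex input. */
static int hex2bin(const char *hex, unsigned char *out, size_t outlen)
{
    if (strlen(hex) != outlen * 2 || !is_hex(hex))
        return -1;
    for (size_t i = 0; i < outlen; i++)
        out[i] = (unsigned char)((nibble(hex[2 * i]) << 4) | nibble(hex[2 * i + 1]));
    return 0;
}

/* Same acceptance rule as the proposed setup_passthru_basic_key(), minus the Apache
 * cmd_parms plumbing: 2*KEY_SIZE chars must be hex and are decoded to raw bytes
 * (the full 128-bit key space); exactly KEY_SIZE chars are used literally. */
static int parse_passthru_key(const char *param, unsigned char key[PASSTHRU_AUTH_KEY_SIZE])
{
    size_t len = strlen(param);
    if (len == PASSTHRU_AUTH_KEY_SIZE * 2)
        return hex2bin(param, key, PASSTHRU_AUTH_KEY_SIZE) == 0 ? KEY_OK : KEY_BAD_FORMAT;
    if (len != PASSTHRU_AUTH_KEY_SIZE)
        return KEY_BAD_LENGTH;
    memcpy(key, param, PASSTHRU_AUTH_KEY_SIZE);
    return KEY_OK;
}
```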
I'm not by any means knowledgeable in cryptography. But SHA1 seems to be considered deprecated for several uses. (DSA even more so). Would it make sense to add support for SHA256 and default to it?
Hello,
After some trials and (many) errors, I finally got mod_auth_pubtkt to work with Apache's mod_rewrite proxy.
The key is to copy the REMOTE_USER environment variable (set by mod_auth_pubtkt) into an HTTP header that will be transmitted through the proxy.
Hope this will help someone.
<VirtualHost *:80>
    ServerName myserver.cshl.edu
    TKTAuthPublicKey /path/to/public/key.pem
    DocumentRoot /var/www/html
    <Location />
        Order Allow,Deny
        Allow from all
        AuthType mod_auth_pubtkt
        TKTAuthLoginURL https://login.server.cshl.edu/
        TKTAuthTimeoutURL https://login.server.cshl.edu/?timeout=1
        TKTAuthUnauthURL https://login.server.cshl.edu/?unauth=1
        # alternatively:
        # require valid-user
        require user [email protected]
        # Add the HTTP header "REMOTE_USER", based on the "mod_auth_pubtkt"
        # REMOTE_USER environment variable.
        # (will be transmitted to the RewriteRule proxy below.)
        RequestHeader set REMOTE_USER %{REMOTE_USER}e
    </Location>
    RewriteEngine on
    RewriteRule ^(.*) http://localhost:8080$1 [P]
</VirtualHost>
Without the RequestHeader, the proxy will not get the authenticated username, even though it did authenticate successfully through mod_auth_pubtkt.
-gordon
The command line generated to compile is:
/usr/share/apr/build/libtool --silent --mode=compile x86_64-pc-linux-gnu-gcc -prefer-pic -march=core2 -msse4 -mcx16 -mpopcnt -msahf -O2 -pipe -fomit-frame-pointer -DLINUX -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/apache2 -I/usr/include/apr-1 -l/usr/include/apr-1 -I/usr/include/db5.3 -g -O2 -I/usr/include/apache2 -DAPACHE24 -std=c99 -fms-extensions -c -o mod_auth_pubtkt.lo mod_auth_pubtkt.c && touch mod_auth_pubtkt.slo
I have to add #include "../config.h" to mod_auth_pubtkt.c in order to compile.
I am using VirtualDocumentRoots in my Apache setup: http://httpd.apache.org/docs/2.2/vhosts/mass.html
Is it possible to create a unique TKTAuthToken for each Virtual Host?
For example:
foo.example.com -> /home/sites/foo - accessible by users with "foo" token
bar.example.com -> /home/sites/bar - accessible by users with "bar" token
Here is my conf:
<VirtualHost *:80>
    ServerAlias *.example.com
    # closing quote was missing in the original
    VirtualDocumentRoot "/home/sites/%1/"
    TKTAuthPublicKey /home/private/tkt_pubkey_dsa.pem
</VirtualHost>
<Directory "/home/sites/*">
    Order allow,deny
    AuthType mod_auth_pubtkt
    TKTAuthLoginURL http://login.example.com/
    TKTAuthTimeoutURL https://login.example.com/?timeout=1
    TKTAuthUnauthURL https://login.example.com/?unauth=1
    # "?" should be unique for each site
    TKTAuthToken "?"
    # the directive is spelled valid-user (singular)
    require valid-user
</Directory>
Hi,
We should consider adding support for elliptic curves to sign and verify session tickets to the Apache module.
For the record, I'm currently working on the upgrade of the PHP login portal utility, since it isn't compatible with PHP 7.3+ (because of the removal of mcrypt; I've used OpenSSL's built-ins to make a replacement), and the code I've done is already compatible with EC keys.
Kind regards,
The pubtkt_generate function sometimes results in an invalid signature (tested on php 7.2.7 on docker).
The cause for this is this line:
$sig = fread($pipes[1], 8192);
That should be replaced with:
$sig = '';
// keep reading until the child process closes its stdout: a single fread() may
// return fewer bytes than requested (see warning 3 in the fread() manual), which
// yields a truncated, and therefore invalid, signature
while (!feof($pipes[1])) {
    $sig .= fread($pipes[1], 8192);
}
This has probably something to do with warning nr. 3 in the php manual for fread (http://php.net/manual/en/function.fread.php).