mod-auth-external - Project Hosting on Google Code

Code license:	Apache License 2.0
Labels:	Linux, Unix, Apache, Password, Authentication, Web, Module, External

Show all Featured downloads:
mod_auth_external-2.1.19.tar.gz mod_auth_external-2.2.11.tar.gz mod_authnz_external-3.2.5.tar.gz mod_authz_unixgroup-1.0.2.tar.gz

Feeds:	Project feeds
Groups:	mailing list

People details

Project owners:
	j...@unixpapa.com

mod_authnz_external and mod_auth_external

Current Maintainer: Jan Wolter (E-Mail)
Previous Maintainer: Tyler Allison (allison@nas.nasa.gov)
Original Author: Nathan Neulinger (nneul@umr.edu)

Mod_authnz_external and mod_auth_external are flexible tools for building custom basic authentication systems for the Apache HTTP Daemon. "Basic Authentication" is a type of authentication built into the HTTP protocol, in which the browser automatically pops up a login box when the user requests a protected resource, and the login ids and passwords entered are checked by Apache. Mod_auth*_external allows the password checking normally done inside Apache to be done by an separate external program running outside of Apache. This is useful in either of two situations:

Rapid, Safe Deployment of Custom Authentication Systems. Standard authentication modules with names like mod_auth_file and mod_auth_ldap exist for most common forms of password database, but occasionally you will need to authenticate out of some database for which no appropriate module exists. Writing custom authentication modules is difficult, requiring a lot of knowledge of the internals of Apache, and bugs in such modules can crash Apache. But with mod_auth*_external the custom code can be in a separate program, possibly even a Perl or PHP script. The interface is very simple, and bugs in the authenticator program can not possibly crash Apache.

Authentication out of Secure Databases. It is often undesirable for a password database to be readable by Apache. If it is readable by Apache, then it is possible that bugs in Apache or in any CGI program run by Apache could allow hackers to access the password database. With mod_auth*_external the external authenticator can be configured as a setuid program, so that it runs as a different user than Apache, and so can access databases that are not accessible to Apache. Since only the small, simple authenticator program has the privileges to access the database, instead of all of Apache, this is vastly easier to make secure.

One of the most common secure databases that people want to authenticate out of is the Unix system password database. The open source pwauth program is a mod_auth*_external compatible authenticator that can do this. It can also authenticate from any PAM authentication source.

The obvious disadvantage of using mod_auth*_external is that each authentication requires that the authentication program be loaded and launched. This causes some extra computational overhead. Some hooks have been inserted into mod_auth*_external to make it easy to replace the call to an external authenticators with a call to a hardcoded internal authentication subroutine that you write. This is sort of a half-way measure to just writing your own Apache module from scratch, allowing you to easily borrow some of the logic from mod_auth*_external, but you clearly lose the advantages of external authentication listed above.

Mod_auth*_external can also be used to run external programs to make access control checks. Access control means checking if a user is in a group allowed to access a particular resource. It occurs after a user has been authenticated, by mod_auth*_external or by another module.

The 3.1.x and 3.2.x versions of mod_authnz_external are designed for Apache 2.2. The addition of nz to the module name reflects the fact that the module has been redesigned to fit into the new authentication architecture introduced by Apache, in which top level authentication modules named mod_auth_basic and mod_auth_digest call lower level modules with names like mod_authn_file and mod_authn_dbm.