diff -Nru libapache2-mod-authnz-external-3.2.4/AUTHENTICATORS libapache2-mod-authnz-external-3.3.1/AUTHENTICATORS --- libapache2-mod-authnz-external-3.2.4/AUTHENTICATORS 2009-05-21 02:24:25.000000000 +0000 +++ libapache2-mod-authnz-external-3.3.1/AUTHENTICATORS 2011-10-05 14:47:33.000000000 +0000 @@ -1,6 +1,6 @@ How To Implementation External Authentication Programs for mod_authnz_external or mod_auth_external - Version 3.2.0 + Version 3.3.x LANGUAGES diff -Nru libapache2-mod-authnz-external-3.2.4/CHANGES libapache2-mod-authnz-external-3.3.1/CHANGES --- libapache2-mod-authnz-external-3.2.4/CHANGES 2009-05-21 02:24:25.000000000 +0000 +++ libapache2-mod-authnz-external-3.3.1/CHANGES 2011-10-12 14:49:23.000000000 +0000 
@@ -1,3 +1,37 @@ +v3.3.1 (Jan Wolter - Oct 12, 2012) +---------------------------------------------- + * Deleted most of the sample authenticators from the distribution. They + are mostly old and crufty or available elsewhere. No need to clutter + the main distribution with them. + * Added code to support caching authentications with mod_authn_socache. + This is enabled by the "AuthExternalProvideCache On" directive. This + feature should be considered experimental, since mod_authn_socache still + seems buggy and it's interface may not have been finalized. + +v3.3.0 (Jan Wolter - Oct 6, 2011) +---------------------------------------------- + * Revised to work with Apache 2.3 / 2.4. Will not work with previous Apache + versions. + * Deleted 'GroupExternalAuthoritative' and 'AuthzExternalAuthoritative' + directives which are obsolete. + * Deleted 'GroupExternalError' directive which is superceded by Apache's + 'AuthzSendForbiddenOnFailure' directive. + +v3.2.6 (Jan Wolter - Oct 6, 2011) +----------------------------------------------- + * Modified parsing of "Require groups" line so that you can have group + names that include spaces by enclosing them in quotes. This change + suggested by David Homborg. + * Default action of Makefile changed to "build" not "install". + * Corrected an exploitable SQL injection flaw in the sample mysql + authenticator. + * Add references to version 3.3.x to documentation. + +v3.2.5 (Jan Wolter - Oct 29, 2009) +----------------------------------------------- + * Fixed a bug introduced in 3.2.0 in which data for checkpassword-type + authenticators is written to the authenticator's stdin instead of stderr. 
+ v3.2.4 (Jan Wolter - May 20, 2009) ----------------------------------------------- * Dropped the radius code from the distribution, because of possible problems diff -Nru libapache2-mod-authnz-external-3.2.4/INSTALL libapache2-mod-authnz-external-3.3.1/INSTALL --- libapache2-mod-authnz-external-3.2.4/INSTALL 2009-05-21 02:24:25.000000000 +0000 +++ libapache2-mod-authnz-external-3.3.1/INSTALL 2011-10-07 19:15:37.000000000 +0000 @@ -1,5 +1,5 @@ How To Install mod_authnz_external.c - Version 3.2.2 + Version 3.3.x NOTES: @@ -7,13 +7,14 @@ in the INSTALL.HARDCODE file in this directory before following these instructions. - * These instructions are for Apache version 2.2. This version of + * These instructions are for Apache version 2.4. This version of mod_authnz_external will not work with older versions of Apache. Other versions are available for different releases of Apache: Apache 1.3 mod_auth_external-2.1.x Apache 2.0 mod_auth_external-2.2.x Apache 2.2 mod_authnz_external-3.1.x or mod_authnz_external-3.2.x + Apache 2.4 mod_authnz_external-3.3.x You can check your apache version by running it from the command line with the -v flag. @@ -437,7 +438,7 @@ AuthBasicProvider external AuthExternal GroupExternal - Require group ... + Require external-group ... Here matches a name you defined with with the DefineExternalGroup or AddExternalGroup command in step 2. 
@@ -451,17 +452,82 @@ GroupExternalManyAtOnce off + If you have GroupExternalManyAtOnce turned off, then you can have + spaces in your group names by enclosing the names in quote marks. + If it is on, then all parsing of the group name list is up to your + authenticator. + If, instead of listing group names, you want to allow access only to users whose group name (as determined by whatever group database your external group checker uses) matches the unix group name that owns the file being accessed, you can configure an external group checker and then install mod_authz_owner and do: - Require file-group + Require external-file-group The GroupExternal cannot (yet?) be used with multiple external authenticators. + * USE WITH MOD_AUTHN_SOCACHE + + Mod_authnz_external version 3.3.1 and later can be used with the + Apache mod_authn_socache module, which caches authentications. If + you do this, then after a successful authentication, mod_socache + will remember the user for a settable time (5 minutes by default) + and not rerun the external authenticator again to check their password + until after the timeout. This can be a very substantial performance + improvement. + + It can also be a very substantial security problem. One common use of + mod_authnz_external is to authenticate from databases that are not readable + by Apache, and should not be. For example, if you are authenticating out + of the a unix password file with pwauth, you don't want make the password + file readable to Apache because then an Apache bug would risk exposing + your entire password file to the net. But if you turn on caching with + mod_authn_socache, then the cache it builds up is essentially an + Apache-readable copy of the most sensitive data from your password file. + With some settings, it may even be stored on disk rather than on memory. 
+ The only good thing you can say for it is that all the passwords in that + cache will be encrypted (even if you are dopey enough not to encrypt them + in your actual password database). But encryption is a pretty weak + defense all by itself. + + So using mod_authnz_external with mod_authn_socache might be dumb, but, + what the heck, when have we passed up a chance to give you more rope to + hang yourself with? + + One note: normally when you use mod_authn_socache with one of the standard + Apache modules, a cache entry is created everytime it looks up a user's + password in the database, even if the password they submitted wasn't + the correct one. With mod_authnz_external it only happens after + successful authentications. That's because mod_authnz_external doesn't + have direct access to the password database. After a successful + authentication we can fake-up something that looks to mod_authn_socache + like some credentials out of a database by simple encrypting the password + that the user sent us and pretending we got that out of a database. This + means we don't get quite the performance gains that mod_authn_socache + would give with something like mod_authn_dbd, but we get pretty close. + + So here's how you do it. First you AuthBasicProvider statement should + list both 'socache' and 'external', and it's important that 'socache' + should be listed first, so that it tries to look up users in the cache + before mod_authnz_external runs the authenticator: + + AuthBasicProvider socache external + + Then you need to tell mod_authnz_external to start forging credentials + for mod_authn_socache: + + AuthExternalProvideCache On + + And you need to tell mod_authn_socache to accept credentials from + mod_authnz_external: + + AuthnCacheProvideFor external + + And that should do it. You should see many fewer runs of the external + authenticator, and perhaps a slight decline in your overall security. 
+ * PASSING CONTEXT INFORMATION INTO AUTHENTICATORS: If you want the authentication to work slightly differently in 
@@ -475,58 +541,30 @@ * MODIFYING ERROR CODES FOR GROUP CHECKING: - Normally, if a group authentication fails, then mod_authnz_external - will return a 401 error, which will normally cause the browser to - pop up a fresh login box so the user can try logging in with a different - ID. This may not always be appropriate. If you rejected him because he - has a blocked IP address, returning a 403 error, which displays an error - page (which you can configure) may be a better choice. To get a - 403 error instead of a 401 error on failed group access checks, you - would add the following command to your configuration: - - GroupExternalError 403 - - This would effect only group checks, never password checks. Bad - passwords always result in a 401 error. + Normally, if a group authentication fails, then apache will return a + 401 error, which will normally cause the browser to pop up a fresh + login box so the user can try logging in with a different ID. This + may not always be appropriate. If you rejected him because he has a + blocked IP address, returning a 403 error, which displays an error + page (which you can configure) may be a better choice than asking him + to endlessly try new logins and passwords. + + Previous versions of mod_authnz_external had a 'GroupExternalError' + directive that allowed you to change this. This no longer exists + Under Apache 2.4 you can control the return code using the + 'AuthzSendForbiddenOnFailure' directive. * INTERACTIONS WITH OTHER AUTHENTICATORS: - It is possible to configure more than one different authentication - module. If you do so, you will normally want to make them - unauthoritative, so that if one fails, the others will be tried. - That way, authentication or access will be granted if ANY of the - the configured modules finds it valid. - - If all your password checkers are "authn" modules running under - mod_auth_basic, then you need do nothing. 
The arbitration among - such modules is different than the arbitration between top level - modules, and does the right thing by default. But if some are not - "authn" modules, then you'll want to make mod_auth basic - unauthoritative with the "AuthBasicAuthoritative off" directive - described in the Apache manual. - - If you have multiple group checkers, then you will need to make - mod_authnz_external un-authoritative for group checking. To do - this, use the directive: - - GroupExternalAuthoritative off - - Of course, you'll probably also have to make the other module - unauthoritative. For example, if you have a "Require user pete" - directive and a "Require group admin" directive and expect it to - allow either pete or any admin to login, then you need to make - mod_authz_user unauthoritative, because that's what checks - "Require user" directives. - - See the Apache manual pages on AuthType, AuthName, AuthBasicProvider, - Require, and AuthGroupFile for more information. - + Previous versions of mod_authnz_external had 'GroupExternalAuthoritative' + directive. In Apache 2.4, the notion of authoritativeness is + thankfully almost entirely gone, so this directive is too. + * OLD DIRECTIVES Some of the directives mentioned above used to have different names. - The old names still work for backward compatibility. + One old name still works for backward compatibility. - AuthzExternalAuthoritative equals GroupExternalAuthoritative AuthExternalGroupsAtOnce equals GroupExternalManyAtOnce (4) Install the Authenticator diff -Nru libapache2-mod-authnz-external-3.2.4/Makefile libapache2-mod-authnz-external-3.3.1/Makefile --- libapache2-mod-authnz-external-3.2.4/Makefile 2009-05-21 02:24:25.000000000 +0000 +++ libapache2-mod-authnz-external-3.3.1/Makefile 2011-10-12 14:53:38.000000000 +0000 
@@ -3,15 +3,17 @@ APXS=apxs TAR= README INSTALL INSTALL.HARDCODE CHANGES AUTHENTICATORS UPGRADE TODO \ - mod_authnz_external.c mysql/* pwauth/* radius/* sybase/* test/* \ - Makefile + mod_authnz_external.c test/* Makefile + +.DEFAULT_GOAL:= build +.PHONY: install build clean install: mod_authnz_external.la $(APXS) -i -a mod_authnz_external.la build: mod_authnz_external.la -mod_authnz_external.la: +mod_authnz_external.la: mod_authnz_external.c $(APXS) -c mod_authnz_external.c clean: diff -Nru libapache2-mod-authnz-external-3.2.4/README libapache2-mod-authnz-external-3.3.1/README --- libapache2-mod-authnz-external-3.2.4/README 2009-05-21 02:24:25.000000000 +0000 +++ libapache2-mod-authnz-external-3.3.1/README 2011-10-12 14:33:18.000000000 +0000 @@ -1,4 +1,4 @@ - Mod_Authnz_External version 3.2.4 + Mod_Authnz_External version 3.3.x Original Coder: Nathan Neulinger Previous Maintainer: Tyler Allison @@ -18,10 +18,14 @@ Versions: --------- -Mod_authnz_external version 3.2.x is designed for use with Apache version -2.2.x. It will not work with Apache 2.0. If you have an older version of -Apache, use instead either mod_auth_external-2.1.x for Apache 1.3, or -mod_auth_external-2.2.x for Apache 2.2. +Mod_authnz_external version 3.3.x is designed for use with Apache version +2.4.x. It will not work with Apache 2.2 or 2.0. For older versions of +Apache you will need older branches of mod_authnz_external: + + Apache 1.3 mod_auth_external-2.1.x + Apache 2.0 mod_auth_external-2.2.x + Apache 2.2 mod_authnz_external-3.1.x or mod_authnz_external-3.2.x + Apache 2.4 mod_authnz_external-3.3.x This module was developed from "mod_auth_external". It has been restructured to fit into the authn/authz structure introduce in Apache 2.1. It can be used 
@@ -175,8 +179,8 @@ we could possibly list. See the file AUTHENTICATORS for more information on implementing authenticators. -Example External Authentication Routines in this Distribution: --------------------------------------------------------------- +Example Authentication Routines in this Distribution: +----------------------------------------------------- test/ Several small dummy external authentication programs written in Perl. @@ -184,39 +188,44 @@ any user whose password and login name are identical. They write lots of debugging info to the error_log file. - Author and Maintainer: Jan Wolter + Author and Maintainer: Jan Wolter http://unixpapa.com/ - mysql/ +Example Authentication Routines Formerly Included in this Distribution: +----------------------------------------------------------------------- +In the interest of cleaning up the distribution, several other examples +that were formerly distributed with this module are now only available +separately. + + pwauth + A C program for authenticating out of unix shadow password files or + PAM. + + Author and Maintainer: Jan Wolter http://unixpapa.com/ + Available from: http://code.google.com/p/pwauth/ + + MYSQL-auth A Perl program for authenticating out of a MySQL database. This is written in Perl using the DBI interface, so it could be trivially adapted to work with any other SQL database server that has a DBI interface (that is to say all of them). Author and Maintainer: Anders Nordby - http://anders.fix.no/software/#unix + Available From: http://anders.fix.no/software/#unix + + sybase-internal-auth + An example of a hardcoded internal authentication function for use with + mod_auth_external or mod_authnz_external. It's designed for doing + authentication out of a sybase database, which these days would be better + done using mod_authn_dbd. + + Author: + Available 
From: http://code.google.com/p/mod-auth-external/downloads + + mae-radius + Another example or a hardcoded internal authentication function. + This does radius authentication. It may not be fully open source. -The "pwauth" authenticator for unix shadow password files or PAM which -was previously included in this distribution is now in a separate package, -available from http://www.unixpapa.com/pwauth/. - -Example Hardcoded Internal Authentication Routines in this Distribution: ------------------------------------------------------------------------- - - sybase/ - A function that queries a sybase database and compares the passwords - for said user. - - Author: - Unmaintained. - -The radius client previously distributed with mod_auth_external has been -removed from the distribution because of possible license problems. Get it -from http://unixpapa.com/software/mae_radius.tar.gz if you want it, but -mod_auth_radius is a better choice. - -If you have programs or functions you have coded and would like to add them -to the examples collection on the next release please email them to -jan@unixpapa.com and include a short description. + Available From: http://unixpapa.com/software/mae_radius.tar.gz Checkpassword Authenticators ---------------------------- diff -Nru libapache2-mod-authnz-external-3.2.4/UPGRADE libapache2-mod-authnz-external-3.3.1/UPGRADE --- libapache2-mod-authnz-external-3.2.4/UPGRADE 2009-05-21 02:24:25.000000000 +0000 +++ libapache2-mod-authnz-external-3.3.1/UPGRADE 2011-10-06 14:11:14.000000000 +0000 @@ -49,8 +49,8 @@ AuthExternalAuthoritative off - This command will no longer work. Instead you should use one or both - of the following commands: + This command will no longer work. If upgrading to Apache 2.2, you + should use one or both of the following commands: AuthBasicAuthoritative off GroupExternalAuthoritative off 
@@ -66,6 +66,9 @@ group checker was given a chance to decide if the user was in that group based on it's group database. + In Apache 2.4, all of this is handled quite differently. I need to + document this. + (6) If you were using multiple Require directives, the behavior may change under Apache 2.2. Suppose you wanted to allow access to user "pete" and members of the group "admins". You might have do: @@ -85,6 +88,9 @@ GroupUserAuthoritative off + Again, in Apache 2.4, all of this is handled quite differently, and this + document needs updating. + (7) Note that a new type of functionality is available under Apache 2.2 with mod_authnz_external. Thanks to mod_authz_owner, you can now do: @@ -103,3 +109,7 @@ being used for http authentication, but for people using 'pwauth' with mod_authnz_external, these really check if the user has been authenticated as the unix user who owns the file. + + In Apache 2.4, this is the same, except the latter of the two becomes: + + Require external-file-group diff -Nru libapache2-mod-authnz-external-3.2.4/debian/changelog libapache2-mod-authnz-external-3.3.1/debian/changelog --- libapache2-mod-authnz-external-3.2.4/debian/changelog 2013-07-18 09:36:23.000000000 +0000 +++ libapache2-mod-authnz-external-3.3.1/debian/changelog 2013-07-10 21:10:01.000000000 +0000 
@@ -1,3 +1,12 @@ +libapache2-mod-authnz-external (3.3.1-0.1) unstable; urgency=low + + * Non-maintainer upload. + * New upstream release, suitable for Apache 2.4 (closes: #633638). + * Port packaging to Apache 2.4 (closes: #666815). + * Update debian/watch. + + -- Colin Watson Wed, 10 Jul 2013 22:04:38 +0100 + libapache2-mod-authnz-external (3.2.4-2.1) unstable; urgency=high * Non-maintainer upload by the security team diff -Nru libapache2-mod-authnz-external-3.2.4/debian/control libapache2-mod-authnz-external-3.3.1/debian/control --- libapache2-mod-authnz-external-3.2.4/debian/control 2013-07-18 09:36:23.000000000 +0000 +++ libapache2-mod-authnz-external-3.3.1/debian/control 2013-07-09 16:51:49.000000000 +0000 @@ -2,13 +2,13 @@ Section: web Priority: optional Maintainer: Hai Zaar -Build-Depends: debhelper (>= 7), apache2-threaded-dev (>= 2.2.0) +Build-Depends: debhelper (>= 7), dh-apache2, apache2-dev (>= 2.4.0) Standards-Version: 3.8.2 Homepage: http://code.google.com/p/mod-auth-external Package: libapache2-mod-authnz-external Architecture: any -Depends: ${shlibs:Depends}, apache2.2-common +Depends: ${shlibs:Depends}, ${misc:Depends} Recommends: pwauth Description: authenticate Apache against external authentication services Mod_Auth_External can be used to quickly construct secure, reliable diff -Nru libapache2-mod-authnz-external-3.2.4/debian/libapache2-mod-authnz-external.apache2 libapache2-mod-authnz-external-3.3.1/debian/libapache2-mod-authnz-external.apache2 --- libapache2-mod-authnz-external-3.2.4/debian/libapache2-mod-authnz-external.apache2 1970-01-01 00:00:00.000000000 +0000 +++ libapache2-mod-authnz-external-3.3.1/debian/libapache2-mod-authnz-external.apache2 2013-07-09 16:14:08.000000000 +0000 
@@ -0,0 +1,2 @@
+mod .libs/mod_authnz_external.so
+mod debian/authnz_external.load
diff -Nru libapache2-mod-authnz-external-3.2.4/debian/libapache2-mod-authnz-external.dirs libapache2-mod-authnz-external-3.3.1/debian/libapache2-mod-authnz-external.dirs
--- libapache2-mod-authnz-external-3.2.4/debian/libapache2-mod-authnz-external.dirs 2013-07-18 09:36:23.000000000 +0000
+++ libapache2-mod-authnz-external-3.3.1/debian/libapache2-mod-authnz-external.dirs 1970-01-01 00:00:00.000000000 +0000
@@ -1,2 +0,0 @@
-usr/lib/apache2/modules
-etc/apache2/mods-available
diff -Nru libapache2-mod-authnz-external-3.2.4/debian/libapache2-mod-authnz-external.install libapache2-mod-authnz-external-3.3.1/debian/libapache2-mod-authnz-external.install
--- libapache2-mod-authnz-external-3.2.4/debian/libapache2-mod-authnz-external.install 2013-07-18 09:36:23.000000000 +0000
+++ libapache2-mod-authnz-external-3.3.1/debian/libapache2-mod-authnz-external.install 1970-01-01 00:00:00.000000000 +0000
@@ -1,2 +0,0 @@
-.libs/mod_authnz_external.so usr/lib/apache2/modules
-debian/authnz_external.load etc/apache2/mods-available
diff -Nru libapache2-mod-authnz-external-3.2.4/debian/patches/conn-rec-remote-ip.patch libapache2-mod-authnz-external-3.3.1/debian/patches/conn-rec-remote-ip.patch
--- libapache2-mod-authnz-external-3.2.4/debian/patches/conn-rec-remote-ip.patch 1970-01-01 00:00:00.000000000 +0000
+++ libapache2-mod-authnz-external-3.3.1/debian/patches/conn-rec-remote-ip.patch 2013-07-09 16:35:49.000000000 +0000
@@ -0,0 +1,20 @@
+Description: Handle conn_rec->remote_ip split in Apache 2.4
+Author: Colin Watson
+Forwarded: http://code.google.com/p/mod-auth-external/issues/detail?id=8
+Last-Update: 2013-07-09
+
+Index: b/mod_authnz_external.c
+===================================================================
+--- a/mod_authnz_external.c
++++ b/mod_authnz_external.c
+@@ -443,8 +443,8 @@
+ if (remote_host != NULL)
+ child_env[i++]= apr_pstrcat(p, ENV_HOST"=", remote_host,NULL);
+
+- if (c->remote_ip)
+- child_env[i++]= apr_pstrcat(p, ENV_IP"=", c->remote_ip, NULL);
++ if (r->useragent_ip)
++ child_env[i++]= apr_pstrcat(p, ENV_IP"=", r->useragent_ip, NULL);
+
+ if (r->uri)
+ child_env[i++]= apr_pstrcat(p, ENV_URI"=", r->uri, NULL);
diff -Nru libapache2-mod-authnz-external-3.2.4/debian/patches/series libapache2-mod-authnz-external-3.3.1/debian/patches/series
--- libapache2-mod-authnz-external-3.2.4/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ libapache2-mod-authnz-external-3.3.1/debian/patches/series 2013-07-09 16:29:28.000000000 +0000
@@ -0,0 +1 @@
+conn-rec-remote-ip.patch
diff -Nru libapache2-mod-authnz-external-3.2.4/debian/rules libapache2-mod-authnz-external-3.3.1/debian/rules
--- libapache2-mod-authnz-external-3.2.4/debian/rules 2013-07-18 09:36:23.000000000 +0000
+++ libapache2-mod-authnz-external-3.3.1/debian/rules 2013-07-09 16:14:32.000000000 +0000
@@ -49,6 +49,7 @@
 dh_installdocs
 dh_installexamples
 dh_install
+ dh_apache2
 # dh_installmenu
 # dh_installdebconf
 # dh_installlogrotate
diff -Nru libapache2-mod-authnz-external-3.2.4/debian/source/format libapache2-mod-authnz-external-3.3.1/debian/source/format
--- libapache2-mod-authnz-external-3.2.4/debian/source/format 1970-01-01 00:00:00.000000000 +0000
+++ libapache2-mod-authnz-external-3.3.1/debian/source/format 2013-07-18 09:36:23.746466175 +0000
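Review bot: Switching ENV_IP from `c->remote_ip` to `r->useragent_ip` hands the external authenticator the address mod_remoteip may have substituted from a proxy header (RemoteIPHeader), not the TCP peer, which in Apache 2.4 is `c->client_ip`; the patch header does not say which of the two was intended. An authenticator that gates on that address is therefore only as trustworthy as the RemoteIPTrustedProxy/RemoteIPInternalProxy configuration, while deployments without mod_remoteip see no difference, so this is probably the right choice but deserves stating. Suggest extending the header, e.g. `Description: Pass r->useragent_ip (mod_remoteip-aware client address) as ENV_IP; use c->client_ip if the raw TCP peer is wanted`.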
@@ -0,0 +1 @@ +3.0 (quilt) diff -Nru libapache2-mod-authnz-external-3.2.4/debian/watch libapache2-mod-authnz-external-3.3.1/debian/watch --- libapache2-mod-authnz-external-3.2.4/debian/watch 2013-07-18 09:36:23.000000000 +0000 +++ libapache2-mod-authnz-external-3.3.1/debian/watch 2013-07-09 16:22:03.000000000 +0000 @@ -9,7 +9,7 @@ # Uncomment to examine a Webpage # #http://www.example.com/downloads.php #PACKAGE#-(.*)\.tar\.gz -http://code.google.com/p/mod-auth-external/downloads/list http://mod-auth-external.googlecode.com/files/mod_authnz_external-(.*)\.tar\.gz +http://code.google.com/p/mod-auth-external/downloads/list?can=1 .*/mod_authnz_external-(\d[\d.]*)\.tar\.gz # Uncomment to examine a Webserver directory #http://www.example.com/pub/#PACKAGE#-(.*)\.tar\.gz diff -Nru libapache2-mod-authnz-external-3.2.4/mod_authnz_external.c libapache2-mod-authnz-external-3.3.1/mod_authnz_external.c --- libapache2-mod-authnz-external-3.2.4/mod_authnz_external.c 2009-05-21 02:24:25.000000000 +0000 +++ libapache2-mod-authnz-external-3.3.1/mod_authnz_external.c 2011-10-07 18:43:34.000000000 +0000 @@ -71,6 +71,7 @@ #define APR_WANT_STRFUNC #include "apr_want.h" #include "apr_strings.h" +#include "apr_sha1.h" #include "httpd.h" #include "http_config.h" @@ -119,9 +120,8 @@ apr_array_header_t *auth_name; /* Auth keyword for current dir */ char *group_name; /* Group keyword for current dir */ char *context; /* Context string from AuthExternalContext */ - int authoritative; /* Are we authoritative in current dir? */ - int groupsatonce; /* Check all groups in one call in this dir? */ - char *grouperror; /* What to return if group auth fails */ + int groupsatonce; /* Check all groups in one call? */ + int providecache; /* Provide auth data to mod_authn_socache? */ } authnz_external_dir_config_rec; 
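Review bot: The comment on the new `providecache` field ("Provide auth data to mod_authn_socache?") does not say what data is handed over; the `#include "apr_sha1.h"` added in the previous hunk, together with the INSTALL text in this diff ("simple encrypting the password"), indicates it is a SHA1 digest of the password the client just submitted, though the code that builds it is outside these hunks and should be confirmed. Because that digest lands in whatever socache backend the administrator configured, possibly a file on disk, the field comment and the `AuthExternalProvideCache` help string in the later directive hunk should name the trade-off, e.g. `int providecache; /* Hand a digest of the submitted password to mod_authn_socache (an Apache-readable cached copy of credentials) */`.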
@@ -137,28 +137,32 @@ } authnz_external_svr_config_rec; -/* - * Creators for per-dir and server configurations. These are called +/* mod_authz_owner's function for retrieving the requested file's group */ +APR_DECLARE_OPTIONAL_FN(char*, authz_owner_get_file_group, (request_rec *r)); +APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group; + +/* mod_authn_socache's function for adding credentials to its cache */ +static APR_OPTIONAL_FN_TYPE(ap_authn_cache_store) *authn_cache_store = NULL; + + +/* Creators for per-dir and server configurations. These are called * via the hooks in the module declaration to allocate and initialize * the per-directory and per-server configuration data structures declared - * above. - */ + * above. */ static void *create_authnz_external_dir_config(apr_pool_t *p, char *d) { authnz_external_dir_config_rec *dir= (authnz_external_dir_config_rec *) apr_palloc(p, sizeof(authnz_external_dir_config_rec)); - dir->auth_name= apr_array_make(p,2,sizeof(const char *)); /* no default */ + dir->auth_name= apr_array_make(p,2,sizeof(const char *)); /* no default */ dir->group_name= NULL; /* no default */ dir->context= NULL; /* no default */ - dir->authoritative= 1; /* strong by default */ dir->groupsatonce= 1; /* default to on */ - dir->grouperror= NULL; /* default to 401 */ + dir->providecache= 0; /* default to off */ return dir; } - static void *create_authnz_external_svr_config( apr_pool_t *p, server_rec *s) { authnz_external_svr_config_rec *svr= (authnz_external_svr_config_rec *) @@ -173,10 +177,7 @@ return (void *)svr; } -/* - * Handler for a DefineExternalAuth server config line - */ - +/* Handler for a DefineExternalAuth server config line */ static const char *def_extauth(cmd_parms *cmd, void *dummy, const char *keyword, const char *method, const char *path) { 
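Review bot: `APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group;` is a non-static, uninitialised file-scope definition, while `authn_cache_store` three lines later is `static` and set to NULL; a loadable module has no reason to export that symbol, and exporting one with the same name as the optional function it points to invites confusion when inspecting the loaded module. Make the two consistent: `static APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group = NULL;`. Both pointers stay NULL when mod_authz_owner or mod_authn_socache is not loaded, so the retrieval hook and every call site (none are in this hunk) must check for NULL before calling through them. The second hunk on this line only rewraps the def_extauth comment.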
@@ -191,10 +192,7 @@ } -/* - * Handler for a DefineExternalGroup server config line - */ - +/* Handler for a DefineExternalGroup server config line */ static const char *def_extgroup(cmd_parms *cmd, void *dummy, const char *keyword, const char *method, const char *path) { @@ -210,11 +208,8 @@ -/* - * Handler for a AddExternalAuth server config line - add a external auth - * type to the server configuration - */ - +/* Handler for a AddExternalAuth server config line - add a external auth + * type to the server configuration */ static const char *add_extauth(cmd_parms *cmd, void *dummy, const char *keyword, const char *path) { @@ -229,11 +224,8 @@ } -/* - * Handler for a AddExternalGroup server config line - add a external group - * type to the server configuration - */ - +/* Handler for a AddExternalGroup server config line - add a external group + * type to the server configuration */ static const char *add_extgroup(cmd_parms *cmd, void *dummy, const char *keyword, const char *path) { @@ -247,13 +239,10 @@ return NULL; } -/* - * Handler for a SetExternalAuthMethod server config line - change an external - * auth method in the server configuration - */ - +/* Handler for a SetExternalAuthMethod server config line - change an external + * auth method in the server configuration */ static const char *set_authnz_external_method(cmd_parms *cmd, void *dummy, - const char *keyword, const char *method) + const char *keyword, const char *method) { authnz_external_svr_config_rec *svr= (authnz_external_svr_config_rec *) ap_get_module_config( cmd->server->module_config, 
@@ -265,13 +254,10 @@ } -/* - * Handler for a SetExternalGroupMethod server config line - change an external - * group method in the server configuration - */ - +/* Handler for a SetExternalGroupMethod server config line - change an external + * group method in the server configuration */ static const char *set_extgroup_method(cmd_parms *cmd, void *dummy, - const char *keyword, const char *method) + const char *keyword, const char *method) { authnz_external_svr_config_rec *svr= (authnz_external_svr_config_rec *) ap_get_module_config( cmd->server->module_config, @@ -296,10 +282,7 @@ } -/* - * Config file commands that this module can handle - */ - +/* Config file directives for this module */ static const command_rec authnz_external_cmds[] = { AP_INIT_ITERATE("AuthExternal", @@ -350,19 +333,6 @@ RSRC_CONF, "a keyword followed by the method by which the data is passed"), - AP_INIT_FLAG("GroupExternalAuthoritative", - ap_set_flag_slot, - (void *)APR_OFFSETOF(authnz_external_dir_config_rec, authoritative), - OR_AUTHCFG, - "Set to 'off' to allow access control to be passed along to lower " - "modules if this module can't confirm access rights" ), - - AP_INIT_FLAG("AuthzExternalAuthoritative", - ap_set_flag_slot, - (void *)APR_OFFSETOF(authnz_external_dir_config_rec, authoritative), - OR_AUTHCFG, - "Old version of 'GroupExternalAuthoritative'" ), - AP_INIT_TAKE1("AuthExternalContext", ap_set_string_slot, (void *)APR_OFFSETOF(authnz_external_dir_config_rec, context), 
@@ -370,11 +340,11 @@ "An arbitrary context string to pass to the authenticator in the " ENV_CONTEXT " environment variable"), - AP_INIT_TAKE1("GroupExternalError", - ap_set_string_slot, - (void *)APR_OFFSETOF(authnz_external_dir_config_rec, grouperror), + AP_INIT_FLAG("AuthExternalProvideCache", + ap_set_flag_slot, + (void *)APR_OFFSETOF(authnz_external_dir_config_rec, providecache), OR_AUTHCFG, - "HTTP error code to return when group authentication fails"), + "Should we forge authentication credentials for mod_authn_socache?"), AP_INIT_FLAG("GroupExternalManyAtOnce", ap_set_flag_slot, @@ -394,9 +364,7 @@ /* Called from apr_proc_create() if there are errors during launch of child - * process. Mostly just lifted from mod_cgi. - */ - + * process. Mostly just lifted from mod_cgi. */ static void extchilderr(apr_pool_t *p, apr_status_t err, const char *desc) { apr_file_t *stderr_log; @@ -407,8 +375,7 @@ } -/* - * Run an external authentication program using the given method for passing +/* Run an external authentication program using the given method for passing * in the data. The login name is always passed in. Dataname is "GROUP" or * "PASS" and data is the group list or password being checked. To launch * a detached daemon, run this with extmethod=NULL. @@ -424,7 +391,6 @@ * -4 apr_proc_wait() did not return a status code. Should never happen. * -5 apr_proc_wait() returned before child finished. Should never happen. */ - static int exec_external(const char *extpath, const char *extmethod, const request_rec *r, const char *dataname, const char *data) { 
@@ -514,9 +480,10 @@ /* should we create pipes to stdin, stdout and stderr? */ ((rc= apr_procattr_io_set(procattr, - usepipein ? APR_FULL_BLOCK : APR_NO_PIPE, + (usepipein && !usecheck) ? APR_FULL_BLOCK : APR_NO_PIPE, usepipeout ? APR_FULL_BLOCK : APR_NO_PIPE, - APR_NO_PIPE)) != APR_SUCCESS) || + (usepipein && usecheck) ? APR_FULL_BLOCK : APR_NO_PIPE)) + != APR_SUCCESS ) || /* will give full path of program and make a new environment */ ((rc= apr_procattr_cmdtype_set(procattr, @@ -557,19 +524,22 @@ if (usepipein) { + /* Select appropriate pipe to write to */ + apr_file_t *pipe= (usecheck ? proc.err : proc.in); + /* Send the user */ - apr_file_write_full(proc.in, r->user, strlen(r->user), NULL); - apr_file_putc(usecheck ? '\0' : '\n', proc.in); + apr_file_write_full(pipe, r->user, strlen(r->user), NULL); + apr_file_putc(usecheck ? '\0' : '\n', pipe); /* Send the password */ - apr_file_write_full(proc.in, data, strlen(data), NULL); - apr_file_putc(usecheck ? '\0' : '\n', proc.in); + apr_file_write_full(pipe, data, strlen(data), NULL); + apr_file_putc(usecheck ? '\0' : '\n', pipe); /* Send dummy timestamp for checkpassword */ - if (usecheck) apr_file_write_full(proc.in, "0", 2, NULL); + if (usecheck) apr_file_write_full(pipe, "0", 2, NULL); /* Close the file */ - apr_file_close(proc.in); + apr_file_close(pipe); } /* Wait for the child process to terminate, and get status */ @@ -600,7 +570,6 @@ * into this source file, as well as inserting a call to them into this * routine. */ - static int exec_hardcode(const request_rec *r, const char *extpath, const char *password) { 
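Review bot: In the `if (usepipein)` block the status returned by each `apr_file_write_full`/`apr_file_putc` on the new `pipe` variable is still discarded, so a child that closes its end early, or a pipe that is not writable, leaves the credentials half-sent with nothing in the error log to explain the subsequent authentication failure. That matters more after this change because for `usecheck` the target is `proc.err`, and in APR the err pipe of a child is normally the end the parent reads from — if that holds here these writes fail silently, so please verify with a checkpassword-style authenticator; the preceding hunk on this line also means such a child's own stderr output no longer reaches the error log, which deserves a comment at the `apr_procattr_io_set` call. The local name `pipe` additionally shadows the POSIX `pipe(2)` declaration pulled in through the APR/httpd headers on unix. The rewrite below threads the existing `rc` through the writes and logs a failure with `ap_log_rerror` (already used in this file); the call's result still comes from the child's exit status, so nothing becomes more permissive. `exec_external` begins and ends outside this hunk.
```c
    if (usepipein)
    {
        /* Select appropriate pipe to write to */
        apr_file_t *datapipe= (usecheck ? proc.err : proc.in);

        /* Send the user and the password, stopping at the first failed write */
        rc= apr_file_write_full(datapipe, r->user, strlen(r->user), NULL);
        if (rc == APR_SUCCESS) rc= apr_file_putc(usecheck ? '\0' : '\n', datapipe);
        if (rc == APR_SUCCESS) rc= apr_file_write_full(datapipe, data, strlen(data), NULL);
        if (rc == APR_SUCCESS) rc= apr_file_putc(usecheck ? '\0' : '\n', datapipe);

        /* Send dummy timestamp for checkpassword */
        if (rc == APR_SUCCESS && usecheck)
            rc= apr_file_write_full(datapipe, "0", 2, NULL);

        /* A short or failed write is not fatal here (the child's exit status
         * still decides), but it must be visible to the administrator */
        if (rc != APR_SUCCESS)
            ap_log_rerror(APLOG_MARK, APLOG_ERR, rc, r,
                "could not pass credentials to external authenticator");

        /* Close the file */
        apr_file_close(datapipe);
    }
    /* … unchanged: wait for the child process and collect its status … */
```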
@@ -640,7 +609,10 @@ } -static int authz_external_check_user_access(request_rec *r) +/* Handle a group check triggered by a 'Require external-group foo bar baz' + * directive. */ +static authz_status externalgroup_check_authorization(request_rec *r, + const char *require_args, const void *parsed_require_args) { authnz_external_dir_config_rec *dir= (authnz_external_dir_config_rec *) ap_get_module_config(r->per_dir_config, &authnz_external_module); 
@@ -648,108 +620,137 @@ authnz_external_svr_config_rec *svr= (authnz_external_svr_config_rec *) ap_get_module_config(r->server->module_config, &authnz_external_module); - int code, ret; - int m= r->method_number; - const char *extpath, *extmethod; + char *user= r->user; char *extname= dir->group_name; - int required_group= 0; - register int x; + const char *extpath, *extmethod; const char *t, *w; - const apr_array_header_t *reqs_arr= ap_requires(r); - const char *filegroup= NULL; - require_line *reqs; + int code; - /* If no external authenticator has been configured, pass */ - if ( !extname ) return DECLINED; - - /* If there are no Require arguments, pass */ - if (!reqs_arr) return DECLINED; - reqs= (require_line *)reqs_arr->elts; + /* If no authenticated user, pass */ + if ( !user ) return AUTHZ_DENIED_NO_USER; + /* If no external authenticator has been configured, pass */ + if ( !extname ) return AUTHZ_DENIED; - /* Loop through the "Require" argument list */ - for(x= 0; x < reqs_arr->nelts; x++) + /* Get the path and method associated with that external */ + if (!(extpath= apr_table_get(svr->group_path, extname)) || + !(extmethod= apr_table_get(svr->group_method,extname))) { - if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) continue; - - t= reqs[x].requirement; - w= ap_getword_white(r->pool, &t); + errno= 0; + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "invalid GroupExternal keyword (%s)", extname); + return AUTHZ_DENIED; + } - /* The 'file-group' directive causes mod_authz_owner to store the - * group name of the file we are trying to access in a note attached - * to the request. It's our job to decide if the user actually is - * in that group. If the note is missing, we just decline. 
- */ - if ( !strcasecmp(w, "file-group")) + if (dir->groupsatonce) + { + /* Pass rest of require line to authenticator */ + code= exec_external(extpath, extmethod, r, ENV_GROUP, require_args); + if (code == 0) return AUTHZ_GRANTED; + } + else + { + /* Call authenticator once for each group name on line */ + t= require_args; + while ((w= ap_getword_conf(r->pool, &t)) && w[0]) { - filegroup= apr_table_get(r->notes, AUTHZ_GROUP_NOTE); - if (filegroup == NULL) continue; + code= exec_external(extpath, extmethod, r, ENV_GROUP, w); + if (code == 0) return AUTHZ_GRANTED; } + } - if( !strcmp(w,"group") || filegroup != NULL) - { - required_group= 1; + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Authorization of user %s to access %s failed. " + "User not in Required group.", + r->user, r->uri); - if (t[0] || filegroup != NULL) - { - /* Get the path and method associated with that external */ - if (!(extpath= apr_table_get(svr->group_path, extname)) || - !(extmethod= apr_table_get(svr->group_method, - extname))) - { - errno= 0; - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "invalid GroupExternal keyword (%s)", extname); - ap_note_basic_auth_failure(r); - return HTTP_INTERNAL_SERVER_ERROR; - } - - if (filegroup != NULL) - { - /* Check if user is in the group that owns the file */ - code= exec_external(extpath, extmethod, r, ENV_GROUP, - filegroup); - if (code == 0) return OK; - } - else if (dir->groupsatonce) - { - /* Pass rest of require line to authenticator */ - code= exec_external(extpath, extmethod, r, ENV_GROUP, t); - if (code == 0) return OK; - } - else - { - /* Call authenticator once for each group name on line */ - do { - w= ap_getword_white(r->pool, &t); - code= exec_external(extpath, - extmethod, r, ENV_GROUP, w); - if (code == 0) return OK; - } while(t[0]); - } - } - } + return AUTHZ_DENIED; +} + + +/* Handle a group check triggered by a 'Require external-file-group' + * directive. 
*/ +static authz_status externalfilegroup_check_authorization(request_rec *r, + const char *require_args, const void *parsed_require_args) +{ + authnz_external_dir_config_rec *dir= (authnz_external_dir_config_rec *) + ap_get_module_config(r->per_dir_config, &authnz_external_module); + + authnz_external_svr_config_rec *svr= (authnz_external_svr_config_rec *) + ap_get_module_config(r->server->module_config, &authnz_external_module); + + char *user= r->user; + char *extname= dir->group_name; + const char *extpath, *extmethod; + const char *filegroup= NULL; + const char *t, *w; + int code; + + /* If no authenticated user, pass */ + if ( !user ) return AUTHZ_DENIED_NO_USER; + + /* If no external authenticator has been configured, pass */ + if ( !extname ) return AUTHZ_DENIED; + + /* Get the path and method associated with that external */ + if (!(extpath= apr_table_get(svr->group_path, extname)) || + !(extmethod= apr_table_get(svr->group_method,extname))) + { + errno= 0; + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "invalid GroupExternal keyword (%s)", extname); + return AUTHZ_DENIED; } - /* If we didn't see a 'require group' or aren't authoritive, decline */ - if (!required_group || !dir->authoritative) - return DECLINED; + /* Get group name for requested file from mod_authz_owner */ + filegroup= authz_owner_get_file_group(r); + + if (!filegroup) + /* No errog log entry, because mod_authz_owner already made one */ + return AUTHZ_DENIED; + + /* Pass the group to the external authenticator */ + code= exec_external(extpath, extmethod, r, ENV_GROUP, filegroup); + if (code == 0) return AUTHZ_GRANTED; ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "access to %s failed, reason: user %s not allowed access (%s)", - r->uri, r->user, dir->grouperror); + "Authorization of user %s to access %s failed. 
" + "User not in Required file group (%s).", + r->user, r->uri, filegroup); - ap_note_basic_auth_failure(r); + return AUTHZ_DENIED; +} + + +/* Mod_authn_socache wants us to pass it the username and the encrypted + * password from the user database to cache. But we have no access to the + * actual user database - only the external authenticator can see that - + * and chances are, the passwords there aren't encrypted in any way that + * mod_authn_socache would understand anyway. So instead, after successful + * authentications only, we take the user's plain text password, encrypt + * that using an algorithm mod_authn_socache will understand, and cache that + * as if we'd actually gotten it from a password database. + */ +void mock_turtle_cache(request_rec *r, const char *plainpw) +{ + char cryptpw[120]; - return (dir->grouperror && (ret= atoi(dir->grouperror)) > 0) ? ret : - HTTP_UNAUTHORIZED; + /* Authn_cache_store will be null if mod_authn_socache does not exist. + * If it does exist, but is not set up to cache us, then + * authn_cache_store() will do nothing, which is why we turn this off + * with "AuthExternalProvideCache Off" to avoid doing the encryption + * for no reason. */ + if (authn_cache_store != NULL) + { + apr_sha1_base64(plainpw,strlen(plainpw),cryptpw); + authn_cache_store(r, "external", r->user, NULL, cryptpw); + } } /* Password checker for basic authentication - given a login/password, * check if it is valid. Returns one of AUTH_DENIED, AUTH_GRANTED, - * or AUTH_GENERAL_ERROR. - */ + * or AUTH_GENERAL_ERROR. */ static authn_status authn_external_check_password(request_rec *r, const char *user, const char *password) @@ -792,7 +793,11 @@ code= exec_external(extpath, extmethod, r, ENV_PASS, password); /* If return code was zero, authentication succeeded */ - if (code == 0) return AUTH_GRANTED; + if (code == 0) + { + if (dir->providecache) mock_turtle_cache(r, password); + return AUTH_GRANTED; + } /* Log a failed authentication */ errno= 0; 
@@ -808,7 +813,7 @@ #if 0 /* Password checker for digest authentication - given a login/password, * check if it is valid. Returns one of AUTH_USER_FOUND, AUTH_USER_NOT_FOUND, - * or AUTH_GENERAL_ERROR. Not implemented at this time. + * or AUTH_GENERAL_ERROR. Not implemented at this time and probably not ever. */ auth_status *authn_external_get_realm_hash(request_rec *r, const char *user, 
@@ -817,29 +822,71 @@ } #endif +/* This is called after all modules have been initialized to acquire pointers + * to some functions from other modules that we would like to use if they are + * available. */ +static void opt_retr(void) +{ + /* Get authn_cache_store from mod_authn_socache */ + authn_cache_store= + APR_RETRIEVE_OPTIONAL_FN(ap_authn_cache_store); + + /* Get authz_owner_get_file_group from mod_authz_owner */ + authz_owner_get_file_group= + APR_RETRIEVE_OPTIONAL_FN(authz_owner_get_file_group); +} +/* This tells mod_auth_basic and mod_auth_digest what to call for + * authentication. */ static const authn_provider authn_external_provider = { &authn_external_check_password, #if 0 &authn_external_get_realm_hash #else - NULL /* No support for digest authentication at this time */ + NULL /* No support for digest authentication */ #endif }; +/* This tells mod_auth_basic and mod_auth_digest what to call for + * access control with 'Require external-group' directives. */ +static const authz_provider authz_externalgroup_provider = +{ + &externalgroup_check_authorization, + NULL, +}; + +/* This tells mod_auth_basic and mod_auth_digest what to call for + * access control with 'Require external-file-group' directives. 
*/ +static const authz_provider authz_externalfilegroup_provider = +{ + &externalfilegroup_check_authorization, + NULL, +}; +/* Register this module with Apache */ static void register_hooks(apr_pool_t *p) { - ap_register_provider(p, AUTHN_PROVIDER_GROUP, "external", "0", - &authn_external_provider); + /* Register authn provider */ + ap_register_auth_provider(p, AUTHN_PROVIDER_GROUP, "external", + AUTHN_PROVIDER_VERSION, + &authn_external_provider, AP_AUTH_INTERNAL_PER_CONF); + + /* Register authz providers */ + ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "external-group", + AUTHZ_PROVIDER_VERSION, + &authz_externalgroup_provider, AP_AUTH_INTERNAL_PER_CONF); + + ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "external-file-group", + AUTHZ_PROVIDER_VERSION, + &authz_externalfilegroup_provider, AP_AUTH_INTERNAL_PER_CONF); - ap_hook_auth_checker(authz_external_check_user_access, NULL, NULL, - APR_HOOK_MIDDLE); + /* Ask for opt_retr() to be called after all modules have registered */ + ap_hook_optional_fn_retrieve(opt_retr, NULL, NULL, APR_HOOK_MIDDLE); } -module AP_MODULE_DECLARE_DATA authnz_external_module = { +AP_DECLARE_MODULE(authnz_external) = { STANDARD20_MODULE_STUFF, create_authnz_external_dir_config, /* create per-dir config */ NULL, /* merge per-dir config - dflt is override */ diff -Nru libapache2-mod-authnz-external-3.2.4/mysql/README libapache2-mod-authnz-external-3.3.1/mysql/README --- libapache2-mod-authnz-external-3.2.4/mysql/README 2009-05-21 02:24:24.000000000 +0000 +++ libapache2-mod-authnz-external-3.3.1/mysql/README 1970-01-01 00:00:00.000000000 +0000 
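Review bot: The comments above `authz_externalgroup_provider` and `authz_externalfilegroup_provider` say these tell "mod_auth_basic and mod_auth_digest what to call for access control", but authorization providers registered under AUTHZ_PROVIDER_GROUP are invoked by mod_authz_core when it evaluates a `Require` directive, not by the authentication modules; the wording was probably copied from the authn_external_provider comment above. I would change them to `/* Authorization provider: mod_authz_core calls this when it evaluates a 'Require external-group' directive. */` and the equivalent for external-file-group. The `opt_retr` comment could also note that either pointer may remain NULL when the providing module is not loaded, which is what callers must check.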
@@ -1,17 +0,0 @@
-The MySQL auth program is by Anders Nordby who maintains it
-at http://anders.fix.no/software/#unix
-
-See the header of the auth-mysql.pl file for the author's notes.
-
-This require the Perl DBI/DBD libraries for mysql:
- http://cpan.valueclick.com/modules/by-category/07_Database_Interfaces/DBI/
- http://cpan.valueclick.com/modules/by-category/07_Database_Interfaces/DBD/
-
-Configuration is mostly by editing the definitions at the front of the
-mysql-auth.pl.
-
-In the likely event that your SQL tables have different field names, you'll
-also have to edit the SQL query in the call to $dbh->prepare().
-
-If you want to use a database server other than MySQL, you'll need the DBD
-library for that database and you'll need to change the DBI->connect() call.
diff -Nru libapache2-mod-authnz-external-3.2.4/mysql/mysql-auth.pl libapache2-mod-authnz-external-3.3.1/mysql/mysql-auth.pl
--- libapache2-mod-authnz-external-3.2.4/mysql/mysql-auth.pl 2013-07-18 09:36:23.000000000 +0000
+++ libapache2-mod-authnz-external-3.3.1/mysql/mysql-auth.pl 1970-01-01 00:00:00.000000000 +0000
@@ -1,88 +0,0 @@ -#!/usr/bin/perl -Tw -# MySQL-auth version 1.0 -# Anders Nordby , 2002-01-20 -# This script is usable for authenticating users against a MySQL database with -# the Apache module mod_auth_external or mod_authnz_external. See -# http://unixpapa.com/mod_auth_external/ for mod_auth_external. -# -# Updates to this script will be made available on: -# http://anders.fix.no/software/#unix - -my $dbhost="localhost"; -my $dbuser="validator"; -my $dbpw="whatagoodpassword"; -my $dbname="funkydb"; -my $dbport="3306"; -my $mychars="01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_,."; - -# Below this, only the SQL query should be interesting to modify for users. - -use DBI; - -sub validchars -{ - # 0: string 1: valid characters - my $streng = $_[0]; - - my $ok = 1; - my $i = 0; - while ($ok && $i < length($_[0])) { - if (index($_[1], substr($_[0],$i,1)) == -1) { - $ok = 0; - } - $i++; - } - return($ok); -} - -# Get the name of this program -$prog= join ' ',$0,@ARGV; -$logprefix='[' . scalar localtime . '] ' . 
$prog; - -# Get the user name -$user= ; -chomp $user; - -# Get the password name -$pass= ; -chomp $pass; - -# check for valid characters -if (!validchars($user, $mychars) || !validchars($pass, $mychars)) { - print STDERR "$logprefix: invalid characters used in login/password - Rejected\n"; - exit 1; -} - -# check for password in mysql database -#if -my $dbh = DBI->connect("DBI:mysql:database=$dbname:host=$dbhost:port=$dbport",$dbuser,$dbpw,{PrintError=>0}); - -if (!$dbh) { - print STDERR "$logprefix: could not connect to database - Rejected\n"; - exit 1; -} - -my $dbq = $dbh->prepare("select username as username, password as password from users where username=?;"); -$dbq->bind_param(1, $user); -$dbq->execute; -my $row = $dbq->fetchrow_hashref(); - -if ($row->{username} eq "") { - print STDERR "$logprefix: could not find user $user - Rejected\n"; - exit 1; -} -if ($row->{password} eq "") { - print STDERR "$logprefix: empty password for user $user - Rejected\n"; - exit 1; -} - -if ($row->{password} eq crypt($pass,substr($row->{password},0,2))) { - print STDERR "$logprefix: password for user $user matches - Accepted\n"; - exit 0; -} else { - print STDERR "$logprefix: password for user $user does not match - Rejected\n"; - exit 1; -} - -$dbq->finish; -$dbh->disconnect; diff -Nru libapache2-mod-authnz-external-3.2.4/pwauth/README libapache2-mod-authnz-external-3.3.1/pwauth/README --- libapache2-mod-authnz-external-3.2.4/pwauth/README 2009-05-21 02:24:25.000000000 +0000 +++ libapache2-mod-authnz-external-3.3.1/pwauth/README 1970-01-01 00:00:00.000000000 +0000 
@@ -1,3 +0,0 @@
-The "pwauth" external authenticator is not included in the mod_auth_external
-distribution. It is now available as a separate package from
-http://www.unixpapa.com/pwauth/.
diff -Nru libapache2-mod-authnz-external-3.2.4/radius/README libapache2-mod-authnz-external-3.3.1/radius/README
--- libapache2-mod-authnz-external-3.2.4/radius/README 2009-05-21 02:24:25.000000000 +0000
+++ libapache2-mod-authnz-external-3.3.1/radius/README 1970-01-01 00:00:00.000000000 +0000
@@ -1,12 +0,0 @@
-Older versions of mod_auth_external included an example of a hard
-coded internal authentication function which was designed for
-authenticating from a Radius server.
-
-It is no longer included in the mod_auth_external distribution because
-its license did not appear to be a full open source license.
-
-People interested in a radius authenticator, should probably look into
-mod_auth_radius.
-
-For the time being, the old contents of this directory will be available
-from http://unixpapa.com/software/mae_radius.tar.gz
diff -Nru libapache2-mod-authnz-external-3.2.4/sybase/README libapache2-mod-authnz-external-3.3.1/sybase/README
--- libapache2-mod-authnz-external-3.2.4/sybase/README 2009-05-21 02:24:24.000000000 +0000
+++ libapache2-mod-authnz-external-3.3.1/sybase/README 1970-01-01 00:00:00.000000000 +0000
@@ -1,12 +0,0 @@
-This is a hardcoded internal authentication function for use with
-mod_auth_external or mod_authnz_external. It supports authenticating
-from a Sybase database using the DB lib interface.
-
-It assumes the existence of a table named "users" in your database, with
-fields named "login" and "passwd" which are both adequately large varchar
-types. Passwords are stored as plain text, which Jan Wolter considers a
-grevious mistake. Better to encrypt them with something like crypt(3).
-
-Author:
-
-This code is not being maintained.
diff -Nru libapache2-mod-authnz-external-3.2.4/sybase/mod_auth_external_sybase.c libapache2-mod-authnz-external-3.3.1/sybase/mod_auth_external_sybase.c
--- libapache2-mod-authnz-external-3.2.4/sybase/mod_auth_external_sybase.c 2009-05-21 02:24:24.000000000 +0000
+++ libapache2-mod-authnz-external-3.3.1/sybase/mod_auth_external_sybase.c 1970-01-01 00:00:00.000000000 +0000
@@ -1,197 +0,0 @@ -/* ==================================================================== - * Copyright (c) 1997 Societe Generale. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by Societe Generale" - * - * 4. The name "Societe Generale" must not be used to endorse or - * promote products derived from this software without prior written - * permission. - * - * 5. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by Societe Generale" - * - * THIS SOFTWARE IS PROVIDED BY SOCIETE GENERALE ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SOCIETE GENERALE - * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE - * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, - * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- * - */ - - -/* mod_auth_external_sybase.c 1.2 - apache authentication using - * mod_auth_external HARCODE extension. - * - * To edit this file, use 3-characters tabs. - * - * REVISIONS: - * 1.0: br, may 15 1997 - * 1.1: br, may 21 1997 - * added some log facilities, due to PASS variable problem... - * 1.2: br, june 5 1997 - * updated code to use mod_auth_external HARDCODE extension - * changed log usage - * - * TO DO: - * - check for sybase failures, and eventually try new connexions - * - add config file facility - * - permit multiple config files - * - */ - -#undef STATUS /* to permit correct apache compilation */ - -#include /* for those who like comments */ -#include -#include -#include -#include -#include -#include -#include -#include - -/* sybase constants: ugly, but they will *NEVER* change... - */ -#define DBUSER "cleopatra" /* user */ -#define DBPASS "noufnouf" /* passwd */ -#define DBNAME "ISIS" /* basename */ - -#define LOGFILE "/var/log/www/checkpass" /* to log USER/PASS info */ - -/* openbase() - open database... - * - * return value: - * NULL: cannot access database - * other: DBPROCESS id. - * - */ -DBPROCESS *openbase() -{ - LOGINREC *login = NULL; - - if (dbinit() == FAIL) /* get login */ - return NULL; - login = dblogin(); - - DBSETLUSER(login, DBUSER); /* set user & passwd database access */ - DBSETLPWD(login, DBPASS); - - return dbopen(login, DBNAME); /* open connexion */ -} - -/* sybasecheck(user, passwd, conf) - * char *passwd, *passwd, *conf; - * - */ -sybasecheck(user, pass, conf) - char *user, *pass, *conf; -{ - static DBPROCESS *dbproc = NULL; - char gotpass[256]; - int debug = 1; /* change this and recompile to have some - * debugging - */ - int status; - FILE *debugfile = NULL; - - if (debug) { /* open log file */ - debugfile = fopen(LOGFILE, "a+"); - } - if (debugfile) { - fprintf(debugfile, "sybasecheck: USER = <%s> ", - user? user: ""); - fprintf(debugfile, "PASS = <%s> ", pass? 
pass: ""); - } - - if (user && pass) { /* got something? */ - if (!dbproc) { - dbproc = openbase(); /* open database */ - if (debugfile) { - fprintf(debugfile, " [%d]: opened base [%#x] ", - (int) getpid(), dbproc); - } - } - else { - if (debugfile) { - fprintf(debugfile, " [%d]: base [%#x] ", - (int) getpid(), dbproc); - } - } - - if (dbproc) { - /* we generate sql request. It looks like: - * select passwd from users where login=$USER - */ - dbfcmd(dbproc, "select passwd from users where login = \"%s\"", user); - - if (dbsqlexec(dbproc) == SUCCEED) { - - if (dbresults(dbproc) == SUCCEED) { - - /* we bind the results to gotpasss string & check if we - * got something... - */ - if ((dbbind(dbproc, 1, NTBSTRINGBIND, - sizeof(gotpass), gotpass) == SUCCEED) && - ((status = dbnextrow(dbproc)) != FAIL) && - (status != NO_MORE_ROWS)) { - - if (debugfile) { - fprintf(debugfile, "GOTPASS = <%s>\n", - gotpass? gotpass: ""); - fclose(debugfile); - } - - /* ok: compare result to PASS variable, and exit - */ - return(strcmp(gotpass, pass)? 1: 0); - } - - /* all rest are sybase errors... - */ - else - if (debugfile) - fprintf(debugfile, "error accessing database.\n"); - } - else - if (debugfile) - fprintf(debugfile, "error dbresults.\n"); - } - else { - if (debugfile) - fprintf(debugfile, "error in dbsqlexec.\n"); - } - } - else - if (debugfile) - fprintf(debugfile, "error in dbopen.\n"); - } - if (debugfile) - fclose(debugfile); - - return (1); - -} -