mod_auth_gssapi

Login form and OTP integration

Open shaohme opened this issue 9 years ago • 8 comments

Just a suggestion; Would it be overkill to integrate a login form instead of just basic auth fallback, and support OTP from MIT KRB5 in same auth form?

shaohme avatar Sep 01 '16 17:09 shaohme

Not overkill, but there are other modules that can do that and circle back to mod_auth_gssapi. This is some work we have done in the FreeIPA project to transition from x509 auth to having a krb ticket: http://www.freeipa.org/page/V4/External_Authentication I would probably use a similar approach rather than trying to bake in a form login method, especially because the main mantra of mod_auth_gssapi is that it uses exclusively GSSAPI and never krb5 directly.

simo5 avatar Sep 01 '16 20:09 simo5

I'm not sure how the circle back would work. For instance, MAG doesn't seem to register as an authnz provider for use in mod_auth_form...

shaohme avatar Sep 03 '16 19:09 shaohme

@adelton can you comment on the above idea ?

simo5 avatar Sep 06 '16 14:09 simo5

@shaohme, could you provide some mod_auth_form configuration that you envision to be used with the OTP setup?

adelton avatar Sep 06 '16 14:09 adelton

@adelton The current mod_auth_form code doesn't seem to be able to handle it.

I was thinking about modifying or forking the code to be able to take httpd_username, httpd_password, and httpd_otp optionally, or maybe N httpd_ variables. These variables get passed along to the modules that need them.

Either these variables need to be presented all on one HTML form, or username + password on one HTML page and the OTP input on another page. This is because MIT-KRB5 first needs a FAST channel established, then asks for the principal, then the OTP challenge. Below is a very early draft of Apache config:

```apache
<Location /auth>
    AuthType form
    AuthFormProvider gssapi
    AuthFormRoundsUrl http://host/auth
    AuthFormRounds 0:httpd_username,httpd_password,1:httpd_otp,2:httpd_foo,httpd_bar
</Location>
```

mod_auth_form keeps a state of where the client is in the auth process locally (by cookies, perhaps?), and redirects the user to the next URL, perhaps with a query (/auth?stage=[0,1,2,3....]), on which she submits the next load of values, until the process is done.

shaohme avatar Sep 06 '16 16:09 shaohme

I think it would be nice if we expose our basic-auth API as an authentication provider by implementing a check_password() function and registering it via ap_register_auth_provider(AUTHN_PROVIDER_GROUP).

This will allow it to be used as a parameter to AuthFormProvider and also allow it to be stacked along with other basic authentication providers in the AuthBasicProvider directive (and perhaps other advantages such as alternative caching via mod_authn_socache).

As regarding additional OTP, I think it could be provided via other config / module directly.

iboukris avatar Sep 06 '16 23:09 iboukris
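To make the provider idea above concrete, here is an added configuration sketch (not from the original thread, and not shipped by mod_auth_gssapi at the time of this discussion). It assumes the module would register its basic-auth check under the provider name `gssapi`; that name is an assumption. The first block stacks the hypothetical provider with a file-backed fallback under `AuthBasicProvider`, wrapped in `mod_authn_socache` so the KDC is not hit on every request; the second block shows the same provider behind an HTML login form via `mod_auth_form`. Only `AuthType GSSAPI`, `GssapiCredStore` and `GssapiBasicAuth` are real mod_auth_gssapi directives; the rest come from the stock httpd authn/authz modules.

```apache
# Added example: stacking a hypothetical "gssapi" authn provider.
# Assumption: mod_auth_gssapi exposes its basic-auth path via
# ap_register_auth_provider(AUTHN_PROVIDER_GROUP, "gssapi", ...).

# Cache successful checks so each request does not round-trip to the KDC
# (mod_authn_socache and mod_socache_shmcb must be loaded).
AuthnCacheSOCache shmcb

<Location /api>
    AuthType Basic
    AuthName "Kerberos or local account"
    # Try the (assumed) gssapi provider first, then a local htpasswd file.
    AuthBasicProvider socache gssapi file
    AuthnCacheProvideFor gssapi
    AuthnCacheTimeout 300
    AuthUserFile /etc/httpd/local-users.htpasswd
    Require valid-user
</Location>

<Location /login>
    # mod_auth_form drives the HTML login page; the credential check is
    # delegated to the same assumed provider, so passwords never reach
    # the application itself.
    AuthType form
    AuthName "Login"
    AuthFormProvider gssapi
    AuthFormLoginRequiredLocation /login.html
    Session On
    SessionCookieName session path=/
    # Hypothetical key; generate a random value per deployment.
    SessionCryptoPassphrase change-me-to-a-random-passphrase
    Require valid-user
</Location>

<Location /app>
    # Negotiate/SPNEGO for browsers with a ticket; GssapiBasicAuth lets
    # clients without one fall back to Basic, which the module turns into
    # an AS-REQ on their behalf.
    AuthType GSSAPI
    AuthName "Kerberos"
    GssapiCredStore keytab:/etc/httpd/http.keytab
    GssapiBasicAuth On
    Require valid-user
</Location>
```

The caveat a deployer should keep in mind: a Basic or form password path means the user's long-term key material transits the web server, which the pure Negotiate path avoids, so these locations belong behind TLS only, and the OTP second factor is still out of scope for this stacking (see the separate module suggestions in the thread).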

In general, mod_intercept_form_submit (via mod_authnz_pam), with fallback to mod_auth_gssapi, would likely provide reasonable solution.

adelton avatar Jul 18 '17 07:07 adelton
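As an added illustration of the combination adelton proposes (this is my own example, not configuration from the thread or from either project's documentation), the sketch below puts mod_intercept_form_submit on the login URL, has it verify the posted credentials against a PAM service, and leaves mod_auth_gssapi protecting the application for clients that already hold a ticket. The PAM service name `httpd-login`, the form field names `login`/`password` and the paths are assumptions; the directive names are the ones the two modules document. The OTP factor is handled on the PAM side (for example by a PAM module that prompts for a second factor), which is exactly why adelton prefers this over teaching mod_auth_gssapi about forms.

```apache
# Added example: HTML form login via mod_intercept_form_submit + PAM,
# with mod_auth_gssapi for Negotiate clients.
# Assumptions: a PAM service file /etc/pam.d/httpd-login exists and the
# login form posts fields named "login" and "password" to /app/login.

LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
LoadModule authnz_pam_module            modules/mod_authnz_pam.so
LoadModule auth_gssapi_module           modules/mod_auth_gssapi.so

<Location /app/login>
    # Intercept the POSTed form, authenticate against PAM, and set
    # REMOTE_USER on success. The password is redacted from the request
    # body before it reaches the application.
    InterceptFormPAMService httpd-login
    InterceptFormLogin login
    InterceptFormPassword password
    InterceptFormPasswordRedact on
    InterceptFormClearRemoteUserForSkipped on
</Location>

<Location /app>
    # Clients with a Kerberos ticket authenticate via Negotiate here;
    # GssapiUseSessions keeps them from re-negotiating on every request.
    AuthType GSSAPI
    AuthName "Kerberos"
    GssapiCredStore keytab:/etc/httpd/http.keytab
    GssapiUseSessions On
    Session On
    SessionCookieName gssapi_session path=/app;httponly;secure
    # Hypothetical key; generate a random value per deployment.
    SessionCryptoPassphrase change-me-to-a-random-passphrase
    # Account checks (expiry, access rules) still go through PAM.
    AuthPAMService httpd-login
    Require pam-account httpd-login
</Location>
```

Two practical checks before relying on this: confirm the PAM stack used by `httpd-login` actually enforces the OTP (run `pamtester`-style tests against it outside httpd), and confirm that a request that is neither a valid form post nor a Negotiate exchange is rejected rather than falling through with an empty REMOTE_USER.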

PR #151 seems to implement what @frenche suggested; it needs some polishing but should give at least basic auth.

simo5 avatar Oct 03 '17 18:10 simo5