v3.3.1 (Jan Wolter - )
----------------------------------------------
+ * Deleted most of the sample authenticators from the distribution. They
+ are mostly old and crufty or available elsewhere. No need to clutter
+ the main distribution with them.
* Added code to support caching authentications with mod_authn_socache.
This is enabled by the "AuthExternalProvideCache On" directive.
we could possibly list. See the file AUTHENTICATORS for more information
on implementing authenticators.
-Example External Authentication Routines in this Distribution:
---------------------------------------------------------------
+Example Authentication Routines in this Distribution:
+-----------------------------------------------------
test/
Several small dummy external authentication programs written in Perl.
any user whose password and login name are identical. They write
lots of debugging info to the error_log file.
- Author and Maintainer: Jan Wolter <janc@cyberspace.org>
+ Author and Maintainer: Jan Wolter http://unixpapa.com/
- mysql/
+Example Authentication Routines Formerly Included in this Distribution:
+-----------------------------------------------------------------------
+In the interest of cleaning up the distribution, several other examples
+that were formerly distributed with this module are now only available
+separately.
+
+ pwauth
+ A C program for authenticating out of unix shadow password files or
+ PAM.
+
+ Author and Maintainer: Jan Wolter http://unixpapa.com/
+ Available from: http://code.google.com/p/pwauth/
+
+ MYSQL-auth
A Perl program for authenticating out of a MySQL database. This is
written in Perl using the DBI interface, so it could be trivially adapted
to work with any other SQL database server that has a DBI interface
(that is to say all of them).
Author and Maintainer: Anders Nordby <anders@fix.no>
- http://anders.fix.no/software/#unix
-
-The "pwauth" authenticator for unix shadow password files or PAM which
-was previously included in this distribution is now in a separate package,
-available from http://www.unixpapa.com/pwauth/.
-
-Example Hardcoded Internal Authentication Routines in this Distribution:
-------------------------------------------------------------------------
+ Available From: http://anders.fix.no/software/#unix
- sybase/
- A function that queries a sybase database and compares the passwords
- for said user.
+ sybase-internal-auth
+ An example of a hardcoded internal authentication function for use with
+ mod_auth_external or mod_authnz_external. It's designed for doing
+ authentication out of a sybase database, which these days would be better
+ done using mod_authn_dbd.
- Author: <br@ota.fr.socgen.com>
- Unmaintained.
+ Author: <br@ota.fr.socgen.com>
+ Available From: http://code.google.com/p/mod-auth-external/downloads
-The radius client previously distributed with mod_auth_external has been
-removed from the distribution because of possible license problems. Get it
-from http://unixpapa.com/software/mae_radius.tar.gz if you want it, but
-mod_auth_radius is a better choice.
+ mae-radius
+ Another example or a hardcoded internal authentication function.
+ This does radius authentication. It may not be fully open source.
-If you have programs or functions you have coded and would like to add them
-to the examples collection on the next release please email them to
-jan@unixpapa.com and include a short description.
+ Available From: http://unixpapa.com/software/mae_radius.tar.gz
Checkpassword Authenticators
----------------------------
+++ /dev/null
-The MySQL auth program is by Anders Nordby <anders@fix.no> who maintains it
-at http://anders.fix.no/software/#unix
-
-See the header of the auth-mysql.pl file for the author's notes.
-
-This require the Perl DBI/DBD libraries for mysql:
- http://cpan.valueclick.com/modules/by-category/07_Database_Interfaces/DBI/
- http://cpan.valueclick.com/modules/by-category/07_Database_Interfaces/DBD/
-
-Configuration is mostly by editing the definitions at the front of the
-mysql-auth.pl.
-
-In the likely event that your SQL tables have different field names, you'll
-also have to edit the SQL query in the call to $dbh->prepare().
-
-If you want to use a database server other than MySQL, you'll need the DBD
-library for that database and you'll need to change the DBI->connect() call.
+++ /dev/null
-#!/usr/bin/perl -Tw
-# MySQL-auth version 1.0
-# Anders Nordby <anders@fix.no>, 2002-01-20
-# This script is usable for authenticating users against a MySQL database with
-# the Apache module mod_auth_external or mod_authnz_external. See
-# http://unixpapa.com/mod_auth_external/ for mod_auth_external.
-#
-# Updates to this script will be made available on:
-# http://anders.fix.no/software/#unix
-
-my $dbhost="localhost";
-my $dbuser="validator";
-my $dbpw="whatagoodpassword";
-my $dbname="funkydb";
-my $dbport="3306";
-my $mychars="01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_,.";
-
-# Below this, only the SQL query should be interesting to modify for users.
-
-use DBI;
-
-sub validchars
-{
- # 0: string 1: valid characters
- my $streng = $_[0];
-
- my $ok = 1;
- my $i = 0;
- while ($ok && $i < length($_[0])) {
- if (index($_[1], substr($_[0],$i,1)) == -1) {
- $ok = 0;
- }
- $i++;
- }
- return($ok);
-}
-
-# Get the name of this program
-$prog= join ' ',$0,@ARGV;
-$logprefix='[' . scalar localtime . '] ' . $prog;
-
-# Get the user name
-$user= <STDIN>;
-chomp $user;
-
-# Get the password name
-$pass= <STDIN>;
-chomp $pass;
-
-# check for valid characters
-if (!validchars($user, $mychars) || !validchars($pass, $mychars)) {
- print STDERR "$logprefix: invalid characters used in login/password - Rejected\n";
- exit 1;
-}
-
-# check for password in mysql database
-#if
-my $dbh = DBI->connect("DBI:mysql:database=$dbname:host=$dbhost:port=$dbport",$dbuser,$dbpw,{PrintError=>0});
-
-if (!$dbh) {
- print STDERR "$logprefix: could not connect to database - Rejected\n";
- exit 1;
-}
-
-my $dbq = $dbh->prepare("select username as username, password as password from users where username=?;");
-$dbq->bind_param(1, $user);
-$dbq->execute;
-
-my $row = $dbq->fetchrow_hashref();
-
-if ($row->{username} eq "") {
- print STDERR "$logprefix: could not find user $user - Rejected\n";
- exit 1;
-}
-if ($row->{password} eq "") {
- print STDERR "$logprefix: empty password for user $user - Rejected\n";
- exit 1;
-}
-
-if ($row->{password} eq crypt($pass,substr($row->{password},0,2))) {
- print STDERR "$logprefix: password for user $user matches - Accepted\n";
- exit 0;
-} else {
- print STDERR "$logprefix: password for user $user does not match - Rejected\n";
- exit 1;
-}
-
-$dbq->finish;
-$dbh->disconnect;
+++ /dev/null
-Older versions of mod_auth_external included an example of a hard
-coded internal authentication function which was designed for
-authenticating from a Radius server.
-
-It is no longer included in the mod_auth_external distribution because
-its license did not appear to be a full open source license.
-
-People interested in a radius authenticator, should probably look into
-mod_auth_radius.
-
-For the time being, the old contents of this directory will be available
-from http://unixpapa.com/software/mae_radius.tar.gz
+++ /dev/null
-This is a hardcoded internal authentication function for use with
-mod_auth_external or mod_authnz_external. It supports authenticating
-from a Sybase database using the DB lib interface.
-
-It assumes the existence of a table named "users" in your database, with
-fields named "login" and "passwd" which are both adequately large varchar
-types. Passwords are stored as plain text, which Jan Wolter considers a
-grevious mistake. Better to encrypt them with something like crypt(3).
-
-Author: <br@ota.fr.socgen.com>
-
-This code is not being maintained.
+++ /dev/null
-/* ====================================================================
- * Copyright (c) 1997 Societe Generale. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by Societe Generale"
- *
- * 4. The name "Societe Generale" must not be used to endorse or
- * promote products derived from this software without prior written
- * permission.
- *
- * 5. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by Societe Generale"
- *
- * THIS SOFTWARE IS PROVIDED BY SOCIETE GENERALE ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SOCIETE GENERALE
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
- * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
- * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-
-/* mod_auth_external_sybase.c 1.2 - apache authentication using
- * mod_auth_external HARCODE extension.
- *
- * To edit this file, use 3-characters tabs.
- *
- * REVISIONS:
- * 1.0: br, may 15 1997
- * 1.1: br, may 21 1997
- * added some log facilities, due to PASS variable problem...
- * 1.2: br, june 5 1997
- * updated code to use mod_auth_external HARDCODE extension
- * changed log usage
- *
- * TO DO:
- * - check for sybase failures, and eventually try new connexions
- * - add config file facility
- * - permit multiple config files
- *
- */
-
-#undef STATUS /* to permit correct apache compilation */
-
-#include <stdio.h> /* for those who like comments */
-#include <string.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sybfront.h>
-#include <sybdb.h>
-#include <syberror.h>
-
-/* sybase constants: ugly, but they will *NEVER* change...
- */
-#define DBUSER "cleopatra" /* user */
-#define DBPASS "noufnouf" /* passwd */
-#define DBNAME "ISIS" /* basename */
-
-#define LOGFILE "/var/log/www/checkpass" /* to log USER/PASS info */
-
-/* openbase() - open database...
- *
- * return value:
- * NULL: cannot access database
- * other: DBPROCESS id.
- *
- */
-DBPROCESS *openbase()
-{
- LOGINREC *login = NULL;
-
- if (dbinit() == FAIL) /* get login */
- return NULL;
- login = dblogin();
-
- DBSETLUSER(login, DBUSER); /* set user & passwd database access */
- DBSETLPWD(login, DBPASS);
-
- return dbopen(login, DBNAME); /* open connexion */
-}
-
-/* sybasecheck(user, passwd, conf)
- * char *passwd, *passwd, *conf;
- *
- */
-sybasecheck(user, pass, conf)
- char *user, *pass, *conf;
-{
- static DBPROCESS *dbproc = NULL;
- char gotpass[256];
- int debug = 1; /* change this and recompile to have some
- * debugging
- */
- int status;
- FILE *debugfile = NULL;
-
- if (debug) { /* open log file */
- debugfile = fopen(LOGFILE, "a+");
- }
- if (debugfile) {
- fprintf(debugfile, "sybasecheck: USER = <%s> ",
- user? user: "<NULL>");
- fprintf(debugfile, "PASS = <%s> ", pass? pass: "<NULL>");
- }
-
- if (user && pass) { /* got something? */
- if (!dbproc) {
- dbproc = openbase(); /* open database */
- if (debugfile) {
- fprintf(debugfile, " [%d]: opened base [%#x] ",
- (int) getpid(), dbproc);
- }
- }
- else {
- if (debugfile) {
- fprintf(debugfile, " [%d]: base [%#x] ",
- (int) getpid(), dbproc);
- }
- }
-
- if (dbproc) {
- /* we generate sql request. It looks like:
- * select passwd from users where login=$USER
- */
- dbfcmd(dbproc, "select passwd from users where login = \"%s\"", user);
-
- if (dbsqlexec(dbproc) == SUCCEED) {
-
- if (dbresults(dbproc) == SUCCEED) {
-
- /* we bind the results to gotpasss string & check if we
- * got something...
- */
- if ((dbbind(dbproc, 1, NTBSTRINGBIND,
- sizeof(gotpass), gotpass) == SUCCEED) &&
- ((status = dbnextrow(dbproc)) != FAIL) &&
- (status != NO_MORE_ROWS)) {
-
- if (debugfile) {
- fprintf(debugfile, "GOTPASS = <%s>\n",
- gotpass? gotpass: "<NULL>");
- fclose(debugfile);
- }
-
- /* ok: compare result to PASS variable, and exit
- */
- return(strcmp(gotpass, pass)? 1: 0);
- }
-
- /* all rest are sybase errors...
- */
- else
- if (debugfile)
- fprintf(debugfile, "error accessing database.\n");
- }
- else
- if (debugfile)
- fprintf(debugfile, "error dbresults.\n");
- }
- else {
- if (debugfile)
- fprintf(debugfile, "error in dbsqlexec.\n");
- }
- }
- else
- if (debugfile)
- fprintf(debugfile, "error in dbopen.\n");
- }
- if (debugfile)
- fclose(debugfile);
-
- return (1);
-
-}
-