LANGUAGES
External authenticators can be written in almost any language. The sample
- authenticators in the 'test' directory are in Perl. The 'pwauth'
+ authenticators in the 'test' directory are in Perl and PHP. The 'pwauth'
authenticator is in ANSI C. The example code fragments in this document
are in C.
rlim.rlim_cur = rlim.rlim_max = 0;
(void)setrlimit(RLIMIT_CORE, &rlim);
+ Actually, core dumps seem to be mostly a thing of the past. Most modern
+ Unixes don't seem to generate them.
+
It may not hurt to spend a little time looking at the features of the pwauth
authenticator, which is the most secure external authenticator that I have
written.
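Review bot: The added paragraph after the setrlimit(RLIMIT_CORE, &rlim) lines does not say whether an authenticator should still make that call, and "seem to" twice leaves the reader guessing. Since the text gives no way to confirm that core dumps are off on a given system, I would add a sentence saying the call is cheap and should stay in place regardless.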
USER and PASS environment variables respectively.
Note that the environment method has fundamental security weaknesses,
- and should probably not be used. Use the pipe method instead.
+ and should probably not be used unless you have cause to believe it is
+ safe on your system. I wouldn't be surprised if it is marginally faster
+ than the pipe method. Most applications should use the pipe method instead.
A typical chunk of C code to authenticate with the environment method
might be like:
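Review bot: The new "unless you have cause to believe it is safe on your system" wording gives the reader no criterion for deciding that, while the same sentence still says the method has fundamental security weaknesses. Either name the condition the administrator is expected to verify, or keep the original unconditional "Use the pipe method instead." The "marginally faster" remark is stated as a guess; I would drop it or back it with a measurement, since it reads as a reason to choose the weaker method.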
+v3.3.2 (Jan Wolter - NOT YET RELEASED)
+----------------------------------------------
+ * Added test/test.pipe.php, a PHP version of test/test.pipe contributed
+ by Claus Andersen.
+
v3.3.1 (Jan Wolter - Oct 12, 2011)
----------------------------------------------
* Deleted most of the sample authenticators from the distribution. They
These are dummy external authenticator programs used for testing
mod_auth_external or mod_authnz_external.
-They are all Perl scripts. Before using them, make sure that the
-#!/usr/bin/perl directives in the first lines give the correct pathname
-for the Perl interpretor on your system.
+They are mostly Perl scripts, and one PHP script. Before using them, make
+sure that the directives on the first lines of each file:
+ #!/usr/bin/perl
+ #!/usr/bin/php
+give the correct pathname for the Perl and/or PHP interpretors on your system.
The files are:
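Review bot: Spelling in the added line "give the correct pathname for the Perl and/or PHP interpretors on your system": this should be "interpreters". The removed text had the same misspelling ("interpretor"), so this is a good moment to fix it rather than carry it forward.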
testgroup.pipe Dummy group check program using pipe method
testgroup.env Dummy group check program using environment method
+ test.pipe.php PHP version of test.pipe
+
The user authentication programs will accept a login if the user name
matches the password, and will reject all others.
(Obviously you wouldn't want to log plain-text passwords in a real
authentication program).
-Author & Maintainer: Jan Wolter http://www.unixpapa.com
+Author & Maintainer for Perl Versions: Jan Wolter http://www.unixpapa.com
+Author of PHP Version: Claus Andersen
--- /dev/null
+#!/usr/bin/php
+<?php
+
+// Test authenticator using pipe method. Logins will be accepted if the
+// login and the password are identical, and will be rejected otherwise.
+//
+// This authenticator does copious logging by writing all sorts of stuff to
+// STDERR. A production authenticator would not normally do this, and it
+// *especially* would not write the plain text password out to the log file.
+
+// Get the name of this program
+$prog = $argv[0];
+
+// Get the user name
+$user = trim(fgets(STDIN));
+
+// Get the password
+$pass = trim(fgets(STDIN));
+
+// Print them to the error_log file
+fwrite(STDERR, $prog . ": user='" . $user . "' pass='" . $pass . "'\n");
+
+foreach ($_ENV as $k => $v)
+{
+ fwrite(STDERR, $prog . ': ' . $k . '=' . $v . "\n");
+}
+
+// Accept the login if the user name matchs the password
+if ($user == $pass)
+{
+ fwrite(STDERR, $prog . ": login matches password - Accepted\n");
+ exit(0);
+}
+else
+{
+ fwrite(STDERR, $prog . ": login doesn't match password - Rejected\n");
+ exit(1);
+}
+
+?>
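Review bot: The check `if ($user == $pass)` uses PHP's loose comparison, so two different numeric-looking strings (for example "1e3" and "1000") compare equal and the login is accepted, which contradicts the header comment that logins are accepted only if login and password are identical; use `===`. Related, in the two `trim(fgets(STDIN))` lines: fgets returns false when nothing is sent on the pipe, trim turns that into an empty string, and an empty user then matches an empty password, so the script accepts a login when it receives no input at all. I would reject when either fgets call returns false, and strip only the line ending (rtrim with "\r\n") instead of all surrounding whitespace. Minor: the `foreach ($_ENV ...)` loop logs nothing when variables_order in php.ini omits "E"; getenv() would not depend on that setting.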