httpd-dev mailing list archives

From Nathan Neulinger <>
Subject Re: could someone update the mod_auth_external.c with the new one
Date Sun, 04 Aug 1996 22:11:47 GMT
At 1:54 PM -0700 8/4/96, dave madden wrote:
> =>From: Nathan Neulinger <>
> =>...
> =>On a side note, I would like to be able to pipe the authentication data
> =>into the external routine, but I don't see any clean way to do that in the
> =>code. The reason is, using environment variables works great for some
> =>architectures, but is as insecure as using the command line for others
> =>(i.e. sys v based where you can list environment in ps command.)
> =>
> =>Would it be better to use a pipe or to write the authentication data out to
> =>a temporary file, and pass the temporary file on the command line, then
> =>remove the file when done? This actually might work better on all
> =>architectures, but it means more i/o.
>Why is the authentication data sensitive?  Certainly, the password or
>whatever you use to authenticate should be protected, but all an
>external program needs to know is whom the auth module believes the
>user to be.  (In case it's not clear, I'm saying "pass the user
>identification, but not the password, in the environment.")
>Using a pipe, or writing the auth data to a file that the external
>program must somehow read, introduces unnecessary complexity.

The external auth module is for passing the authentication data (userid and
given password) to an external (not in the server) routine to perform the
verification. I have to do this because the AFS libraries that I use for
authentication will not link properly with ApacheSSL due to the
encryption/des routine names. It's also a lot more convenient in some cases
to just pass the data to an external routine to do the verification.

Basically, it's just like the dbm/db/etc. authorization modules, except
instead of talking to a database, or looking up in a datafile, it talks to
an external routine. Actually, any number of external routines, which makes
it particularly valuable, since you can add additional authenticators
without having to recompile the server. The user using the authentication
simply puts "AuthExternal <keyword>"  and/or "GroupExternal <keyword>" in
their htaccess file or server config to pick which external authenticator
to use.

On HP-UX, for example, I can safely pass the userid and password in the
environment, cause there is no way to view it. But on SysV based machines
this is not true.

Hope this clears this up... :)

-- Nathan

Nathan Neulinger                  Univ. of Missouri - Rolla
EMail:                  Computing Services
WWW:      SysAdmin:
