File: README

package info (click to toggle)
libapache2-mod-intercept-form-submit 1.1.0-1
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, buster, sid, stretch
  • size: 128 kB
  • ctags: 41
  • sloc: ansic: 451; makefile: 25
file content (174 lines) | stat: -rw-r--r-- 5,834 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174

Apache module mod_intercept_form_submit
=======================================

Apache module to intercept submission of application login forms. It
retrieves the login and password information from the POST HTTP
request, runs PAM authentication with those credentials, and sets the
REMOTE_USER environment variable if the authentication passes. The
internal r->user field is also set so other modules can use it (even
if the module is invoked very late in the request processing).

If the REMOTE_USER is already set (presumably by some previous module),
no authentication takes place.

If the PAM authentication fails, environment variable
EXTERNAL_AUTH_ERROR is set to the string describing the error.

The assumption is that the application will be amended to trust the
REMOTE_USER value if it is set and skip its own login/password
validation (see the docs/ directory for outline of the interaction).

Module configuration
--------------------

Module mod_authnz_pam needs to be installed and loaded with

    LoadModule authnz_pam_module modules/mod_authnz_pam.so

because mod_intercept_form_submit uses it to do the actual PAM operations.

The mod_intercept_form_submit module needs to be configured for Location
that the application uses to process the login form POST requests. The
configuration has to specify three values:

    InterceptFormPAMService name_of_the_PAM_service

      The PAM service to authenticate against.

    InterceptFormLogin the_login_field_name

      Name of the login field in the login form, and thus the login
      parameter in the POST request.

    InterceptFormPassword the_password_field_name

      Name of the password field in the login form, and thus the
      password parameter in the POST request.

All three parameters above need to be specified or the interception
will not be enabled.

Optional parameters:

    InterceptFormLoginSkip one_login [or_more_logins]

      List of logins to ignore (never attempt to authenticate).

      By default authentication will be attempted for all logins.

    InterceptFormClearRemoteUserForSkipped on|off

      When set to on and authentication is skipped for users
      listed with InterceptFormLoginSkip, clears r->user and
      REMOTE_USER.

      Default is off.

    InterceptFormPasswordRedact on|off

      When set to on and authentication is attempted (no matter
      if it passes or fails), the value of the password will
      be modified in the POST data to string [REDACTED].

      Default is off.

    InterceptFormLoginRealms REALM1 [other REALM2]

      List of realm/domain names to append to the login and try
      in cycle when the login does not contain the '@' sign. This
      can be used for force particular realms without users being
      forced to enter them. Empty string can be used in the list
      to explicitly try authentication without any realm.

      This can be used with mod_auth_kerb's (default)
      KrbMethodK5Passwd Off to present login names including realms
      to web applications.

      By default, no modifications to login happens.

    InterceptGETOnSuccess on|off

      When the authentication using the POST data passes, the
      method of the request is internally changed to GET. This
      stops applications and frameworks that insist on running
      their own authentication on POST irrespective of REMOTE_USER
      value to think that they process GET.

Example:

    LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
    LoadModule authnz_pam_module modules/mod_authnz_pam.so
    <Location /users/login>
      InterceptFormPAMService http_application_sss
      InterceptFormLogin login[login]
      InterceptFormPassword login[password]
      InterceptFormLoginSkip admin
      InterceptFormClearRemoteUserForSkipped on
      InterceptFormPasswordRedact on
      InterceptFormLoginRealms EXAMPLE.COM LAB.EXAMPLE.COM ''
      InterceptGETOnSuccess on
    </Location>

The PAM service needs to be configured. For the above shown
http_application_sss example, file /etc/pam.d/http_application_sss
could be created with content

    auth    required   pam_sss.so
    account required   pam_sss.so

to authenticate against sssd.

On SELinux enabled systems, boolean allow_httpd_mod_auth_pam needs to
be enabled:

    setsebool -P allow_httpd_mod_auth_pam 1

Building from sources
---------------------

When building from sources, command

    apxs -i -a -c mod_intercept_form_submit.c -Wall -pedantic

should build and install the module.

Dependency on mod_authnz_pam
----------------------------

Module mod_intercept_form_submit has soft (runtime) dependency on
function pam_authenticate_with_login_password with prototype

	authn_status pam_authenticate_with_login_password(
		request_rec * r, const char * pam_service,
		const char * login, const char * password,
		int steps
	);

This function is typically provided by module mod_authnz_pam, and is
called to achieve the actual authentication via the PAM stack. When
mod_authnz_pam is not loaded and thus this function not available,
error

	mod_intercept_form_submit: pam_authenticate_with_login_password
		not found; perhaps mod_authnz_pam is not loaded

is logged and authentication does not take place.

License
-------

Copyright 2013--2016 Jan Pazdziora

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.