{"id":22270264,"url":"https://github.com/kitech/mod_authnz_external","last_synced_at":"2025-06-25T08:04:25.584Z","repository":{"id":14411549,"uuid":"17122387","full_name":"kitech/mod_authnz_external","owner":"kitech","description":"Authentication via ACM class LDAP","archived":false,"fork":false,"pushed_at":"2014-02-24T02:21:59.000Z","size":171,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-25T15:51:20.060Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"http://ubuntuforums.org/showthread.php?t=1112664","language":"C","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kitech.png","metadata":{"files":{"readme":"README","changelog":"CHANGES","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-02-24T02:01:03.000Z","updated_at":"2020-06-28T19:23:59.000Z","dependencies_parsed_at":"2022-09-21T23:22:16.795Z","dependency_job_id":null,"html_url":"https://github.com/kitech/mod_authnz_external","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/kitech/mod_authnz_external","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kitech%2Fmod_authnz_external","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kitech%2Fmod_authnz_external/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kitech%2Fmod_authnz_external/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kitech%2Fmod_authnz_external/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kitech","download_url":"https://codeload.github.com/kitech/mod_authnz_
external/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kitech%2Fmod_authnz_external/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261832617,"owners_count":23216494,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-03T12:07:52.459Z","updated_at":"2025-06-25T08:04:25.562Z","avatar_url":"https://github.com/kitech.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"                   Mod_Authnz_External version 3.3.x\n\n     Original Coder: Nathan Neulinger \u003cnneul@umr.edu\u003e\nPrevious Maintainer: Tyler Allison    \u003callison@nas.nasa.gov\u003e\n Current Maintainer: Jan Wolter       http://www.unixpapa.com\n    Apache 2.0 Port: Dave Woolaway    \u003cdave@watersheep.org\u003e\n    \t\t     Sven Koch        \u003chaegar@sdinet.de\u003e\n    Apache 2.2 Port: Jan Wolter       http://www.unixpapa.com\n\nCaution:\n--------\n\nMod_Auth_External can be used to quickly construct secure, reliable\nauthentication systems.  It can also be mis-used to quickly open gaping\nholes in your security.  Read the documentation, and use with extreme\ncaution.\n\nVersions:\n---------\n\nMod_authnz_external version 3.3.x is designed for use with Apache version\n2.4.x.  It will not work with Apache 2.2 or 2.0.  
For older versions of\nApache you will need older branches of mod_authnz_external:\n\n     Apache 1.3   mod_auth_external-2.1.x\n     Apache 2.0   mod_auth_external-2.2.x\n     Apache 2.2   mod_authnz_external-3.1.x or mod_authnz_external-3.2.x\n     Apache 2.4   mod_authnz_external-3.3.x\n\nThis module was developed from \"mod_auth_external\".  It has been restructured\nto fit into the authn/authz structure introduced in Apache 2.1.  It can be used\nin any application where mod_auth_external was previously used.  No changes\nwill be needed to the external authentication programs, but the exact Apache\nconfiguration commands needed will be different.  It is possible to use the\nold \"mod_auth_external-2.2\" with Apache-2.2, but mod_authnz_external is\npreferable.  If you are upgrading from \"mod_auth_external\" to\n\"mod_authnz_external\" then read the file \"UPGRADE\" for advice.\n\nIntroduction:\n-------------\n\nMod_Authnz_External is an Apache module used for authentication.  The Apache\nHTTP Daemon can be configured to require users to supply logins and passwords\nbefore accessing pages in some directories.  Authentication is the process\nof checking if the password given is correct for a user.  Apache has\nstandard modules for authenticating out of several different kinds of\ndatabases.  Mod_Authnz_External is a flexible tool for creating authentication\nsystems based on other databases.\n\nMod_Authnz_External can be used in either of two somewhat divergent ways:\n\n External Authentication:\n\n    When a user supplies a login and password, mod_authnz_external runs a\n    program you write, passing it the login and password.  
Your program\n    does whatever checking and logging it needs to, and then returns an\n    Accept/Reject flag to Apache.\n\n    This is slower than doing the authentication internally because it\n    has the overhead of launching an external program for each authentication.\n    However, there are at least two situations where it is very useful:\n\n      - Rapid prototyping.  The external authentication program can be\n        a shell script or perl program.  It can be written without knowing\n        much about building Apache modules.  Bugs in it will not endanger\n        the overall integrity of the Apache server.  Later, as performance\n\tbecomes more of an issue, you can write a custom Apache module to\n\tdo the job more efficiently (perhaps using the HARDCODE option below).\n\n      - Access restrictions.  There are situations where you do not want to\n        make your user database readable to the user-id that Apache runs\n        under.  In these cases the external authentication program can be\n        an suid program that has access to databases Apache cannot access.\n        For example, if you want to authenticate out of a Unix shadow\n        password database, and you aren't foolish enough to run Apache\n        as root, a carefully written suid-root external authentication\n        program can do the job for you.\n\n    Pwauth, an external authentication program for securely authenticating\n    out of a Unix shadow password database, is available from\n    http://www.unixpapa.com/pwauth/ .\n\n Hardcoded Authentication:\n\n    Some hooks have been inserted into mod_authnz_external to make it easy\n    to replace the call to the external authentication program with a\n    call to a hardcoded internal authentication routine that you write.\n\n    This is sort of a half-way measure to just writing your own Apache\n    module from scratch, allowing you to use some of the logic from\n    mod_authnz_external.\n\n    Example functions for authenticating out 
of a RADIUS server or Sybase\n    database are included in this distribution.\n\nCompatibility:\n--------------\n\nThe current version of mod_authnz_external is designed for use with Apache 2.2.\nIt will not work with older versions of Apache.\n\nMod_authnz_external has been tested on a wide variety of Unix platforms.  In\ntheory versions after 3.2.0 should work on any non-Unix platforms supported\nby Apache, but it has been tested only under Unix.\n\nMod_authnz_external is also compatible with authenticators using the\ncheckpassword interface.  See http://cr.yp.to/checkpwd.html for more\ninformation.\n\nAuthn / Authz\n-------------\n\nUsers of mod_authnz_external may find it helpful to understand a bit more of\nits internal structure.  It is actually best thought of as two functionally\nseparate modules, mod_authn_external and mod_authz_external, which have been\ncombined into a single module simply because they share a lot of code.\nIn any particular application, you may only be using one of these two\nmodules, or you may be using both.\n\nThe mod_authn_external part is an authentication provider for the\nmod_auth_basic module.  Mod_auth_basic handles all the negotiations with\nthe browser, while all mod_authn_external does is check if a password\nsubmitted by the user is correct (which it does by running an external\nprogram to perform the check).\n\nThe mod_authz_external part does access control.  It has no relation\nto mod_auth_basic.  It comes into play after authentication is complete,\nwhen a \"Require group\" or \"Require file-group\" directive is given.  It\nchecks if the authenticated user is in the list of required groups (which\nit does by running an external program to perform the check).\n\nDigest Authentication\n---------------------\n\nThe new authentication structure introduced in Apache 2.1 makes it much\neasier for modules like this one to support digest authentication as an\nalternative to basic authentication.  
Mod_Authnz_External, however, does\nnot yet support digest authentication.\n\nI hope to support this in the future, but it really isn't a very attractive\nalternative and I don't expect many people will want to use it.  It will\nnot be possible to use the same external authentication programs that are\nused for basic authentication - they would have to be rewritten.  It will\nonly work if the database being accessed by the external program either has\npasswords in plaintext, or has them encrypted in a very specific way.  This\nmeans it could not be used for unix password database authentication or with\nmost other password databases not specifically designed for this application.\nAnd password databases specifically designed for this application might as\nwell be designed in a format where they could be accessed by mod_authn_file\nor mod_authn_dbm.\n\nSecurity Considerations:\n------------------------\n\nBy default, mod_authnz_external passes the user's login and password to the\nexternal authentication program by sending them through a pipe.  This is\nvery secure.\n\nIn older versions of mod_auth_external, the login and password were by\ndefault passed in environment variables called USER and PASS.  This is\nstill an option, but we do NOT recommend using this option.\n\nOn some versions of Unix (including SunOS and IRIX) any user logged onto\nthe server can see these values by doing a \"ps -e\" command.  This would\nobviously be a problem if there are ever untrusted users on your server.\nOther versions of Unix (including Linux) restrict \"ps -e\" so you can only\nsee your own processes, but this may still be a problem if untrusted people\ncan put CGI programs on your server, since those may run as the same user\nas your authentication program does.  Some versions of Unix don't seem to\nhave a \"ps -e\" command at all, but even then it is best to be careful. 
\nAlthough the default \"ps\" command on Solaris won't display environment\nvariables, the backwards compatible \"/usr/ucb/ps\" command does.  Are you\nsure there isn't and won't be an old-style ps command installed on your\nsystem? \n\nUse of this module requires development of an external authentication program\nor a hardcoded internal function.  These are typically very simple programs,\nbut there are more ways to screw up your security by doing them badly than\nwe could possibly list.  See the file AUTHENTICATORS for more information\non implementing authenticators.\n\nExample Authentication Routines in this Distribution:\n-----------------------------------------------------\n\n test/\n    Several small dummy external authentication programs written in Perl\n    (there is also a PHP version of one of them). These are meant only for\n    testing of mod_authnz_external.  They accept any user whose password\n    and login name are identical.  They write lots of debugging info to\n    the error_log file.\n\n    Author and Maintainer:  Jan Wolter http://unixpapa.com/\n    Author of PHP Version:  Claus Andersen\n\nExample Authentication Routines Formerly Included in this Distribution:\n-----------------------------------------------------------------------\nIn the interest of cleaning up the distribution, several other examples\nthat were formerly distributed with this module are now only available\nseparately.\n\n pwauth\n    A C program for authenticating out of unix shadow password files or\n    PAM.\n\n    Author and Maintainer:  Jan Wolter http://unixpapa.com/\n    Available from: http://code.google.com/p/pwauth/\n\n MYSQL-auth\n    A Perl program for authenticating out of a MySQL database.  
This is\n    written in Perl using the DBI interface, so it could be trivially adapted\n    to work with any other SQL database server that has a DBI interface\n    (that is to say all of them).\n\n    Author and Maintainer:  Anders Nordby \u003canders@fix.no\u003e\n    Available From: http://anders.fix.no/software/#unix\n\n sybase-internal-auth\n    An example of a hardcoded internal authentication function for use with\n    mod_auth_external or mod_authnz_external. It's designed for doing\n    authentication out of a sybase database, which these days would be better\n    done using mod_authn_dbd.\n\n    Author: \u003cbr@ota.fr.socgen.com\u003e\n    Available From: http://code.google.com/p/mod-auth-external/downloads\n\n mae-radius\n    Another example of a hardcoded internal authentication function.\n    This does radius authentication. It may not be fully open source.\n\n    Available From: http://unixpapa.com/software/mae_radius.tar.gz\n\nCheckpassword Authenticators\n----------------------------\n\nThere are various \"checkpassword\" compatible authenticators available on the\nnet which can be used with mod_authnz_external.  These authenticators are most\ncommonly used with qmail pop servers but it is sometimes useful to be able\nto use the same authentication system for some web pages.  I've listed some\nof the ones that look useful for mod_authnz_external, but I've tested only\n'checkpassword'.\n\n   checkpassword\n\thttp://cr.yp.to/checkpwd.html\n\tDan J. 
Bernstein \u003cdjb@cr.yp.to\u003e\n\n\tAuthentication from a Unix shadow password file, similar to the\n\tpwauth program.\n\n   radcheckpassword\n\thttp://www.tic.ch/e-image/andrew/software/radcheckpassword/\n\tAndrew Richards \u003candrew@tic.ch\u003e\n\n\tRadius authentication.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkitech%2Fmod_authnz_external","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkitech%2Fmod_authnz_external","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkitech%2Fmod_authnz_external/lists"}