# $Id: README,v 1.5 2007/12/08 03:26:51 atobey Exp $
In order to install and use this package you will need Perl version
5.6 or better, mod_perl2, libapreq (Apache2::Request), Crypt::CBC,
Crypt::Blowfish and Authen::ACE.
Installation as usual:
perl Makefile.PL
make
make test
make install
There are three components to Apache::AuthenSecurID.
Apache::AuthenSecurID
Apache::AuthenSecurID::Auth
ace_initd
There are support files for Redhat-based systems in the redhat directory.
NAME
Apache2::AuthenSecurID - Authentication via a SecurID server
SYNOPSIS
# Configuration in httpd.conf or access.conf
PerlModule Apache2::AuthenSecurID
<Location /secure/directory> AuthName SecurID AuthType Basic
PerlAuthenHandler Apache2::AuthenSecurID
PerlSetVar AuthCryptKey Encryption_Key
PerlSetVar AuthCookie Name_of_Authentication_Cookie
PerlSetVar AuthUserCookie Name_of_Username_Authentication_Cookie
PerlSetVar AuthCookiePath /path/of/authentication/cookie
PerlSetVar AuthCookieTimeOut 30
PerlSetVar Auth_Handler /path/of/authentication/handler
require valid-user
</Location>
DESCRIPTION
This module allows authentication against a SecurID server. It detects
whether a user has a valid encrypted cookie containing their username
and last activity time stamp. If the cookie is valid the module will
change the activity timestamp to the present time, encrypt and send the
cookie. If the cookie is not valid the module will redirect to the
authentication handler to prompt for username and passcode.
LIST OF TOKENS
* AuthCryptKey
The Blowfish key used to encrypt and decrypt the authentication cookie.
It defaults to my secret if this variable is not set.
* AuthCookie
The name of the of cookie to be set for the authentication token. It
defaults to SecurID if this variable is not set.
* AuthUserCookie
The name of the of cookie that contains the value of the persons
username in plain text. This is checked against the contents of the
encrypted cookie to verify user. The cookie is set of other applications
can identify authorized users. It defaults to SecurID_User if this
variable is not set.
* AuthCookiePath
The path of the of cookie to be set for the authentication token. It
defaults to / if this variable is not set.
* AuthCookieTimeOut
The time in minute a cookie is valid for. It is not recommended to set
below 5. It defaults to 30 if this variable is not set.
* Auth_Handler
The path of authentication handler. This is the URL which request with
invalid cookie are redirected to. The handler will prompt for username
and passcode. It does the actual authentication and sets the initial
cookie. This mechanism is used instead of get_basic_auth_pw because
get_basic_auth_pw will do multiple authentication attempt on pages that
contain frames. The ACE server will deny simultaneous authentication
attempts since it considers this a type of attack. It defaults to
/ace_init if this variable is not set. Please see
Apache2::AuthenSecurID::Auth to properly configure this functionality.
CONFIGURATION
The module should be loaded upon startup of the Apache daemon. Add the
following line to your httpd.conf:
PerlModule Apache2::AuthenSecurID
PREREQUISITES
For AuthenSecurID you need to enable the appropriate call-back hook when
making mod_perl:
perl Makefile.PL PERL_AUTHEN=1
AuthenSecurID requires Crypt::Blowfish and Crypt::CBC.
SEE ALSO
Apache, mod_perl, Authen::ACE Apache2::AuthenSecurID::Auth
AUTHORS
* mod_perl by Doug MacEachern <dougm@osf.org>
* Authen::ACE by Dave Carrigan <Dave.Carrigan@iplenergy.com>
* Apache::AuthenSecurID by David Berk <dberk@lump.org>
* mod_perl2 port and other modifications by Al Tobey <tobert@gmail.com>
COPYRIGHT
The Apache2::AuthenSecurID module is free software; you can redistribute
it and/or modify it under the same terms as Perl itself.
NAME
Apache2::AuthenSecurID::Auth - Authentication handler for
Apache2::AuthenSecurID
SYNOPSIS
# Configuration in httpd.conf
<Location /path/of/authentication/handler> SetHandler perl-script
PerlHandler Apache2::AuthenSecurID::Auth
PerlSetVar AuthCryptKey Encryption_Key
PerlSetVar AuthCookie Name_of_Authentication_Cookie
PerlSetVar AuthUserCookie Name_of_Username_Authentication_Cookie
PerlSetVar AuthCookiePath /path/of/authentication/cookie
PerlSetVar AuthApacheCookie Apache_Cookie
PerlSetVar ace_initd_server name.of.ace.handler.server.com
PerlSetVar ace_initd_port 1969
</Location>
DESCRIPTION
This module allows authentication against a SecurID server. A request is
redirected to this handler if the authentication cookie does not exist
or is no longer valid. The handler will prompt for username and
passcode. It will then construct and encrypt a UDP packet and send it to
the Ace request daemon. This is necessary since libsdiclient.a needs to
persist for NEXT TOKEN MODE and SET PIN MODE. If the authentication is
valid an encrypted Authentication Cookie is set and the request is
redirected to the originating URI. If the user needs to enter NEXT TOKEN
or set their PIN they will be prompted to do so and if valid the request
is then redirected to the originating URI.
LIST OF TOKENS
* AuthCryptKey
The Blowfish key used to encrypt and decrypt the authentication cookie.
It defaults to my secret if this variable is not set.
* AuthCookie
The name of the of cookie to be set for the authentication token. It
defaults to SecurID if this variable is not set.
* AuthUserCookie
The name of the of cookie that contains the value of the persons
username in plain text. This is checked against the contents of the
encrypted cookie to verify user. The cookie is set of other applications
can identify authorized users. It defaults to SecurID_User if this
variable is not set.
* AuthCookiePath
The path of the of cookie to be set for the authentication token. It
defaults to / if this variable is not set.
* AuthApacheCookie
The name of the mod_usertrack cookie. The mod_usertrack module must be
compile and enabled in order to track user sessions. This is set by the
CookieName directive in httpd.conf. It defaults to Apache if this
variable is not set.
* ace_initd_server
The name of the server running the ACE request daemon. This daemon is
the actual process that communicates with the ACE Server. If the user is
in NEXT TOKEN MODE due to repeated failures or SET PIN MODE the
Authen::ACE object must persist beyond the initial request. A request
packet is constructed with a random number, type of transaction,
username, passcode and session identifier. The request packet is then
encrypted using Blowfish and sent to the ACE request daemon. The ACE
request daemon decrypts and parses the packet. The request if forwarded
to the ACE server and the response is sent back to the handler. The
random number originally sent is returned to prevent attacks. It
defaults to localhost if this variable is not set.
* ace_initd_port
The port the that the Ace request daemon listens on. It defaults to 1969
if this variable is not set.
CONFIGURATION
The module should be loaded upon startup of the Apache daemon. Add the
following line to your httpd.conf:
PerlModule Apache2::AuthenSecurID::Auth
PREREQUISITES
For AuthenSecurID::Auth you need to enable the appropriate call-back
hook when making mod_perl:
perl Makefile.PL PERL_AUTHEN=1
AuthenSecurID::Auth requires Crypt::Blowfish and Crypt::CBC.
For AuthenSecurID::Auth to properly track users mod_usertrack must be
compiled and enabled.
SEE ALSO
Apache, mod_perl, Authen::ACE Apache2::AuthenSecurID::Auth
AUTHORS
* mod_perl by Doug MacEachern <dougm@osf.org>
* Authen::ACE by Dave Carrigan <Dave.Carrigan@iplenergy.com>
* Apache::AuthenSecurID by David Berk <dberk@lump.org>
* Apache::AuthenSecurID::Auth by David Berk <dberk@lump.org>
* port to mod_perl2 and cleanups by Al Tobey <tobert@gmail.com>
COPYRIGHT
The Apache2::AuthenSecurID::Auth module is free software; you can
redistribute it and/or modify it under the same terms as Perl itself.
NAME
ace_initd - ACE Authentication daemon for Apache::AuthenSecurID::Auth
SYNOPSIS
nohup ./ace_initd --listen=127.0.0.1 --facility=local2 --secret=123456
--port=1969 --var_ace=/var/ace
DESCRIPTION
This daemon handles the ACE authentication requests for the
Apache::SecurID::Auth module. It is a single threaded, single fork
server that listens on a specified UDP port. Incoming requests are
decrypted and requests forwarded to the ACE server. If a specific
request is in either in NEXT TOKEN MODE or SET PIN MODE the Authen::ACE
object is not deleted. It is instead kept in memory to handle those
specific requests later.
LIST OF TOKENS
* --var_ace
Specifies the location of the sdconf.rec file. It defaults to
$ENV{VAR_ACE} if this variable is not set.
* --secret
The Blowfish key used to encrypt and decrypt the authentication cookie.
It defaults to my secret if this variable is not set.
* --port
The port the that the Ace request daemon listens on. It defaults to 1969
if this variable is not set.
* --facility
The syslog facility ace_initd logs to. It defaults to local2 if this
variable is not set.
* --daemon
Break off from the shell and become a daemon.
CONFIGURATION
Either run from the command line;
prompt$ nohup ./ace_initd &
or write the appropriate scripts in the /etc/rc directories.
PREREQUISITES
ace_initd requires Crypt::Blowfish, Crypt::CBC and Authen::ACE.
SEE ALSO
Authen::ACE Apache::AuthenSecurID Apache::AuthenSecurID::Auth
AUTHORS
* mod_perl by Doug MacEachern <dougm@osf.org>
* Authen::ACE by Dave Carrigan <Dave.Carrigan@iplenergy.com>
* Apache::AuthenSecurID by David Berk <dberk@lump.org>
* Apache::AuthenSecurID::Auth by David Berk <dberk@lump.org>
* Various changes by Al Tobey <tobert@gmail.com>
COPYRIGHT
ace_initd is free software; you can redistribute it and/or modify it
under the same terms as Perl itself.