adelton / mod_authnz_pam

Apache module to run PAM authorization on result of other module's authentication; also full Basic Auth PAM provider.
https://www.adelton.com/apache/mod_authnz_pam/
Apache License 2.0

Enable authn_cache. #2

Closed adelton closed 6 years ago

adelton commented 6 years ago

Code adapted based on:

https://httpd.apache.org/docs/2.4/mod/mod_authn_socache.html#dev
http://svn.apache.org/viewvc?view=revision&revision=957072

Untested.

adelton commented 6 years ago

Travis CI fails building on CentOS 6 where there is Apache 2.2.15-69.el6.centos. So at minimum we will have to make this code conditional on 2.2.

schnitzi99 commented 6 years ago

Thanks for the module and your work on that! I added support for caching via socache to the current master and it seems to work so far.

I don't have any programming experience (except playing around some 20 years ago), no experience with GitHub (except git clone ...) and was pretty much muddling through looking at other code examples. So please thoroughly check and correct my adaptions before using / including them. I tried to include the source or a diff in this post, but it doesn't work ("Something went really wrong, and we cant process that file."). Will try to somehow include it in your code.

How does it work: Socache seems to be comparing a cached version (needs to be hashed) of the password with the typed-in password. Therefore we need to store a salted MD5 hash of the password in the socache when authorization was successful. In my (lazy) implementation the salt is predefined - I guess a random salt would be better.

What configuration is necessary: Apache-config needs at least the following (upper case is necessary) for it to work:

AuthBasicProvider socache PAM
AuthnCacheProvideFor PAM

Tested? Yes. I have an Apache 2.4 with mod_authnz_pam and a PAM setup including pam_shield, pam_abl and pam_mysql which was having problems before due to the rate of access/authentication caused by Apache 2.4. --> With this adaption surfing on my page causes only one access via PAM and after that socache takes over as long as the cache is not expired. Homepage gets incredibly fast.... :)
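
The difference between a predefined and a random salt for the cached password hash, as an added example that is not code from this pull request or from the module. It assumes the cached value uses Apache's `$apr1$` salted-MD5 format (the comment says only "salted md5"); `new_entry`, `check` and the sample password and salt are constructed for illustration.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def apr1(password: str, salt: str) -> str:
    """Apache $apr1$ salted-MD5 hash (the format htpasswd -m writes)."""
    pw, s = password.encode(), salt[:8].encode()
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = pw + b"$apr1$" + s
    for n in range(len(pw), 0, -16):      # alternate digest, 16 bytes per chunk
        ctx += alt[:min(16, n)]
    n = len(pw)
    while n:                              # one byte per bit of the password length
        ctx += b"\0" if n & 1 else pw[:1]
        n >>= 1
    final = hashlib.md5(ctx).digest()
    for i in range(1000):                 # fixed 1000-round stretch
        block = pw if i & 1 else final
        if i % 3:
            block += s
        if i % 7:
            block += pw
        block += final if i & 1 else pw
        final = hashlib.md5(block).digest()
    words = [((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in
             [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]]
    out = ""
    for v, width in words + [(final[11], 2)]:
        for _ in range(width):
            out += ITOA64[v & 0x3F]
            v >>= 6
    return f"$apr1${salt[:8]}${out}"

def new_entry(password, salt=None):
    """Hash to place in the cache; a fresh random salt unless one is forced."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return apr1(password, salt)

def check(password, stored):
    """Re-hash with the salt embedded in the stored value, compare in constant time."""
    return hmac.compare_digest(apr1(password, stored.split("$")[2]), stored)

if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    print("fixed salt :", new_entry("s3cret", "fixedsal"), new_entry("s3cret", "fixedsal"))
    print("random salt:", new_entry("s3cret"), new_entry("s3cret"))
```

With the predefined salt, every user who has the same password gets an identical cache entry; with a per-entry random salt the entries differ and each still verifies.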

schnitzi99 commented 6 years ago

Compiled and tested on Debian stretch amd64.

schnitzi99 commented 6 years ago

https://github.com/adelton/mod_authnz_pam/compare/master...schnitzi99:patch-1

schnitzi99 commented 6 years ago

Hope this helps. If you have any questions feel free to ask.

schnitzi99 commented 6 years ago

Did separate pull request.

adelton commented 6 years ago

Fixes https://github.com/adelton/mod_authnz_pam/issues/1.