# $Id: README,v 1.4 2002/07/31 16:43:55 Administrator Exp $
In order to install and use this package you will need Perl version
5.004 or better, mod_perl Crypt::CBC, Crypt::Blowfish and Authen::ACE.
Installation as usual:
perl Makefile.PL
make
make test
make install
There are three components to Apache::AuthenSecurID.
Apache::AuthenSecurID
Apache::AuthenSecurID::Auth
ace_initd
Apache::AuthenSecurID(3)curID(3)
NAME
Apache::AuthenSecurID - Authentication via a SecurID
server
SYNOPSIS
# Configuration in httpd.conf or access.conf
PerlModule Apache::AuthenSecurID
<Location /secure/directory>
AuthName SecurID
AuthType Basic
PerlAuthenHandler Apache::AuthenSecurID
PerlSetVar AuthCryptKey Encryption_Key
PerlSetVar AuthCookie Name_of_Authentication_Cookie
PerlSetVar AuthUserCookie Name_of_Username_Authentication_Cookie
PerlSetVar AuthCookiePath /path/of/authentication/cookie
PerlSetVar AuthCookieTimeOut 30
PerlSetVar Auth_Handler /path/of/authentication/handler
require valid-user
</Location>
DESCRIPTION
This module allows authentication against a SecurID
server. It detects whether a user has a valid encrypted
cookie containing their username and last activity time
stamp. If the cookie is valid the module will change the
activity timestamp to the present time, encrypt and send
the cookie. If the cookie is not valid the module will
redirect to the authentication handler to prompt for
username and passcode.
LIST OF TOKENS
o AuthCryptKey
The Blowfish key used to encrypt and decrypt the
authentication cookie. It defaults to my secret if
this variable is not set.
o AuthCookie
The name of the of cookie to be set for the
authentication token. It defaults to SecurID if
this variable is not set.
o AuthUserCookie
The name of the of cookie that contains the value
of the persons username in plain text. This is
checked against the contents of the encrypted
cookie to verify user. The cookie is set of other
applications can identify authorized users. It
defaults to SecurID_User if this variable is not
set.
o AuthCookiePath
The path of the of cookie to be set for the
authentication token. It defaults to / if this
variable is not set.
o AuthCookieTimeOut
The time in minute a cookie is valid for. It is
not recommended to set below 5. It defaults to 30
if this variable is not set.
o Auth_Handler
The path of authentication handler. This is the
URL which request with invalid cookie are
redirected to. The handler will prompt for
username and passcode. It does the actual
authentication and sets the initial cookie. This
mechanism is used instead of get_basic_auth_pw
because get_basic_auth_pw will do multiple
authentication attempt on pages that contain
frames. The ACE server will deny simultaneous
authentication attempts since it considers this a
type of attack. It defaults to /ace_init if this
variable is not set. Please see
Apache::AuthenSecurID::Auth to properly configure
this functionality.
CONFIGURATION
The module should be loaded upon startup of the Apache
daemon. Add the following line to your httpd.conf:
PerlModule Apache::AuthenSecurID
PREREQUISITES
For AuthenSecurID you need to enable the appropriate call-
back hook when making mod_perl:
perl Makefile.PL PERL_AUTHEN=1
AuthenSecurID requires Crypt::Blowfish and Crypt::CBC.
SEE ALSO
the Apache manpage, the mod_perl manpage, the Authen::ACE
manpage the Apache::AuthenSecurID::Auth manpage
AUTHORS
o mod_perl by Doug MacEachern <
[email protected]>
o Authen::ACE by Dave Carrigan
<
[email protected]>
o Apache::AuthenSecurID by David Berk <
[email protected]>
COPYRIGHT
The Apache::AuthenSecurID module is free software; you can
redistribute it and/or modify it under the same terms as
Perl itself.
Apache::AuthenSecurID::Auth(3)curID::Auth(3)
NAME
Apache::AuthenSecurID::Auth - Authentication handler for
Apache::AuthenSecurID
SYNOPSIS
# Configuration in httpd.conf
<Location /path/of/authentication/handler>
SetHandler perl-script
PerlHandler Apache::AuthenSecurID::Auth
PerlSetVar AuthCryptKey Encryption_Key
PerlSetVar AuthCookie Name_of_Authentication_Cookie
PerlSetVar AuthUserCookie Name_of_Username_Authentication_Cookie
PerlSetVar AuthCookiePath /path/of/authentication/cookie
PerlSetVar AuthApacheCookie Apache_Cookie
PerlSetVar ace_initd_server name.of.ace.handler.server.com
PerlSetVar ace_initd_port 1969
</Location>
DESCRIPTION
This module allows authentication against a SecurID
server. A request is redirected to this handler if the
authentication cookie does not exist or is no longer
valid. The handler will prompt for username and passcode.
It will then construct and encrypt a UDP packet and send
it to the Ace request daemon. This is necessary since
libsdiclient.a needs to persist for NEXT TOKEN MODE and
SET PIN MODE. If the authentication is valid an encrypted
Authentication Cookie is set and the request is redirected
to the originating URI. If the user needs to enter NEXT
TOKEN or set their PIN they will be prompted to do so and
if valid the request is then redirected to the originating
URI.
LIST OF TOKENS
o AuthCryptKey
The Blowfish key used to encrypt and decrypt the
authentication cookie. It defaults to my secret if
this variable is not set.
o AuthCookie
The name of the of cookie to be set for the
authentication token. It defaults to SecurID if
this variable is not set.
o AuthUserCookie
The name of the of cookie that contains the value
of the persons username in plain text. This is
checked against the contents of the encrypted
cookie to verify user. The cookie is set of other
applications can identify authorized users. It
defaults to SecurID_User if this variable is not
set.
o AuthCookiePath
The path of the of cookie to be set for the
authentication token. It defaults to / if this
variable is not set.
o AuthApacheCookie
The name of the mod_usertrack cookie. The
mod_usertrack module must be compile and enabled in
order to track user sessions. This is set by the
CookieName directive in httpd.conf. It defaults to
Apache if this variable is not set.
o ace_initd_server
The name of the server running the ACE request
daemon. This daemon is the actual process that
communicates with the ACE Server. If the user is
in NEXT TOKEN MODE due to repeated failures or SET
PIN MODE the Authen::ACE object must persist beyond
the initial request. A request packet is
constructed with a random number, type of
transaction, username, passcode and session
identifier. The request packet is then encrypted
using Blowfish and sent to the ACE request daemon.
The ACE request daemon decrypts and parses the
packet. The request if forwarded to the ACE server
and the response is sent back to the handler. The
random number originally sent is returned to
prevent attacks. It defaults to localhost if this
variable is not set.
o ace_initd_port
The port the that the Ace request daemon listens
on. It defaults to 1969 if this variable is not
set.
CONFIGURATION
The module should be loaded upon startup of the Apache
daemon. Add the following line to your httpd.conf:
PerlModule Apache::AuthenSecurID::Auth
PREREQUISITES
For AuthenSecurID::Auth you need to enable the appropriate
call-back hook when making mod_perl:
perl Makefile.PL PERL_AUTHEN=1
AuthenSecurID::Auth requires Crypt::Blowfish and
Crypt::CBC.
For AuthenSecurID::Auth to properly track users
mod_usertrack must be compiled and enabled.
SEE ALSO
the Apache manpage, the mod_perl manpage, the Authen::ACE
manpage the Apache::AuthenSecurID::Auth manpage
AUTHORS
o mod_perl by Doug MacEachern <
[email protected]>
o Authen::ACE by Dave Carrigan
<
[email protected]>
o Apache::AuthenSecurID by David Berk <
[email protected]>
o Apache::AuthenSecurID::Auth by David Berk
<
[email protected]>
COPYRIGHT
The Apache::AuthenSecurID::Auth module is free software;
you can redistribute it and/or modify it under the same
terms as Perl itself.
ACE_INITD(1) User Contributed Perl Documentation ACE_INITD(1)
NAME
ace_initd - ACE Authentication daemon for
Apache::AuthenSecurID::Auth
SYNOPSIS
# Configuration in /etc/ace_initd.conf
VAR_ACE /the/ace/data/directory
port 1969
AuthCryptKey Encryption_Key
syslog local2
DESCRIPTION
This daemon handles the ACE authentication requests for
the Apache::SecurID::Auth module. It is a single
threaded, single fork server that listens on a specified
UDP port. Incoming requests are decrypted and requests
forwarded to the ACE server. If a specific request is in
either in NEXT TOKEN MODE or SET PIN MODE the Authen::ACE
object is not deleted. It is instead kept in memory to
handle those specific requests later.
LIST OF TOKENS
o VAR_ACE
Specifies the location of the sdconf.rec file. It
defaults to /opt/ace/data if this variable is not
set.
o AuthCryptKey
The Blowfish key used to encrypt and decrypt the
authentication cookie. It defaults to my secret if
this variable is not set.
o ace_initd_port
The port the that the Ace request daemon listens
on. It defaults to 1969 if this variable is not
set.
o syslog
The syslog facility ace_initd logs to. It defaults
to local2 if this variable is not set.
CONFIGURATION
Either run from the command line;
prompt$ nohup ./ace_initd &
or write the appropriate scripts in the /etc/rc
directories.
PREREQUISITES
ace_initd requires Crypt::Blowfish, Crypt::CBC and
Authen::ACE.
SEE ALSO
the Authen::ACE manpage the Apache::AuthenSecurID manpage
the Apache::AuthenSecurID::Auth manpage
AUTHORS
o mod_perl by Doug MacEachern <
[email protected]>
o Authen::ACE by Dave Carrigan
<
[email protected]>
o Apache::AuthenSecurID by David Berk <
[email protected]>
o Apache::AuthenSecurID::Auth by David Berk
<
[email protected]>
COPYRIGHT
ace_initd is free software; you can redistribute it and/or
modify it under the same terms as Perl itself.
Copyright 2001, David Berk <
[email protected]>
The Apache::AuthenSecurID module is free software; you can redistribute
it and/or modify it under the same terms as Perl itself.
