
Creating cookies for mod_authn_tkt

Added by Gasp0de over 4 years ago

Hi,
I want to use mod_authn_tkt for authentication. I use the mod_authn_tkt implementation from https://github.com/gstrauss/lighttpd-mod_authn_tkt and lighty 1.4.54 on Linux. I wrote a Python script that does the authentication (2-factor) and then sets a cookie as described in the Apache mod_auth_tkt README (there doesn't seem to be a description of the cookie format in the mod_authn_tkt repo): http://www.openfusion.com.au/labs/dist/mod_auth_tkt/mod_auth_tkt-2.1.0.tar.gz.

Therefore I create a SHA256 hash of (in this order) secret, 4-byte IP address, 4-byte timestamp, userid, token list (only contains one token).
This results in the following base64 encoded cookie value:
MzgxOWJiOTdjYTcyN2I3MThiM2MzMWZiZjlkMjVkNzA2ZDkzMmFhZmMwNDhlYjNjMGZhZjY1N2QzNDU1NDQzMTVkM2VmYzA1cm9vdCFhZG1pbg==
This decodes to:
b'3819bb97ca727b718b3c31fbf9d25d706d932aafc048eb3c0faf657d345544315d3efc05root!admin'
userid (root), token (admin) and timestamp (5d3efc05 or 1564408837 in decimal) look good. However, mod_authn_tkt keeps redirecting me to the login page even after the cookie is set. Is there any way to enable debug output for mod_authn_tkt to see where my cookie is wrong?

For reproducibility, this is the IP and the shared secret:
192.168.1.212
0fdb903b2d008d810b2cf0309627d886

Thanks for any advice and if this is not the right place to ask about that feel free to delete it and/or give me a tip on where to ask or what to read.
Thank you.


Replies (3)

RE: Creating cookies for mod_authn_tkt - Added by gstrauss over 4 years ago

To help isolate where the issue might be, have you tested without specifying "digest-type" => "SHA256"? The default is MD5 if the digest type is not specified, so you might test with some easier-to-produce MD5 digests.

RE: Creating cookies for mod_authn_tkt - Added by Gasp0de over 4 years ago

I did, and I just did again to make sure I did not overlook anything this time. I have tried both my own implementation and an existing implementation for cookie creation (https://github.com/plone/plone.session/blob/master/plone/session/tktauth.py). Using tktauth I can validate my cookie using their validation function, but it is still not accepted by mod_authn_tkt.
When trying to access a protected url, I get a 302 redirect to the login page, not the url specified for timeout or unauth. This is now my ticket when using md5:

6f01585e43c4addfe530a6802127c2b05d401074root!admin!

With my own implementation, I tried leaving out the exclamation mark after admin, as I am unsure if I need it when no user data is specified. However, the plone implementation adds it, and from the mod_auth_tkt documentation it seems like it has to be there and only the user data afterwards is optional. I double-checked the cookie name; it is auth_tkt, same as in the config file. This is my current config for mod_authn_tkt:

auth.method.tkt.opts = (
    "secret" => "0fdb903b2d008d810b2cf0309627d886",
    "login-url" => "/login/login",
    "timeout-url" => "/login/login?timeout=1",
    "post-timeout-url" => "/login/login?posttimeout=1",
    "unauth-url" => "/login/login?unauth=1",
    "timeout" => "60m",
    "timeout-refresh" => ".25",
    "digest-type" => "MD5",  # "MD5", "SHA256", or "SHA512"
    "ignore-ip" => "disable",
    "require-ssl" => "disable",
    "cookie-secure" => "disable",
    "cookie-name" => "auth_tkt",
    "cookie-expires" => "60m",
    "back-arg-name" => "back",
    "back-cookie-name" => "auth_tkt_back",
    "guest-user" => "guest-%16U",
    "guest-login" => "disable",
    "guest-cookie" => "disable",
    "guest-fallback" => "disable",
    "tokens" => ("/cgi_bin/webif/user" => ("user"),
                "shared_docs"         => ("user"),
                "/exchange/test/"     => ("admin"),
                "/cgi-bin/webif/admin/" => ("admin"),
                "/ss/cgi-bin/webif/admin/" => ("admin"),
                "/admin/" => ("admin")
               )
)


I assume it doesn't have anything to do with the tokens or timeouts, as I would expect a redirect to the unauth or timeout URL then.
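Added example (mine, not code from this thread, from lighttpd's mod_authn_tkt or from Apache's mod_auth_tkt): a Python implementation of the ticket layout the first post and the reply above are trying to produce, plus a validator that reports which check fails first, which is the kind of debug output the thread is asking for. It follows the two-round digest in the Apache mod_auth_tkt README as I read it: digest0 = H(ip_ts + secret + userid + NUL + token_list + NUL + user_data), digest = H(digest0 + secret), where ip_ts is the packed 4-byte IPv4 address followed by the big-endian 4-byte timestamp, and the ticket is digest + 8-hex-digit timestamp + userid + "!" + tokens + "!" + user_data. Assumptions: "0.0.0.0" replaces the client IP when ignore-ip is on; the base64 handling only normalises the encoded cookie of the first post and says nothing about what either module accepts; the secret and sample values in the demo are constructed.

```python
import base64
import hashlib
import hmac
import socket
import struct
import time

# Hex-digest lengths for the digest types the thread's config comments list
DIGEST_HEX_LEN = {"MD5": 32, "SHA256": 64, "SHA512": 128}


def _hexdigest(digest_type, data):
    return hashlib.new(digest_type.lower(), data).hexdigest()


def _is_hex(s):
    return len(s) > 0 and all(c in "0123456789abcdef" for c in s.lower())


def ticket_digest(secret, ip, timestamp, userid, tokens, user_data, digest_type="MD5"):
    # Two-round digest as described in the mod_auth_tkt README (my reading of it, an assumption):
    #   digest0 = H(ip_ts + secret + userid + "\0" + token_list + "\0" + user_data)
    #   digest  = H(digest0 + secret)
    ip_ts = socket.inet_aton(ip) + struct.pack("!I", timestamp)
    data = (ip_ts + secret.encode() + userid.encode() + b"\0"
            + ",".join(tokens).encode() + b"\0" + user_data.encode())
    digest0 = _hexdigest(digest_type, data)
    return _hexdigest(digest_type, digest0.encode() + secret.encode())


def create_ticket(secret, userid, tokens=(), user_data="", ip="0.0.0.0",
                  timestamp=None, digest_type="MD5"):
    """Build digest + hex timestamp + userid!tokens!user_data (tokens part only if present)."""
    if timestamp is None:
        timestamp = int(time.time())
    digest = ticket_digest(secret, ip, timestamp, userid, tokens, user_data, digest_type)
    ticket = "%s%08x%s!" % (digest, timestamp, userid)
    if tokens:
        ticket += ",".join(tokens) + "!"
    return ticket + user_data


def decode_cookie(cookie_value, digest_type="MD5"):
    """Return the raw ticket; base64-decode when the value does not start with hex (assumption)."""
    n = DIGEST_HEX_LEN[digest_type]
    if _is_hex(cookie_value[:n + 8]):
        return cookie_value
    try:
        return base64.b64decode(cookie_value, validate=True).decode("latin-1")
    except ValueError:
        return cookie_value


def parse_ticket(ticket, digest_type="MD5"):
    """Split a ticket into fields; raise ValueError describing what is malformed."""
    n = DIGEST_HEX_LEN[digest_type]
    if len(ticket) < n + 8:
        raise ValueError("ticket too short for a %s digest" % digest_type)
    digest, ts_hex, rest = ticket[:n], ticket[n:n + 8], ticket[n + 8:]
    if not _is_hex(digest) or not _is_hex(ts_hex):
        raise ValueError("digest or timestamp is not hex")
    parts = rest.split("!")
    if len(parts) == 3:          # userid!tokens!user_data
        tokens, user_data = (tuple(parts[1].split(",")) if parts[1] else ()), parts[2]
    elif len(parts) == 2:        # userid!user_data (no token list)
        tokens, user_data = (), parts[1]
    else:
        raise ValueError("expected userid!tokens!data or userid!data")
    return {"digest": digest, "timestamp": int(ts_hex, 16), "userid": parts[0],
            "tokens": tokens, "user_data": user_data}


def validate_ticket(cookie_value, secret, client_ip, required_tokens=(), timeout=3600,
                    now=None, digest_type="MD5", ignore_ip=False):
    """Return (ok, reason, fields); reason names the first failing check."""
    try:
        fields = parse_ticket(decode_cookie(cookie_value, digest_type), digest_type)
    except ValueError as exc:
        return False, "parse: %s" % exc, None
    ip_for_digest = "0.0.0.0" if ignore_ip else client_ip   # assumption: ignore-ip semantics
    expected = ticket_digest(secret, ip_for_digest, fields["timestamp"], fields["userid"],
                             fields["tokens"], fields["user_data"], digest_type)
    if not hmac.compare_digest(expected, fields["digest"]):   # constant-time compare
        return False, "digest mismatch (secret, IP, digest type or field layout differ)", fields
    now = int(time.time()) if now is None else now
    if timeout and now - fields["timestamp"] > timeout:
        return False, "timeout", fields
    if required_tokens and not set(required_tokens) & set(fields["tokens"]):
        return False, "unauth: none of %s present" % ",".join(required_tokens), fields
    return True, "ok", fields


if __name__ == "__main__":
    SECRET = "example-secret"   # constructed; not the secret posted in the thread
    tkt = create_ticket(SECRET, "root", tokens=("admin",), ip="192.168.1.212", timestamp=0x5d401074)
    for label, override in [("good", {}), ("wrong ip", {"client_ip": "10.0.0.1"}),
                            ("expired", {"now": 0x5d401074 + 7200})]:
        kw = dict(client_ip="192.168.1.212", now=0x5d401074 + 60, required_tokens=("admin",))
        kw.update(override)
        ok, reason, _ = validate_ticket(tkt, SECRET, **kw)
        print("%-9s %-5s %s" % (label, ok, reason))
```

Running a generated ticket through validate_ticket with the same secret, IP and digest type the server is configured with separates "cookie not parsed" from "digest mismatch" from "timeout" from "token missing"; a server that only ever answers with a redirect to login-url gives none of that distinction.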

RE: Creating cookies for mod_authn_tkt - Added by Gasp0de over 4 years ago

After countless tries that did not work I decided to set up a VM with Apache and Apache's mod_auth_tkt. I thought the debug output that the Apache mod provides could help me identify what I did wrong with my cookie. However, Apache's mod_auth_tkt accepted my cookie without complaints. I assume that lighty's mod_authn_tkt is broken or that the cookie specifications for Apache's mod_auth_tkt have changed and mod_authn_tkt was not updated. I'll try creating a custom fastcgi authorizer instead of using mod_authn_tkt.

P.S.: If at some point someone decides to work on mod_authn_tkt again, a "debug" option like mod_auth_tkt's TKTAuthDebug option might be of great use. mod_authn_tkt keeps redirecting me to the login page when provided the cookie that is accepted by Apache mod_auth_tkt, and there is no way to find out why (Does it not find the cookie? Does the hash not match?).
