Creating cookies for mod_authn_tkt
Added by Gasp0de over 4 years ago
Hi,
I want to use mod_authn_tkt for authentication. I use the mod_authn_tkt implementation from https://github.com/gstrauss/lighttpd-mod_authn_tkt and lighty 1.4.54 on Linux. I wrote a Python script that does the authentication (two-factor) and then sets a cookie as described in the Apache mod_auth_tkt README (there doesn't seem to be a description of the cookie format in the mod_authn_tkt repo): http://www.openfusion.com.au/labs/dist/mod_auth_tkt/mod_auth_tkt-2.1.0.tar.gz.
Therefore I create an SHA256 hash of (in this order) secret, 4 byte ip address, 4 byte timestamp, userid, token list (only contains one token).
This results in the following base64 encoded cookie value:
MzgxOWJiOTdjYTcyN2I3MThiM2MzMWZiZjlkMjVkNzA2ZDkzMmFhZmMwNDhlYjNjMGZhZjY1N2QzNDU1NDQzMTVkM2VmYzA1cm9vdCFhZG1pbg==
This decodes to:
b'3819bb97ca727b718b3c31fbf9d25d706d932aafc048eb3c0faf657d345544315d3efc05root!admin'
userid (root), token (admin) and timestamp (5d3efc05 or 1564408837 in decimal) look good. However, mod_authn_tkt keeps redirecting me to the login page even after the cookie is set. Is there any way to enable debug output for mod_authn_tkt to see where my cookie is wrong?
For reproducibility, this is the IP and the shared secret:
192.168.1.212
0fdb903b2d008d810b2cf0309627d886
Thanks for any advice and if this is not the right place to ask about that feel free to delete it and/or give me a tip on where to ask or what to read.
Thank you.
Replies (3)
RE: Creating cookies for mod_authn_tkt - Added by gstrauss over 4 years ago
To help isolate where the issue might be, have you tested without specifying "digest-type" => "SHA256"? The default is MD5 if the digest type is not specified, so you might test with some easier-to-produce MD5 digests.
RE: Creating cookies for mod_authn_tkt - Added by Gasp0de over 4 years ago
I did, and I just did again to make sure I did not overlook anything this time. I have tried both my own implementation and an existing implementation for cookie creation (https://github.com/plone/plone.session/blob/master/plone/session/tktauth.py). Using tktauth I can validate my cookie using their validation function, but it is still not accepted by mod_authn_tkt.
When trying to access a protected URL, I get a 302 redirect to the login page, not the URL specified for timeout or unauth. This is now my ticket when using MD5:
6f01585e43c4addfe530a6802127c2b05d401074root!admin!
With my own implementation, I tried leaving out the exclamation mark after admin, as I am unsure if I need it when no user data is specified. However, the plone implementation adds it, and from the mod_auth_tkt documentation it seems like it has to be there and only the user data afterwards is optional. I double-checked the cookie name; it is auth_tkt, same as in the config file. This is my current config for mod_authn_tkt:
    auth.method.tkt.opts = (
        "secret"           => "0fdb903b2d008d810b2cf0309627d886",
        "login-url"        => "/login/login",
        "timeout-url"      => "/login/login?timeout=1 ",
        "post-timeout-url" => "/login/login?posttimeout=1",
        "unauth-url"       => "/login/login?unauth=1",
        "timeout"          => "60m",
        "timeout-refresh"  => ".25",
        "digest-type"      => "MD5",      # "MD5", "SHA256", or "SHA512"
        "ignore-ip"        => "disable",
        "require-ssl"      => "disable",
        "cookie-secure"    => "disable",
        "cookie-name"      => "auth_tkt",
        "cookie-expires"   => "60m",
        "back-arg-name"    => "back",
        "back-cookie-name" => "auth_tkt_back",
        "guest-user"       => "guest-%16U",
        "guest-login"      => "disable",
        "guest-cookie"     => "disable",
        "guest-fallback"   => "disable",
        "tokens" => (
            "/cgi_bin/webif/user"     => ("user"),
            "shared_docs"             => ("user"),
            "/exchange/test/"         => ("admin"),
            "/cgi-bin/webif/admin/"   => ("admin"),
            "/ss/cgi-bin/webif/admin/" => ("admin"),
            "/admin/"                 => ("admin")
        )
    )
I assume it doesn't have anything to do with the tokens or timeouts, as I would expect a redirect to the unauth or timeout URL then.
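For reference, the ticket scheme as the mod_auth_tkt README documents it and as plone.session's tktauth.py implements it in mod_auth_tkt mode: the digest is computed in two rounds, H(iptstamp + secret + user_id + NUL + token_list + NUL + user_data) followed by H(hex(digest0) + secret), where iptstamp is the 4-byte IPv4 address followed by the 4-byte big-endian timestamp, and the wire format is digest + 8 hex timestamp chars + user_id + '!' + token_list + '!' + user_data. The code below is an added example covering both the original question (hash inputs and their order) and the reply above (the trailing '!' and the digest-type setting); it is not code from this thread, from lighttpd or from mod_authn_tkt, and whether mod_authn_tkt parses tickets identically is exactly what the thread leaves unresolved. The secret, IP and timestamp are the values posted above; the function names are this example's own, and the MD5/SHA256/SHA512 names are assumed to match the "digest-type" option.

```python
"""mod_auth_tkt-style ticket construction and verification (added example)."""
import hashlib
import hmac
import socket
import struct
import time

# Assumed to correspond to the "digest-type" values "MD5", "SHA256", "SHA512".
DIGESTS = {"MD5": hashlib.md5, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def _ticket_digest(secret: bytes, iptstamp: bytes, data2: bytes, digest_type: str) -> str:
    """Two-round digest as documented in the mod_auth_tkt README:
    digest0 = H(iptstamp + secret + user_id + '\\0' + token_list + '\\0' + user_data)
    digest  = H(hex(digest0) + secret)
    """
    h = DIGESTS[digest_type]
    digest0 = h(iptstamp + secret + data2).hexdigest().encode("ascii")
    return h(digest0 + secret).hexdigest()


def make_ticket(secret: str, user_id: str, tokens=(), user_data: str = "",
                ip: str = "0.0.0.0", timestamp=None, digest_type: str = "MD5") -> str:
    """Build the raw ticket string (before any URL or base64 encoding of the cookie).

    Pass ip="0.0.0.0" when the server is configured to ignore the client IP.
    """
    if timestamp is None:
        timestamp = int(time.time())
    # iptstamp: 4-byte IPv4 address followed by the 4-byte big-endian timestamp.
    iptstamp = socket.inet_aton(ip) + struct.pack("!I", timestamp)
    token_list = ",".join(tokens)
    data2 = b"\0".join(s.encode("utf-8") for s in (user_id, token_list, user_data))
    digest = _ticket_digest(secret.encode("utf-8"), iptstamp, data2, digest_type)
    # Wire format: digest + 8 hex timestamp chars + user_id + '!' [+ tokens + '!'] + user_data.
    ticket = f"{digest}{timestamp:08x}{user_id}!"
    if token_list:
        ticket += token_list + "!"
    return ticket + user_data


def parse_ticket(ticket: str, digest_type: str = "MD5"):
    """Split a ticket into (digest, timestamp, user_id, token_list, user_data)."""
    dlen = DIGESTS[digest_type]().digest_size * 2  # hex digest length
    if len(ticket) < dlen + 8 + 2:  # at least "x!" must follow the timestamp
        raise ValueError("ticket too short")
    digest = ticket[:dlen]
    timestamp = int(ticket[dlen:dlen + 8], 16)
    parts = ticket[dlen + 8:].split("!", 2)  # user_data may itself contain '!'
    if len(parts) == 3:
        user_id, token_list, user_data = parts
    elif len(parts) == 2:
        user_id, user_data = parts  # no token section at all
        token_list = ""
    else:
        raise ValueError("missing '!' after user_id")
    return digest, timestamp, user_id, token_list, user_data


def validate_ticket(secret: str, ticket: str, ip: str = "0.0.0.0", now=None,
                    timeout: int = 0, digest_type: str = "MD5"):
    """Return the ticket fields as a dict, or None if the digest does not match
    or the ticket is older than `timeout` seconds (0 disables the age check)."""
    try:
        digest, timestamp, user_id, token_list, user_data = parse_ticket(ticket, digest_type)
    except ValueError:
        return None
    if now is None:
        now = int(time.time())
    if timeout and now - timestamp > timeout:
        return None
    iptstamp = socket.inet_aton(ip) + struct.pack("!I", timestamp)
    data2 = b"\0".join(s.encode("utf-8") for s in (user_id, token_list, user_data))
    expected = _ticket_digest(secret.encode("utf-8"), iptstamp, data2, digest_type)
    if not hmac.compare_digest(expected, digest):  # constant-time comparison
        return None
    return {"user_id": user_id, "tokens": token_list.split(",") if token_list else [],
            "user_data": user_data, "timestamp": timestamp}


if __name__ == "__main__":
    # Values posted in this thread (secret, client IP, MD5 ticket timestamp).
    SECRET = "0fdb903b2d008d810b2cf0309627d886"
    t = make_ticket(SECRET, "root", ["admin"], ip="192.168.1.212", timestamp=0x5d401074)
    print(t)
    print(validate_ticket(SECRET, t, ip="192.168.1.212", timeout=3600, now=0x5d401074 + 1))
```

Regenerating the posted MD5 ticket with make_ticket and comparing it character by character against the string posted above separates a wire-format problem (timestamp, '!' separators) from a digest-input problem (field order, the second hashing round, the NUL separators), since the two halves of the ticket are independent. The digest-type check also matters: a SHA256 ticket fed to a verifier expecting MD5 is split at the wrong offset and silently fails the digest comparison, so both ends must agree, as the reply above suggests testing. Submitting the raw ticket as the cookie value, rather than a base64-encoded one, removes one more variable from the comparison.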
RE: Creating cookies for mod_authn_tkt - Added by Gasp0de over 4 years ago
After countless tries that did not work I decided to set up a VM with Apache and Apache's mod_auth_tkt. I thought the debug output that the Apache mod provides could help me identify what I did wrong with my cookie. However, Apache's mod_auth_tkt accepted my cookie without complaints. I assume that lighty's mod_authn_tkt is broken or that the cookie specifications for Apache's mod_auth_tkt have changed and mod_authn_tkt was not updated. I'll try creating a custom fastcgi authorizer instead of using mod_authn_tkt.
P.S.: If at some point someone decides to work on mod_authn_tkt again, a "debug" option like mod_auth_tkt's TKTAuthDebug option might be of great use. mod_authn_tkt keeps redirecting me to the login page when provided the cookie that is accepted by apache mod_auth_tkt and there is no way to find out why (Does it not find the cookie? Does the hash not match?).