Apache::AuthKrb5Afs is an integrated OpenAFS/Krb5 login for Apache.
This mod_perl module lets Apache acquire Krb5 tickets and OpenAFS tokens for user requests. So, users can access files and scripts on AFS with Apache, using their AFS password. Users can also use DAV to upload and download files to AFS as an alternative to FTP or a local AFS client.
This has several benefits:
Users can use AFS access control lists instead of .htaccess files to restrict access to files and scripts.
Users can use DAV as a secure alternative to FTP to access files in AFS. DAV works when a local AFS client is not available.
Apache does not need to run as root to assume a user's AFS rights. No more suEXEC.
Scripts run with the user's Krb5 and AFS identity. Since secure login is built into each request, scripts do not have to implement their own login/access control mechanism. Scripts that connect to Kerberos-aware applications (e.g. databases such as PostgreSQL) can use the web request's Krb5 ticket for access.
HOW IT WORKS
A login script collects a user name and password. The password is passed to kinit to get a Krb5 ticket. The ticket is stored on the server and a session key that identifies it is saved in a browser cookie. Subsequent requests use the cookie to locate the Krb5 ticket, renew the ticket, and get AFS tokens from it using aklog.
Here it is step by step:
· A client accesses an AFS file with Apache.
· If the file is protected, Apache returns a 403 (Forbidden) error.
· Apache redirects 403 errors to a login page (for example with an ErrorDocument 403 directive).
· The login page collects the user's name and password and sends it through Apache::AuthKrb5Afs->login().
· Apache::AuthKrb5Afs uses Auth::Krb5AFS to acquire Krb5 and AFS tokens with the user's password.
· Apache::AuthKrb5Afs saves the Krb5 ticket in a local cache, keyed by a session key, and returns that session key to the client in a cookie.
· Note: DAV requests from Windows Explorer ignore cookies and use HTTP Basic authentication exclusively. Apache::AuthKrb5Afs will make a pseudo session key from the client's "Authorization" header and reuse that to find a cached Krb5 ticket. Because Basic authentication sends the password with every request, and the cookie carries the session key, both should only be served over HTTPS.
· The login page redirects the user to the original URL that threw the 403 error.
· The next client request sends the cookie. Apache uses the cookie to find the cached Krb5 ticket, renews the ticket (with kinit), and acquires AFS permissions (with aklog). Apache sets the following environment variables to indicate successful login: REMOTE_USER, USER, HOME, SHELL, SESKEY, KRB5CCNAME, AUTH_COOKIE, and AUTH_COOKIE_PATH.
· If the URL was a script, it will execute with the user's AFS permissions. The script can check the REMOTE_USER environment variable to confirm that the user logged in. REMOTE_USER is non-empty only if the user really authenticated with Kerberos, so a script need not trust any other indication of login.
· If a script requires authentication, it can throw a 403 error to invoke the Apache::AuthKrb5Afs login mechanism.
· Apache's Krb5 ticket can be used with other krb5-aware programs. For example, this will allow an Apache request to access a PostgreSQL database with a user's credentials without passing the user's password again.
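The request flow above, worked through as an added example (not code from the Apache::AuthKrb5Afs distribution): how a session key is recovered from either the login cookie or a DAV client's Basic Authorization header, how it locates a cached ticket and turns into the environment variables listed above, and how a script on the other side uses REMOTE_USER to decide whether to return 403 and hands KRB5CCNAME to a Kerberos-aware child. The cookie name, the in-memory cache, the HOME layout, SHELL and AUTH_COOKIE_PATH values are assumptions; kinit and aklog are not invoked because they need a real KDC and AFS cell.

```python
import base64
import hashlib
import os
import secrets
from http.cookies import SimpleCookie

# Assumed cookie name; the real module's name is not given on the page.
COOKIE_NAME = "AUTH_COOKIE"

# session key -> session record. The module keeps its cache on local disk;
# this dict stands in for it.
TICKET_CACHE = {}


def session_key_from_request(headers):
    """Return the session key that locates a cached Krb5 ticket, or None.

    Browser clients send the login cookie. DAV clients such as Windows
    Explorer ignore cookies and send only HTTP Basic credentials, so a
    pseudo session key is derived from the Authorization header instead.
    """
    cookie_header = headers.get("Cookie")
    if cookie_header:
        jar = SimpleCookie()
        jar.load(cookie_header)
        if COOKIE_NAME in jar:
            return jar[COOKIE_NAME].value
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        # Hash the credential string rather than using it as the key:
        # the base64 blob decodes to "user:password" and must not be
        # written to a cache index or log.
        return hashlib.sha256(auth[len("Basic "):].encode()).hexdigest()
    return None


def basic_auth_user(headers):
    """User name from an HTTP Basic Authorization header, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[len("Basic "):]).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None


def register_session(user, ccache_path, seskey=None):
    """Record a ticket after kinit succeeded (kinit itself not shown).

    A cookie login gets a fresh random session key; a DAV session passes
    the pseudo key derived from its Authorization header so later
    requests with the same credentials find the same ticket.
    """
    if seskey is None:
        seskey = secrets.token_hex(16)
    TICKET_CACHE[seskey] = {"user": user, "ccache": ccache_path}
    return seskey


def environment_for(seskey, afs_home="/afs/example.org/user"):
    """Variables the page lists as set on successful login, or {} if the
    session key is unknown. HOME layout and SHELL are assumptions."""
    entry = TICKET_CACHE.get(seskey)
    if entry is None:
        return {}
    user = entry["user"]
    return {
        "REMOTE_USER": user,
        "USER": user,
        "HOME": f"{afs_home}/{user}",
        "SHELL": "/bin/sh",
        "SESKEY": seskey,
        "KRB5CCNAME": f"FILE:{entry['ccache']}",
        "AUTH_COOKIE": COOKIE_NAME,
        "AUTH_COOKIE_PATH": "/",
    }


def handle_request(environ):
    """Script side: an empty REMOTE_USER means no Kerberos login, so answer
    403 and let Apache's ErrorDocument send the login page."""
    user = environ.get("REMOTE_USER", "")
    if not user:
        return 403, "login required"
    return 200, f"hello {user}, tickets in {environ.get('KRB5CCNAME', '')}"


def child_environment(environ):
    """Environment for a Kerberos-aware child (psql, ssh, ...): inherit
    the request's credential cache so it authenticates as the user
    without being given the password again."""
    child = dict(os.environ)
    child["KRB5CCNAME"] = environ["KRB5CCNAME"]
    return child


if __name__ == "__main__":
    key = register_session("alice", "/tmp/krb5cc_alice")
    env = environment_for(session_key_from_request({"Cookie": f"{COOKIE_NAME}={key}"}))
    print(handle_request(env))
```

Two points the code makes explicit: a DAV client never sees a cookie, so the only stable handle it offers is its Authorization header, which must be hashed before it is used as a cache key; and a script needs no login logic of its own, only a check that REMOTE_USER is non-empty before it trusts the identity or passes KRB5CCNAME on to a child process.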