[OpenAFS-announce] AFS Webauth Package Available

David Botsch dwb7@ccmr.cornell.edu
Thu, 15 Jan 2004 11:08:09 -0500

After seeing some of the recent discussion, I was reminded I needed to 
put this package together.

Two summers ago, a student working for us wrote this afs web auth 
package. It makes use of php and perl to allow users to authenticate 
against AFS and to allow the web server to obtain tokens for these 
users (in separate PAGs, of course).

The general idea is that there is a daemon running named tokend. Tokend 
keeps track of the authentication sessions and the tokens themselves. A 
cookie stored in the web browser is passed to the php/perl scripts 
which talk to tokend to get the afs tokens for the user. So, there are 
two cookies: the php session cookie, and the afs session cookie.

If you just need to authenticate someone, you can do that with a php 
script. However, if you need to do something like working with files in 
a user's home directory, that is where perl comes in. The php script 
passes off data to a perl script and the perl script will actually use 
the token to obtain a pag and do the necessary work.

To install:

using pear, install the three php modules in the php directory: 
Auth_AFS, CCMR_Auth, XML_RPC (note that the XML_RPC included with php 
distros will not work... on my list of things to fix).

install the perl XML_RPC lib (once again, I doubt that other XML_RPCs 
would work) located in the perl directory.

start the tokend daemon... it will create /var/run/tokend.sock ... you 
will need to chown this socket so that your web server can read/write 
to it (we have a start_tokend script that starts tokend and then does 
/bin/chown apache /var/runtokend.sock)


Take a look at the examples: in the htdocs directory and the 
showtokens.pl script

There is a lot of code that is repetitive. So, what we do is a 
require("ccmr_afs_auth.php") in our files that want to use this system. 
If you look at that file, you'll see most of the auth code there. So, 
in your actual web files, you just check the variable $afsauthed for 
either "failure" or a username.

other notes:
above, I mentioned there were two cookies. The authentication itself is 
kept in the php session cookie while the info necessary to get the afs 
tokens from tokend is the afs session cookie. Because the php session 
cookies are not secure, we also check the validity of the tokens in the 
afs session cookie via tokencheck.pl (called from the ccmr_afs_auth.php 
script). The AFS session cookies are secure cookies. This extra check 
helps to protect the session from being stolen.

Because the afs session cookies are secure cookies, system only works 
on https web sites (and you don't want afs passwords being typed in on 
non-ssl connections anyway).

In the ccmr_afs_auth.php script, you'll notice we also have some mysql 
database code (you should probably comment this out). The purpose of 
this code is as follows: we have a special class of users who are 
emailed temporary passwords. In the mysql database, we keep track of 
whether or not the password has been changed from the emailed temporary 
password. So, we do the check, and if not changed, force a password 

In the ccmr_afs_auth.php script, you'll need to update the cell name in 
the call to new CCMR_AUTH(array(...

Because we are messing with cookies, the require("ccmr_afs_auth.php") 
must take place before any php script output. However, if you look in 
the script, you'll see a variable named showLogin, set to true. You can 
set this to false (before the require), and then call check the result 
of mustChngPW to see if a password change is necessary, and call 
ChngCCMRPW() to put the password change dialog where you would like. 
You can also then check $afsauthed and if authentication is necessary, 
call CCMR_Auth_drawLogin() to put the login dialog where you would like 
instead of where the ccmr_afs_auth.php script puts it (at the top of 
your page).

ccmr_afs_auth.php redirects php error output to /tmp/php.log... see 
first line


As always, if you find a bug or hole or just would like to add 
something, feel free to send me a patch, which I'll look over and then 


Send them along to me.


file is:
David William Botsch
Consultant/Advisor II
CCMR Computing Facility