[OpenAFS-announce] AFS Webauth Package Available
Thu, 15 Jan 2004 11:08:09 -0500
After seeing some of the recent discussion, I was reminded I needed to
put this package together.
Two summers ago, a student working for us wrote this afs web auth
package. It makes use of php and perl to allow users to authenticate
against AFS and to allow the web server to obtain tokens for these
users (in separate PAGs, of course).
The general idea is that there is a daemon running named tokend. Tokend
keeps track of the authentication sessions and the tokens themselves. A
cookie stored in the web browser is passed to the php/perl scripts
which talk to tokend to get the afs tokens for the user. So, there are
two cookies: the php session cookie, and the afs session cookie.
If you just need to authenticate someone, you can do that with a php
script. However, if you need to do something like working with files in
a user's home directory, that is where perl comes in. The php script
passes off data to a perl script and the perl script will actually use
the token to obtain a pag and do the necessary work.
using pear, install the three php modules in the php directory:
Auth_AFS, CCMR_Auth, XML_RPC (note that the XML_RPC included with php
distros will not work... on my list of things to fix).
install the perl XML_RPC lib (once again, I doubt that other XML_RPCs
would work) located in the perl directory.
start the tokend daemon... it will create /var/run/tokend.sock ... you
will need to chown this socket so that your web server can read/write
to it (we have a start_tokend script that starts tokend and then does
/bin/chown apache /var/runtokend.sock)
Take a look at the examples: in the htdocs directory and the
There is a lot of code that is repetitive. So, what we do is a
require("ccmr_afs_auth.php") in our files that want to use this system.
If you look at that file, you'll see most of the auth code there. So,
in your actual web files, you just check the variable $afsauthed for
either "failure" or a username.
above, I mentioned there were two cookies. The authentication itself is
kept in the php session cookie while the info necessary to get the afs
tokens from tokend is the afs session cookie. Because the php session
cookies are not secure, we also check the validity of the tokens in the
afs session cookie via tokencheck.pl (called from the ccmr_afs_auth.php
script). The AFS session cookies are secure cookies. This extra check
helps to protect the session from being stolen.
Because the afs session cookies are secure cookies, system only works
on https web sites (and you don't want afs passwords being typed in on
non-ssl connections anyway).
In the ccmr_afs_auth.php script, you'll notice we also have some mysql
database code (you should probably comment this out). The purpose of
this code is as follows: we have a special class of users who are
emailed temporary passwords. In the mysql database, we keep track of
whether or not the password has been changed from the emailed temporary
password. So, we do the check, and if not changed, force a password
In the ccmr_afs_auth.php script, you'll need to update the cell name in
the call to new CCMR_AUTH(array(...
Because we are messing with cookies, the require("ccmr_afs_auth.php")
must take place before any php script output. However, if you look in
the script, you'll see a variable named showLogin, set to true. You can
set this to false (before the require), and then call check the result
of mustChngPW to see if a password change is necessary, and call
ChngCCMRPW() to put the password change dialog where you would like.
You can also then check $afsauthed and if authentication is necessary,
call CCMR_Auth_drawLogin() to put the login dialog where you would like
instead of where the ccmr_afs_auth.php script puts it (at the top of
ccmr_afs_auth.php redirects php error output to /tmp/php.log... see
As always, if you find a bug or hole or just would like to add
something, feel free to send me a patch, which I'll look over and then
Send them along to me.
David William Botsch
CCMR Computing Facility