Login form and OTP integration #104

Open
shaohme opened this issue Sep 1, 2016 · 8 comments

Comments

@shaohme

shaohme commented Sep 1, 2016

Just a suggestion;
Would it be overkill to integrate a login form instead of just basic auth fallback, and support OTP from MIT KRB5 in the same auth form?

@simo5
Contributor

simo5 commented Sep 1, 2016

Not overkill but there are other modules that can do that and circle back to mod_auth_gssapi.
This is some work we have done in the FreeIPA project to transition from x509 auth to have a krb ticket:
http://www.freeipa.org/page/V4/External_Authentication
I would probably use a similar approach rather than trying to bake in a form login method, especially because the main mantra of mod_auth_gssapi is that it uses exclusively gssapi and never krb5 directly.

@shaohme
Author

shaohme commented Sep 3, 2016

I'm not sure how the circle back would work. For instance, MAG doesn't seem to register as an authnz provider for use in mod_auth_form...

@simo5
Contributor

simo5 commented Sep 6, 2016

@adelton can you comment on the above idea ?

@adelton
Contributor

adelton commented Sep 6, 2016

@shaohme, could you provide some mod_auth_form configuration that you envision to be used with the OTP setup?

@shaohme
Author

shaohme commented Sep 6, 2016

@adelton The current mod_auth_form code doesn't seem to be able to handle it.

I was thinking about modifying or forking the code to be able to take httpd_username, httpd_password, and an optional httpd_otp, or maybe N httpd_ variables. These variables get passed along to the modules that need them.

Either these variables need to be presented all on one HTML form, or username + password on one HTML page, and OTP input on another page. This is because MIT-KRB5 first needs FAST established, then asks for the principal, then the OTP challenge.
Below is a very early draft of an Apache config:

<Location /auth>
    AuthType form
    AuthFormProvider gssapi
    AuthFormRoundsUrl http://host/auth
    AuthFormRounds 0:httpd_username,httpd_password,1:httpd_otp,2:httpd_foo,httpd_bar
</Location>

mod_auth_form keeps state of where the client is in the auth process locally (by cookies perhaps?), and redirects the user to the next URL, perhaps with a query (/auth?stage=[0,1,2,3....]), on which she submits the next load of values, until the process is done.
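
As an added model of the rounds proposal above (this is not code from the issue, from mod_auth_form or from mod_auth_gssapi): it parses the proposed AuthFormRounds syntax into per-round field lists and walks a client through the rounds, keeping the current stage server-side so that the client-visible ?stage= query parameter cannot be used to skip the OTP round. The DemoBackend class, its user table and the in-memory session store are constructed stand-ins for the module that would actually consume each round's variables; the hypothetical rounds URL is the http://host/auth from the draft config.

```python
import re
import secrets


def parse_rounds(spec):
    """Parse the proposed AuthFormRounds value, e.g.
    '0:httpd_username,httpd_password,1:httpd_otp,2:httpd_foo,httpd_bar'
    into {0: [...], 1: [...], 2: [...]}.  Round indices must be contiguous
    from 0 and every round must name at least one field."""
    rounds = {}
    current = None
    for token in spec.split(","):
        token = token.strip()
        m = re.match(r"^(\d+):(.*)$", token)
        if m:
            current = int(m.group(1))
            if current in rounds:
                raise ValueError("duplicate round %d" % current)
            rounds[current] = []
            token = m.group(2)
        if current is None:
            raise ValueError("field %r appears before any round index" % token)
        if not token:
            raise ValueError("empty field name in round %d" % current)
        rounds[current].append(token)
    if sorted(rounds) != list(range(len(rounds))):
        raise ValueError("round indices must be contiguous from 0")
    return rounds


class DemoBackend:
    """Constructed stand-in for the module that would consume each round's
    variables (in the real proposal: FAST, then principal, then OTP)."""

    def __init__(self, users):
        self.users = users  # {username: (password, otp)}, constructed sample data

    def step(self, stage, values):
        if stage == 0:
            pw, _ = self.users.get(values["httpd_username"], (None, None))
            return pw is not None and secrets.compare_digest(pw, values["httpd_password"])
        if stage == 1:
            _, otp = self.users[values["httpd_username"]]
            return secrets.compare_digest(otp, values["httpd_otp"])
        return True  # later rounds carry extra variables this stand-in ignores


class FormRounds:
    def __init__(self, spec, backend, rounds_url="http://host/auth"):
        self.rounds = parse_rounds(spec)
        self.backend = backend
        self.rounds_url = rounds_url
        # Server-side state: opaque cookie value -> {'stage': n, 'values': {...}}
        self.sessions = {}

    def start(self):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"stage": 0, "values": {}}
        return sid

    def next_url(self, stage):
        return "%s?stage=%d" % (self.rounds_url, stage)

    def submit(self, sid, requested_stage, form):
        """Process one round.  Returns ('redirect', url), ('done', user),
        ('denied', stage) or ('error', reason)."""
        sess = self.sessions.get(sid)
        if sess is None:
            return ("error", "unknown session")
        # ?stage= is client-controlled; the server-side record decides which
        # round is due, so a client cannot jump past the OTP round.
        if requested_stage != sess["stage"]:
            return ("error", "stage mismatch")
        fields = self.rounds[sess["stage"]]
        missing = [f for f in fields if not form.get(f)]
        if missing:
            return ("error", "missing " + ",".join(missing))
        sess["values"].update((f, form[f]) for f in fields)
        if not self.backend.step(sess["stage"], sess["values"]):
            del self.sessions[sid]  # failed round: drop partial state, restart from 0
            return ("denied", sess["stage"])
        sess["stage"] += 1
        if sess["stage"] < len(self.rounds):
            return ("redirect", self.next_url(sess["stage"]))
        del self.sessions[sid]
        return ("done", sess["values"]["httpd_username"])


if __name__ == "__main__":
    fr = FormRounds("0:httpd_username,httpd_password,1:httpd_otp,2:httpd_foo,httpd_bar",
                    DemoBackend({"alice": ("correct horse", "123456")}))
    sid = fr.start()
    print(fr.submit(sid, 0, {"httpd_username": "alice", "httpd_password": "correct horse"}))
    print(fr.submit(sid, 1, {"httpd_otp": "123456"}))
    print(fr.submit(sid, 2, {"httpd_foo": "x", "httpd_bar": "y"}))
```

The design point worth keeping from this model is that the stage lives in the server-side record keyed by the cookie, and a failed round discards the partial record, so the second page (OTP) is only ever reached through a successful first page.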

@iboukris
Contributor

iboukris commented Sep 6, 2016

I think it would be nice if we exposed our basic-auth API as an authentication provider by implementing a check_password() function and registering it via ap_register_auth_provider(AUTHN_PROVIDER_GROUP).

This will allow it to be used as a parameter to AuthFormProvider and also allow it to be stacked along with other basic authentication providers in the AuthBasicProvider directive (and perhaps other advantages such as alternative caching via mod_authn_socache).

As regards the additional OTP, I think it could be provided via other config / module directly.

@adelton
Contributor

adelton commented Jul 18, 2017

In general, mod_intercept_form_submit (via mod_authnz_pam), with fallback to mod_auth_gssapi, would likely provide a reasonable solution.

@simo5
Contributor

simo5 commented Oct 3, 2017

PR #151 seems to implement what @Frenche suggested; it needs some polishing but should give at least basic auth.
