10.5. University of Cambridge 'Raven' authentication

Allocating new user names and passwords for access to sites is a problem. It requires users to remember additional passwords, and requires administrators to create, issue, re-issue and revoke accounts. Worse, basic authentication is insecure in the face of an attacker who can monitor the network: the credentials travel with every request, merely Base64-encoded, unless the connection is protected by SSL. Raven, the central web authentication system provided by the Computing Service, addresses these issues: users log in once at the central Raven server, which then vouches for their identity to participating sites.

Under Apache, Raven is implemented by ucam_webauth_module, but since this doesn't come with Apache we first need to obtain a copy and build it. Building the module requires the apache2-devel and openssl-devel packages, which we also have to install if they are not already available. We also need a copy of the public key that ucam_webauth_module uses to validate responses from the central Raven server.

Building and installing ucam_webauth_module

  1. Install the apache2-devel and openssl-devel packages

    
    # rug install apache2-devel openssl-devel
    Resolving Dependencies...
    
    The following packages will be installed:
      apache2-devel 2.2.3-16.2 (SLES10-Updates)
      libapr1-devel 1.2.2-13.2 (SLES10-Base)
        libapr1-devel-1.2.2-13.2.i586[SLES10-Base] needed by apache2-devel...
        
      libapr-util1-devel 1.2.2-13.2 (SLES10-Base)
        libapr-util1-devel-1.2.2-13.2.i586[SLES10-Base] needed by apache2-...
        
      openssl-devel 0.9.8a-18.13 (SLES10-Updates)
    
    Proceed with transaction? (y/N) y
    
    Downloading Packages...
    
    Transaction...
    
    Transaction Finished
    
              
  2. Building and installing the module

    The Raven module, together with other Raven resources, is available from the Raven project pages.

    
    # tar zxf mod_ucam_webauth-1.4.0.tar.gz
    # cd mod_ucam_webauth-1.4.0
    # apxs2 -c -i -lcrypto mod_ucam_webauth.c
    /usr/lib/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic -
    O2 -march=i586 -mtune=i686 -fmessage-length=0 -Wall -D_FORTIFY_SOURCE=
    2 -g -fPIC -Wall -fno-strict-aliasing -DLDAP_DEPRECATED  -DLINUX=2 -D_
    REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -DAP_DEBUG -pthread -I/u
    sr/include/apache2  -I/usr/include   -I/usr/include/apr-1   -c -o mod_
    ucam_webauth.lo mod_ucam_webauth.c && touch mod_ucam_webauth.slo
    /usr/lib/apr-1/build/libtool --silent --mode=link gcc -o mod_ucam_webaut
    h.la  -lcrypto -rpath /usr/lib/apache2 -module -avoid-version    mod_uca
    m_webauth.lo
    /usr/share/apache2/build/instdso.sh SH_LIBTOOL='/usr/lib/apr-1/build/lib
    tool' mod_ucam_webauth.la /usr/lib/apache2
    /usr/lib/apr-1/build/libtool --mode=install cp mod_ucam_webauth.la /usr/
    lib/apache2/
    cp .libs/mod_ucam_webauth.so /usr/lib/apache2/mod_ucam_webauth.so
    cp .libs/mod_ucam_webauth.lai /usr/lib/apache2/mod_ucam_webauth.la
    cp .libs/mod_ucam_webauth.a /usr/lib/apache2/mod_ucam_webauth.a
    ranlib /usr/lib/apache2/mod_ucam_webauth.a
    chmod 644 /usr/lib/apache2/mod_ucam_webauth.a
    PATH="$PATH:/sbin" ldconfig -n /usr/lib/apache2
    ----------------------------------------------------------------------
    Libraries have been installed in:
       /usr/lib/apache2
    
    If you ever happen to want to link against installed libraries
    in a given directory, LIBDIR, you must either use libtool, and
    specify the full pathname of the library, or use the `-LLIBDIR'
    flag during linking and do at least one of the following:
       - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
         during execution
       - add LIBDIR to the `LD_RUN_PATH' environment variable
         during linking
       - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
       - have your system administrator add LIBDIR to `/etc/ld.so.conf'
    
    See any operating system documentation about shared libraries for
    more information, such as the ld(1) and ld.so(8) manual pages.
    ----------------------------------------------------------------------
    chmod 755 /usr/lib/apache2/mod_ucam_webauth.so
              
  3. Installing the Raven key

    Raven uses public key cryptography to prevent replies from the central servers from being forged: the server signs each reply, and ucam_webauth_module checks the signature before trusting it. To do this the module needs access to the current Raven public key (pubkey2 here). Since anyone who can replace that file can make the module accept forged replies, the key directory and its contents should be owned by root and writable by nobody else.

    
    # mkdir /etc/apache2/webauth_keys
    # cp pubkey2 /etc/apache2/webauth_keys
              

ucam_webauth_module is configured much like other authentication modules. It relies on the standard authz_user_module to control user access and on authz_groupfile_module for group file support, so you must load them as well. ucam_webauth_module also needs a secret key, set with AACookieKey, which it uses to check that the cookies it sets have not been tampered with; this key appears in plain text in the configuration, so make sure that file is not readable by other users on the server.

LoadModule      authz_user_module      /usr/lib/apache2/mod_authz_user.so
LoadModule      authz_groupfile_module /usr/lib/apache2/mod_authz_groupfile.so

LoadModule      ucam_webauth_module    /usr/lib/apache2/mod_ucam_webauth.so
AACookieKey     "now is the time for all good chickens to be counted"
AAKeyDir        /etc/apache2/webauth_keys

<Directory /srv/www/WWW/bestiary>
  AuthType      Ucam-WebAuth
  AuthGroupFile /etc/apache2/access/group
  Require       group managers
</Directory>

Syntax summary: implementing Raven

AACookieKey "some string"

A secret key used to protect the module's cookies from tampering. Any long, unpredictable string is fine; a random string of thirty or more characters is a reasonable choice. The key must be kept secret, since with knowledge of the key an attacker can forge a cookie and so forge authentication; a guessable key (a familiar phrase, for example) is little better than none, because an attacker holding one genuine cookie can try candidate keys offline until one validates it.

AAKeyDir path

Pathname of the directory containing the public keys that ucam_webauth_module uses to check replies from the Raven server. In many builds this defaults to something sensible under /etc/apache2; this isn't the case with SLES's Apache build, so it must be set explicitly.

AuthType Ucam-WebAuth

Selects Raven authentication.
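
As an added example (not part of this handout, and not mod_ucam_webauth's own code), the following Python sketch shows why the AACookieKey description above insists on a secret, unpredictable key. It models a cookie the way an authentication module might: a payload naming the principal and its validity window, followed by a keyed MAC computed with the configured key. The cookie layout, the field names and the three-entry wordlist are constructed for the illustration; only the principle carries over to the real module, namely that the server can check a cookie is its own, and anyone who knows or guesses the key can mint one.

```python
"""Why AACookieKey must be secret and unpredictable.

Added example, not code from mod_ucam_webauth. The cookie layout below is a
hypothetical stand-in (principal!issued!life!tag) that only mirrors the idea
the handout describes: the module sets a cookie after a successful Raven
login and later uses the configured key to check that the cookie is its own
and has not been altered. The real module's cookie format is not reproduced.
"""
import hashlib
import hmac
import secrets
import time

SEP = "!"


def _tag(key: str, payload: str) -> str:
    """Keyed MAC over the cookie payload; only a holder of the key can produce it."""
    return hmac.new(key.encode(), payload.encode(), hashlib.sha256).hexdigest()


def _split(cookie: str):
    """Parse principal!issued!life!tag; None if the shape is wrong."""
    parts = cookie.split(SEP)
    if len(parts) != 4 or not (parts[1].isdigit() and parts[2].isdigit()):
        return None
    principal, issued, life, tag = parts
    return principal, int(issued), int(life), tag


def make_cookie(key: str, principal: str, issued: int, life: int) -> str:
    """Mint a cookie for principal, valid from issued for life seconds."""
    if SEP in principal:
        raise ValueError("principal must not contain the field separator")
    payload = SEP.join([principal, str(issued), str(life)])
    return payload + SEP + _tag(key, payload)


def verify_cookie(key: str, cookie: str, now: int):
    """Return the principal if the tag checks out and the cookie is in date, else None."""
    parsed = _split(cookie)
    if parsed is None:
        return None
    principal, issued, life, tag = parsed
    payload = SEP.join([principal, str(issued), str(life)])
    # compare_digest avoids leaking the position of a mismatch through timing
    if not hmac.compare_digest(_tag(key, payload), tag):
        return None
    if not issued <= now < issued + life:
        return None
    return principal


def recover_key(cookie: str, candidates):
    """Offline attack on a guessable key: try each candidate against one captured cookie.

    Expiry is irrelevant to the attacker, so only the MAC is checked.
    """
    parsed = _split(cookie)
    if parsed is None:
        return None
    principal, issued, life, tag = parsed
    payload = SEP.join([principal, str(issued), str(life)])
    for guess in candidates:
        if hmac.compare_digest(_tag(guess, payload), tag):
            return guess
    return None


def suggest_key() -> str:
    """A key fit for AACookieKey: 32 random bytes as URL-safe Base64 (43 characters)."""
    return secrets.token_urlsafe(32)


def demo() -> str:
    """Walk through the honest check, a tampering attempt and a key-guessing attack."""
    now = int(time.time())
    weak_key = "now is the time for all good chickens to be counted"  # the handout's example
    cookie = make_cookie(weak_key, "abc123", now, 3600)

    assert verify_cookie(weak_key, cookie, now) == "abc123"  # genuine cookie accepted
    # Editing the principal without the key breaks the tag and is rejected.
    assert verify_cookie(weak_key, cookie.replace("abc123", "admin", 1), now) is None

    # A phrase printed in a handout is within reach of a wordlist (constructed, three entries).
    wordlist = ["password",
                "now is the time for all good men to come to the aid of the party",
                weak_key]
    found = recover_key(cookie, wordlist)
    assert found == weak_key
    # With the key recovered, the attacker mints a cookie for any principal and it is accepted.
    minted = make_cookie(found, "admin", now, 3600)
    return verify_cookie(weak_key, minted, now)


if __name__ == "__main__":
    print("forged principal accepted as:", demo())
    print("a better AACookieKey:", suggest_key())
```

Run directly, the script shows the forged principal being accepted and prints a freshly generated random string suitable for pasting into AACookieKey. The two lessons for the configuration above are that a phrase anyone might guess is effectively public, and that the key's secrecy depends on the permissions of the file it lives in.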