Allocating new user names and passwords for access to sites is a problem. It requires users to remember additional passwords, and requires administrators to create, issue, re-issue and revoke accounts. Worse, basic authentication is insecure in the face of an attacker who can monitor networks. Raven, a central authentication system provided by the Computing Service, attempts to address these issues.
Under Apache, Raven is implemented by ucam_webauth_module, but since this doesn't come with Apache we first need to collect a copy and build it. Building the module requires the apache2-devel and openssl-devel packages which we'll also have to install if they are not already available. We also need a copy of the public key that ucam_webauth_module uses to validate responses from the central Raven server.
Building and installing ucam_webauth_module
Install the apache2-devel and openssl-devel packages
# rug install apache2-devel openssl-devel
Resolving Dependencies...

The following packages will be installed:
apache2-devel 2.2.3-16.2 (SLES10-Updates)
libapr1-devel 1.2.2-13.2 (SLES10-Base)
  libapr1-devel-1.2.2-13.2.i586[SLES10-Base] needed by apache2-devel...
libapr-util1-devel 1.2.2-13.2 (SLES10-Base)
  libapr-util1-devel-1.2.2-13.2.i586[SLES10-Base] needed by apache2-...
openssl-devel 0.9.8a-18.13 (SLES10-Updates)
Proceed with transaction? (y/N) y
Downloading Packages...
Transaction...
Transaction Finished
Building and installing the module
The Raven module, along with other Raven resources, is available from the Raven project pages.
# tar zxf mod_ucam_webauth-1.4.0.tar.gz
# cd mod_ucam_webauth-1.4.0
# apxs2 -c -i -lcrypto mod_ucam_webauth.c
/usr/lib/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -march=i586 -mtune=i686 -fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2 -g -fPIC -Wall -fno-strict-aliasing -DLDAP_DEPRECATED -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -DAP_DEBUG -pthread -I/usr/include/apache2 -I/usr/include -I/usr/include/apr-1 -c -o mod_ucam_webauth.lo mod_ucam_webauth.c && touch mod_ucam_webauth.slo
/usr/lib/apr-1/build/libtool --silent --mode=link gcc -o mod_ucam_webauth.la -lcrypto -rpath /usr/lib/apache2 -module -avoid-version mod_ucam_webauth.lo
/usr/share/apache2/build/instdso.sh SH_LIBTOOL='/usr/lib/apr-1/build/libtool' mod_ucam_webauth.la /usr/lib/apache2
/usr/lib/apr-1/build/libtool --mode=install cp mod_ucam_webauth.la /usr/lib/apache2/
cp .libs/mod_ucam_webauth.so /usr/lib/apache2/mod_ucam_webauth.so
cp .libs/mod_ucam_webauth.lai /usr/lib/apache2/mod_ucam_webauth.la
cp .libs/mod_ucam_webauth.a /usr/lib/apache2/mod_ucam_webauth.a
ranlib /usr/lib/apache2/mod_ucam_webauth.a
chmod 644 /usr/lib/apache2/mod_ucam_webauth.a
PATH="$PATH:/sbin" ldconfig -n /usr/lib/apache2
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/lib/apache2

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
chmod 755 /usr/lib/apache2/mod_ucam_webauth.so
Installing the Raven key
Raven uses public key cryptography to prevent replies from the central servers from being forged. To validate these replies, ucam_webauth_module needs access to the current Raven public key.
# mkdir /etc/apache2/webauth_keys
# cp pubkey2 /etc/apache2/webauth_keys
ucam_webauth_module is configured much like other authentication modules. It relies on the standard authz_user_module to control user access and on authz_groupfile_module for group-file support, so you must load those as well. ucam_webauth_module also needs a random string to validate the cookies it sets, so you must provide that too.
LoadModule authz_user_module /usr/lib/apache2/mod_authz_user.so
LoadModule authz_groupfile_module /usr/lib/apache2/mod_authz_groupfile.so
LoadModule ucam_webauth_module /usr/lib/apache2/mod_ucam_webauth.so

AACookieKey "now is the time for all good chickens to be counted"
AAKeyDir /etc/apache2/webauth_keys

<Directory /srv/www/WWW/bestiary>
    AuthType Ucam-WebAuth
    AuthGroupFile /etc/apache2/access/group
    Require group managers
</Directory>
Syntax summary: implementing Raven
AACookieKey
    A random key used to protect cookies from tampering. Any unpredictable string is fine. This key must be kept secret, since with knowledge of the key an attacker can forge authentication.

AAKeyDir
    Pathname of a directory containing the public keys used by ucam_webauth_module. In many cases this defaults to something sensible under /etc/apache2; this isn't the case with SLES's Apache build.

AuthType Ucam-WebAuth
    Selects Raven authentication.
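The two directives above that matter for security are AACookieKey (must be unpredictable and secret) and AAKeyDir (must hold the current Raven public key). The script below is an added example, not part of these notes or of mod_ucam_webauth: it generates a cookie key from the system random source, writes the configuration shown above into a root-only file, and checks the result. The module, key-directory and group-file paths are the ones used above; the config file path passed as the first argument is the caller's choice.

```shell
#!/bin/sh
# Added example, not from the original notes: generate an unpredictable
# AACookieKey, write the Raven directives from above into a root-only config
# file, and check the result. Paths for the module, key directory and group
# file are the page's own; the config file location is the caller's choice.
set -eu

# 24 random bytes as 48 hex characters: openssl(1) if present, else /dev/urandom.
gen_cookie_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 24
    else
        head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# Write the configuration with mode 0600: the cookie key must stay secret, since
# anyone who can read it can forge the cookies ucam_webauth_module trusts.
write_raven_conf() {
    conf=$1 keydir=$2 cookie_key=$3
    ( umask 077; cat > "$conf" <<EOF
LoadModule authz_user_module /usr/lib/apache2/mod_authz_user.so
LoadModule authz_groupfile_module /usr/lib/apache2/mod_authz_groupfile.so
LoadModule ucam_webauth_module /usr/lib/apache2/mod_ucam_webauth.so
AACookieKey "$cookie_key"
AAKeyDir $keydir
<Directory /srv/www/WWW/bestiary>
    AuthType Ucam-WebAuth
    AuthGroupFile /etc/apache2/access/group
    Require group managers
</Directory>
EOF
    )
}

# Post-install checks: the public key that Raven replies are verified against is
# in place, and the cookie key is neither the sample string nor under 32 chars.
check_raven_setup() {
    conf=$1 keydir=$2
    [ -f "$keydir/pubkey2" ] || { echo "no pubkey2 in $keydir" >&2; return 1; }
    if grep -q 'AACookieKey "now is the time' "$conf"; then
        echo "sample AACookieKey still in use" >&2; return 1
    fi
    grep -Eq '^AACookieKey "[^"]{32,}"' "$conf" \
        || { echo "AACookieKey too short" >&2; return 1; }
    echo "raven config in $conf looks sane"
}
```

Run it as root with, for instance, `write_raven_conf /etc/apache2/conf.d/raven.conf /etc/apache2/webauth_keys "$(gen_cookie_key)"` followed by `check_raven_setup` on the same two paths and `apache2ctl -t`.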