On Fri, 29 May 1998, David Winkel wrote:

| Or something similar.  Honestly, I don't know if the code that we have is
| exportable though I don't know why it wouldn't be, we're just making AFS
| library calls.  Marcus Watts might know.  It runs here in production, but
| needs a few code tweaks; I'll be working on that next week.  (Basically
| it's reliable here, but anything that pages me once a month or more isn't
| reliable enough.  Your definition of reliable may vary, I hate getting up 
| in the morning.) 

  We're running Dave's 'authcookie' stuff internally, although I have been
cautious about putting it in production until we were confident there
weren't any hidden surprises.  Dave has been responsive to my enhancement
requests and bug fixes, although I'm always leery of running and depending
on software for which support is one busy person who doesn't work for us.

  From what I've seen authcookie is probably the best implementation of
the Kerberos-to-cookies browser authentication strategies.  The Apache
module is fairly complete.  There are other similar approaches, but they
either don't have an Apache module (and thus require CGI programs to do
their own checking and don't deal with .htaccess-style access control
restrictions), or require mod_perl, which I'd prefer not to have to run.

  The only thing that I would probably change about authcookie is that it
uses a daemon process to manage the valid cookie database.  Given my
druthers I'd probably use an HMAC-style 'signed' cookie instead, which
reduces dependencies on a daemon process which may die.  SHA hash
operations are fairly inexpensive. 

  My $0.02.  :-)  I'm not complaining.

  Dave's done a good job with this.  If other folks would use it I'm sure
it could be made even better, and could be more flexible.  Accommodating
multiple authentication backends (Kerberos, NIS, etc.) could also be done
fairly easily.  I actually use MIT Kerberos instead of AFS Kerberos for
the authentication database for this service...there are no code changes
necessary...just pointing to the right K4 libraries.

  -brian

--
Brian W. Spolarich - ANS Communications - [EMAIL PROTECTED] - 734-214-7311
              "Not a whit, we defy augury." - Hamlet, V, ii

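The HMAC-style signed cookie suggested in the message above, as an added example that is not authcookie's code or anything posted to the list: the server signs the principal and an expiry time, so any web server holding the key can validate the cookie without asking a daemon. HMAC-SHA-256 stands in for the "SHA hash" the message mentions, and the key, lifetime, cookie layout and function names are assumptions.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo key; a real deployment loads a random secret shared by the web servers.
SECRET_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE = 8 * 3600  # assumed cookie lifetime in seconds


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_cookie(principal: str, now=None, key=SECRET_KEY) -> str:
    """Called once, after the Kerberos login has succeeded."""
    expires = int(now if now is not None else time.time()) + MAX_AGE
    payload = f"{principal}|{expires}".encode("utf-8")
    return f"{_b64(payload)}.{_b64(_mac(payload, key))}"


def verify_cookie(cookie: str, now=None, key=SECRET_KEY):
    """Return the principal, or None if the cookie is forged, malformed or expired."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
        # Check the MAC in constant time before parsing client-controlled fields.
        if not hmac.compare_digest(tag, _mac(payload, key)):
            return None
        principal, expires = payload.decode("utf-8").rsplit("|", 1)
        if int(expires) < int(now if now is not None else time.time()):
            return None
        return principal
    except (ValueError, UnicodeDecodeError):
        return None
```

With no server-side cookie database, a single cookie cannot be revoked before its expiry; that takes a short lifetime, a key rotation, or a small denylist.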