Apache mod_auth_tkt

Current version: mod_auth_tkt 2.1.0

Introduction

mod_auth_tkt is a lightweight single-sign-on authentication module for apache, supporting versions 1.3.x, 2.0.x, and 2.2.x. It uses secure cookie-based tickets to implement a single-signon framework that works across multiple apache instances and servers.

mod_auth_tkt itself is completely repository-agnostic, as the actual authentication is done by a user-supplied CGI or script in your language of choice (examples are provided in Perl, with contrib libraries for use with python and PHP). This allows authentication against virtually any kind of user repository you can imagine (password files, ldap directories, databases, etc.).

mod_auth_tkt supports inactivity timeouts (including the ability to control how aggressively the ticket is refreshed), the ability to include arbitrary user data within the cookie, configurable cookie names and domains, and token-based access to subsections of a site.

mod_auth_tkt works by checking incoming Apache requests for a (user-defined) cookie containing a valid authentication ticket. The ticket is checked by generating an MD5 checksum for the username and any (optional) user data from the ticket together with the requesting IP address and a shared secret available to the server. If the generated MD5 checksum matches the ticket's checksum, the ticket is valid and the request is authorised. Requests without a valid ticket are redirected to a configurable URL which is expected to validate the user and generate a ticket for them. This package includes a Perl module and working CGI scripts for generating the cookies, as well as contributed classes for PHP and Python environments.
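As an added illustration, not code from the project, the following Python sketch shows the check described above: a ticket is a hex checksum followed by a hex timestamp and the user/tokens/data fields, and the server recomputes the checksum from those fields plus the client IP and the shared secret. The digest layout is modelled on the two-pass MD5 used by the project's Perl helper as I recall it (an assumption; confirm against your installed version), SECRET is a constructed placeholder, and the constant-time comparison and timeout check are defender-side additions rather than something this page specifies.

```python
import hashlib
import hmac
import socket
import struct
import time

SECRET = b"example-shared-secret"  # constructed placeholder; deployments share one secret across servers

def _digest(ip, ts, user, tokens, data, secret):
    # Assumed layout: MD5(ip4 || ts_be32 || secret || user \0 tokens \0 data), then MD5(hex1 || secret)
    raw = (socket.inet_aton(ip) + struct.pack(">I", ts) + secret
           + user.encode() + b"\0" + tokens.encode() + b"\0" + data.encode())
    first = hashlib.md5(raw).hexdigest().encode()
    return hashlib.md5(first + secret).hexdigest()

def make_ticket(user, ip, secret=SECRET, tokens="", data="", ts=None):
    # Ticket = 32 hex digest chars, 8 hex timestamp chars, then user!tokens!data
    ts = int(time.time()) if ts is None else ts
    return f"{_digest(ip, ts, user, tokens, data, secret)}{ts:08x}{user}!{tokens}!{data}"

def verify_ticket(ticket, ip, secret=SECRET, timeout=7200, now=None):
    """Return (user, tokens, data) for a valid, unexpired ticket, else None."""
    if len(ticket) < 40:
        return None
    digest, ts_hex, rest = ticket[:32], ticket[32:40], ticket[40:]
    try:
        ts = int(ts_hex, 16)
    except ValueError:
        return None
    parts = rest.split("!", 2)  # user data may itself contain '!'
    if len(parts) != 3:
        return None
    user, tokens, data = parts
    expected = _digest(ip, ts, user, tokens, data, secret)
    # Constant-time comparison so a forged digest cannot be matched byte by byte via timing
    if not hmac.compare_digest(digest, expected):
        return None
    now = int(time.time()) if now is None else now
    if timeout and now - ts > timeout:  # inactivity/age timeout, measured from the ticket timestamp
        return None
    return user, tokens, data
```

Any change to the user, tokens, data, timestamp or requesting IP invalidates the checksum, which is why the shared secret must stay confined to the servers.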

Features

The mod_auth_tkt scheme has a number of advantages over alternative authentication schemes:

Advantages

  1. Usable on any apache webserver: because it's written in C using only the Apache C API, mod_auth_tkt should be usable on the simplest stripped down Apache server - no mod_perl, mod_php, or servlets required. mod_auth_tkt's only requirement is that Apache supports DSO (Dynamic Shared Objects).

  2. Single-signon across Apaches and machines, including mixed environments: mod_auth_tkt enables a user to login once and then be seamlessly authorised across multiple Apaches or machines. Mixed environments work fine too - lightweight static HTML Apache with heavier mod_perl/mod_php/servlet enabled Apache, or a mixed Unix/Windows environment. The only requirement is a shared secret across all the servers.

  3. Pluggable authentication and authorisation: mod_auth_tkt hands off the authentication and authorisation problem to the URL of your choice. This means that you can use whatever technology (CGI, Perl, PHP, ASP, Java etc.) and whatever repositories (passwd files, LDAP, NIS, RDBMS, radius, or any combination thereof) you like - as long as the authorising page or script generates a valid ticket for a valid user everything should work just fine.

  4. Drop-in replacement for Basic Authentication: mod_auth_tkt sets the Basic Authentication REMOTE_USER environment variable on authorised requests, so that existing scripts that work with Basic Authentication should work unchanged in a mod_auth_tkt environment.

  5. No server-side storage requirements: because cookies are basically a client-side storage technology, there are no storage requirements on the server side - no session database is required (although you're free to use one if it already exists).

  6. Cross-domain authentication support: (as of version 1.3.8) although cookies are domain specific, the newest version of mod_auth_tkt allows initial tickets to be passed via URLs, allowing single-signon across completely unrelated domains (www.foo.com and www.bar.com).

Disadvantages

  1. Requires cookies: browsers without cookie support will never have a valid ticket and will therefore never be authorised by mod_auth_tkt. There are no current plans to support non-cookie-based authentication.

Download

RPM packages can also be built from the tarball:

rpmbuild -tb mod_auth_tkt-2.1.0.tar.gz

Mailing List

The modauthtkt-users mailing list is available for general mod_auth_tkt discussion, courtesy of sourceforge:

Licence

mod_auth_tkt is licensed under the terms of the Apache License of the Apache Software Foundation.