[mod_pubcookie/el6/master] initial commit

Gabriel L. Somlo somlo at fedoraproject.org
Wed Oct 6 00:23:39 UTC 2010


commit b53f7c315826014c7d6d7d4af8ef01e3992a3536
Author: Gabriel L. Somlo <somlo at saigon.ini.cmu.edu>
Date:   Tue Oct 5 20:23:41 2010 -0400

    initial commit

 .gitignore                       |    1 +
 key.config                       |   42 ++++
 keyclient.8                      |   63 ++++++
 keyserver.8                      |   40 ++++
 keyserver.xinetd                 |   13 ++
 mod_pubcookie.spec               |   98 +++++++++
 modpubcookie.conf                |  442 ++++++++++++++++++++++++++++++++++++++
 pubcookie-3.3.3-installdir.patch |  176 +++++++++++++++
 pubcookie_login.conf             |   28 +++
 sources                          |    1 +
 10 files changed, 904 insertions(+), 0 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index e69de29..dab12ef 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/pubcookie-3.3.4a.tar.gz
diff --git a/key.config b/key.config
new file mode 100644
index 0000000..02107f1
--- /dev/null
+++ b/key.config
@@ -0,0 +1,42 @@
+# entries applicable to both keyclient and keyserver:
+#####################################################
+
+keymgt_uri: https://pubcookie.example.edu:2222
+ssl_key_file: /etc/pki/tls/private/localhost.key
+ssl_cert_file: /etc/pki/tls/certs/localhost.crt
+ssl_ca_file: /etc/pki/tls/certs/server-chain.crt
+
+# entries specific to keyserver only:
+# (uncomment, editing as needed)
+#####################################
+
+######################################
+# ATTENTION: On the server, please make sure the file pointed to by the
+# 'ssl_key_file' statement is owned by the user running the web server
+# (e.g., 'apache' on Fedora). By default, that file may be owned by root
+# and read before httpd switches UIDs to 'apache', but then pubcookie's
+# 'index.cgi' script will not be able to read it !
+######################################
+
+# login server config
+#login_uri: https://pubcookie.example.edu/login_demo/
+#login_host: pubcookie.example.edu
+#enterprise_domain: .example.edu
+#logout_prog: /logout/index.cgi
+
+# keyserver config
+#keyserver_client_list: login.example.edu trusted.example.edu
+
+# the credential verifier used by the basic flavor
+#basic_verifier: alwaystrue
+
+# granting keypair:
+#granting_key_file: /etc/pki/tls/private/localhost.key
+#granting_cert_file: /etc/pki/tls/certs/localhost.crt
+
+# 1 is a good starting point
+#logging_level: 1
+
+# site-specific policies
+#default_l_expire: 8h
+#form_expire_time: 120
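Review bot: The ATTENTION block tells the admin to make the file named by 'ssl_key_file' owned by the web server user so index.cgi can read it, but since that file is the HTTPS private key (/etc/pki/tls/private/localhost.key), doing so also makes the server's TLS key readable by every other CGI, module or script running as 'apache'. Separate key paths are clearly configurable here (see the 'granting_key_file'/'granting_cert_file' entries and the -k option of keyclient/keyserver), so the note should recommend a dedicated key pair for pubcookie with the mod_ssl key left root-only, or at least spell out the trade-off; I'd append `# NOTE: anything else running as that user can then read the key; prefer a dedicated key pair for pubcookie.` to the warning. Whether the login CGI can use a key other than the one mod_ssl uses is not visible in this commit, so confirm against the pubcookie docs before changing the guidance.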
diff --git a/keyclient.8 b/keyclient.8
new file mode 100644
index 0000000..d91dd91
--- /dev/null
+++ b/keyclient.8
@@ -0,0 +1,63 @@
+.TH "keyclient" "8" "" ""
+
+.SH "NAME"
+keyclient \- generate and distribute keys on behalf of Pubcookie.
+
+.SH "SYNOPSIS"
+.IP "\fBkeyclient [options]\fP"
+Download host key from the keyserver\&.
+.IP "\fBkeyclient -P <host> [options]\fP"
+Allow <host> to also access the keyserver\&.
+.IP "\fBkeyclient -U <cert file> [options]\fP"
+Upload <cert file> to the keyserver\&.
+.IP "\fBkeyclient -G <gcert file> [options]\fP"
+Download granting certificate from the keyserver, and write it to <gcert file>\&.
+
+.SH "DESCRIPTION"
+\fBkeyclient\fP is used by participating Pubcookie application servers to securely request keys from the login server's keyserver component\&.
+
+.SH "OPTIONS"
+.IP "\fB\-f <config file>\fP"
+Use alternate configuration file\&.
+.IP "\fB\-K <URI>\fP"
+URI of key management server (running keyserver)\&.
+.IP "\fB\-k <key file>\fP"
+Key to use for TLS authentication\&.
+.IP "\fB\-a\fP"
+Expect key file in ASN.1 format\&.
+.IP "\fB\-p\fP"
+Expect key file in PEM format (default)\&.
+.IP "\fB\-c <cert file>\fP"
+Certificate to use for TLS authentication\&.
+.IP "\fB\-C <cert file>\fP"
+CA certificate to use for client verification\&.
+.IP "\fB\-D <CA directory>\fP"
+Directory of trusted CAs, hashed OpenSSL-style\&.
+.IP "\fB\-H <host name>\fP"
+Specify requesting host name. Useful when the application server uses a wildcard certificate (CN is *.subdomain.example.edu), or if the application server host name is one of several in the certificate's Subject Alt Name field\&.
+.IP "\fB\-K <URI>\fP"
+Directory of trusted CAs, hashed OpenSSL-style\&.
+.IP "\fB\-d\fP"
+Download existing, rather than generating new host key\&.
+.IP "\fB\-u\fP"
+Upload local host key to keyserver\&.
+.IP "\fB\-n\fP"
+Just show what would be done\&.
+.IP "\fB\-q\fP"
+Quiet mode\&.
+
+
+.PP
+.SH "FILES"
+.nf
+/etc/pubcookie/config
+.fi
+
+.PP
+.SH "SEE ALSO"
+.nf
+.I keyserver (8)
+.I xinetd (8)
+.I openssl (1)
+/usr/share/doc/mod_pubcookie*/doc/*.html
+.fi
diff --git a/keyserver.8 b/keyserver.8
new file mode 100644
index 0000000..f4b661d
--- /dev/null
+++ b/keyserver.8
@@ -0,0 +1,40 @@
+.TH "keyserver" "8" "" ""
+
+.SH "NAME"
+keyserver \- generate and distribute keys on behalf of Pubcookie.
+
+.SH "SYNOPSIS"
+Usage: \fBkeyserver\fP [options]
+
+.SH "DESCRIPTION"
+\fBkeyserver\fP is the Pubcookie component which generates and distributes symmetric encryption keys for participating servers, which includes the login server and all application servers\&. \fBkeyserver\fP is designed to run as a service under inetd or xinetd\&.
+
+.SH "OPTIONS"
+All options override the values in the configuration file\&.
+.IP "\fB\-k <key file>\fP"
+Key to use for TLS authentication\&.
+.IP "\fB\-a\fP"
+Expect key file in ASN.1 format\&.
+.IP "\fB\-p\fP"
+Expect key file in PEM format (default)\&.
+.IP "\fB\-c <cert file>\fP"
+Certificate to use for TLS authentication\&.
+.IP "\fB\-C <cert file>\fP"
+CA certificate to use for client verification\&.
+.IP "\fB\-D <CA directory>\fP"
+Directory of trusted CAs, hashed OpenSSL-style\&.
+
+.PP
+.SH "FILES"
+.nf
+/etc/pubcookie/config
+.fi
+
+.PP
+.SH "SEE ALSO"
+.nf
+.I keyclient (8)
+.I xinetd (8)
+.I openssl (1)
+/usr/share/doc/mod_pubcookie*/doc/*.html
+.fi
diff --git a/keyserver.xinetd b/keyserver.xinetd
new file mode 100644
index 0000000..ac20069
--- /dev/null
+++ b/keyserver.xinetd
@@ -0,0 +1,13 @@
+# Description: pubcookie keyserver
+service keyserver
+{
+	type		= UNLISTED
+	protocol	= tcp
+	port		= 2222
+	disable		= yes
+	socket_type	= stream
+	wait		= no
+	user		= root
+	group		= tty
+	server		= /usr/sbin/keyserver
+}
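Review bot: `user = root` gives keyserver more privilege than the listener needs: xinetd already owns the port 2222 socket and hands the daemon a connected stream, and the key.config comment in this same commit already expects the TLS key to be readable by the web server user, so a dedicated unprivileged account with access only to that key and /var/lib/pubcookie would confine a keyserver compromise. `group = tty` looks like a leftover from a template rather than a deliberate choice and should be replaced along with the user. xinetd's `only_from` directive can additionally restrict which hosts may connect at all, independent of keyserver's own 'keyserver_client_list', e.g. `only_from = login.example.edu`. Whether keyserver needs write access to the key directory at runtime is not visible here, so set the account's permissions accordingly.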
diff --git a/mod_pubcookie.spec b/mod_pubcookie.spec
new file mode 100644
index 0000000..cbecf93
--- /dev/null
+++ b/mod_pubcookie.spec
@@ -0,0 +1,98 @@
+Name: mod_pubcookie
+Version: 3.3.4a
+Release: 2%{?dist}
+Summary: A solution for single sign-on authentication to websites
+License: ASL 2.0
+Group: System Environment/Daemons
+Url: http://pubcookie.org
+Source0: http://pubcookie.org/downloads/pubcookie-%{version}.tar.gz
+Source1: key.config
+Source2: modpubcookie.conf
+Source3: pubcookie_login.conf
+Source4: keyserver.xinetd
+Source5: keyclient.8
+Source6: keyserver.8
+Patch0: pubcookie-3.3.3-installdir.patch
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: httpd-devel openssl-devel openldap-devel krb5-devel
+Requires: mod_ssl
+
+%description
+A standalone login server and modules for common web server platforms like
+Apache and Microsoft IIS. Together, these components can turn existing
+authentication services (like Kerberos, LDAP, or NIS) into a solution for
+single sign-on authentication to websites throughout an institution.
+
+%package server
+Summary: The pubcookie login server components
+Group: System Environment/Daemons
+Requires: %{name} = %{version}-%{release}
+Requires: xinetd
+
+%description server
+This package contains the login server portion of pubcookie.
+
+%prep
+%setup -q -n pubcookie-%{version}
+%patch0 -p1
+# fix weird .c file permission to shut up rpmlint:
+%{__chmod} 0644 src/verify_fork.c
+
+%build
+%configure \
+    --enable-login \
+    --enable-default-des \
+    --enable-krb5 \
+    --enable-ldap \
+    --enable-shadow
+%{__make} %{?_smp_mflags} \
+    LIBS="-lcom_err" \
+    top_builddir=%{_libdir}/httpd \
+    top_srcdir=%{_libdir}/httpd
+
+%install
+%{__rm} -rf %{buildroot}
+%{__make} install DESTDIR=%{buildroot} \
+    top_builddir=%{_libdir}/httpd \
+    top_srcdir=%{_libdir}/httpd
+%{__install} -D -m 0644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/pubcookie/config
+%{__install} -D -m 0644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/httpd/conf.d/modpubcookie.conf
+%{__install} -D -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/httpd/conf.d/pubcookie_login.conf
+%{__install} -D -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/xinetd.d/keyserver
+%{__install} -D -m 0644 %{SOURCE5} %{buildroot}/%{_mandir}/man8/keyclient.8
+%{__install} -D -m 0644 %{SOURCE6} %{buildroot}/%{_mandir}/man8/keyserver.8
+
+%clean
+%{__rm} -rf %{buildroot}
+
+%files
+%defattr(-,root,root,-)
+%doc doc/*.txt doc/config.html doc/install-mod_pubcookie.html doc/mod_pubcookie-directives.html
+%config(noreplace) %{_sysconfdir}/pubcookie/config
+%config(noreplace) %{_sysconfdir}/httpd/conf.d/modpubcookie.conf
+%{_sbindir}/keyclient
+%{_mandir}/man8/keyclient.*
+%{_libdir}/httpd/modules/mod_pubcookie.so
+%dir %{_localstatedir}/%{_lib}/pubcookie
+
+%files server
+%defattr(-,root,root,-)
+%doc doc/install-filter.html doc/install-login.html doc/krb5-getcred.html
+%config(noreplace) %{_sysconfdir}/xinetd.d/keyserver
+%config(noreplace) %{_sysconfdir}/httpd/conf.d/pubcookie_login.conf
+%{_sbindir}/keyserver
+%{_mandir}/man8/keyserver.*
+%{_datadir}/pubcookie
+%{_localstatedir}/%{_lib}/pubcookie/starter.key
+
+%changelog
+* Sun Sep 05 2010 Gabriel Somlo <somlo at cmu.edu> 3.3.4a-2
+- fixed build on F13 and later
+- renamed to mod_pubcookie
+- added key[client,server] man pages
+
+* Sat Aug 21 2010 Gabriel Somlo <somlo at cmu.edu> 3.3.4a-1
+- upgrade to 3.3.4a
+
+* Thu Mar 13 2009 Gabriel Somlo <somlo at cmu.edu> 3.3.3-1
+- initial build
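Review bot: `%dir %{_localstatedir}/%{_lib}/pubcookie` and `%{_localstatedir}/%{_lib}/pubcookie/starter.key` expand to /var/lib64/pubcookie on 64-bit Fedora, whereas the installdir patch in this commit installs KEY_DIR under $(localstatedir)/lib/pubcookie and modpubcookie.conf points at /var/lib/pubcookie, so the %files lists will not match on x86_64; use `%{_sharedstatedir}/pubcookie` (or `%{_localstatedir}/lib/pubcookie`) in both places. That directory holds the symmetric keys fetched by keyclient, so it should not inherit the default from %defattr; an explicit `%attr(0750,root,<reader-group>) %dir %{_sharedstatedir}/pubcookie` with the group set to whatever account actually reads the keys would be safer. If starter.key is produced at build time, every installation of this RPM ships the same bytes; marking it %ghost and generating it in %post would avoid that, but how it is produced cannot be confirmed from this diff.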
diff --git a/modpubcookie.conf b/modpubcookie.conf
new file mode 100644
index 0000000..dfb40a3
--- /dev/null
+++ b/modpubcookie.conf
@@ -0,0 +1,442 @@
+# You should first initialize your pubcookie keys by setting 'keymgt_uri' in
+# your /etc/pubcookie/config file for keyclient, and then running:
+#
+#  'keyclient; keyclient -G /var/lib/pubcookie/pubcookie_granting.crt'
+#
+# Then, select appropriate values for the relevant directives below
+# (e.g. PubcookieLogin, PubcookieDomain, PubcookieCryptKeyfile, etc.),
+# and uncomment the following line:
+
+#LoadModule pubcookie_module	modules/mod_pubcookie.so
+
+<IfModule mod_pubcookie.c>
+
+#   AuthType directive
+#
+#      Syntax: AuthType type
+#      Context: directory, .htaccess
+#      Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
+#
+#      This directive selects the type of user authentication applied to a
+#      resource. It must be accompanied by a require directive when used with
+#      an authentication type handled by mod_pubcookie.
+#
+#      The type is case-insensitive and can be any name defined by
+#      PubcookieAuthTypeNames or supported as an existing core AuthType (e.g.
+#      Basic).
+
+#   PubcookieInactiveExpire directive
+#
+#      Syntax: PubcookieInactiveExpire expire-time-in-seconds
+#      Context: directory, .htaccess
+#      Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
+#
+#      The duration of inactivity allowed between a user and an application
+#      before the session expires. Expiration due to inactivity causes a loop
+#      thru the login server to obtain a new granting cookie.
+#
+#      The default value is 30 minutes which is defined as
+#      PBC_DEFAULT_INACT_EXPIRE in pbc_config.h. Minimium inactivity timeout
+#      is five minutes.
+#
+#      A value of -1 turns off the check for inactivity.
+
+#   PubcookieHardExpire directive
+#
+#      Syntax: PubcookieHardExpire expire-time-in-seconds
+#      Context: directory, .htaccess
+#      Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
+#
+#      The maximum duration of an application session, regardless of user
+#      activity. Expiration due to reaching the hard timeout causes a loop
+#      thru the login server to obtain a new granting cookie.
+#
+#      The default value is eight hours which is defined as
+#      PBC_DEFAULT_HARD_EXPIRE in pbc_config.h. The minimium is one hour; the
+#      maximium is twelve hours.
+
+#   PubcookieAppID directive
+#
+#      Syntax: PubcookieAppID application-name
+#      Context: directory, .htaccess
+#      Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
+#
+#      The name of the application. The default is the directory path.
+#
+#      Use of this directive may require that you set AllowOverride All in
+#      httpd.conf.
+
+#   PubcookieDirDepthforAppID directive
+#
+#      Syntax: PubcookieDirDepthforAppID depth
+#      Context: server config, virtual host
+#      Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
+#
+#      Allows you to limit the length of default AppIDs to a specific number
+#      of directories.
+#
+#      The depth is the number of directories that the AppID will be
+#      truncated to. e.g.:
+#
+#   /           0
+#   /blah/      1
+#   /blah/asdf/ 2
+#
+#      This directive has no effect if PubcookieAppID is specified.
+
+#   PubcookieAppSrvID directive
+#
+#      Syntax: PubcookieAppSrvID AppServerID
+#      Context: server config, virtual host
+#      Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
+#
+#      Allows you to specify an AppSrvID string, instead of using the default
+#      based on your ServerName.
+
+#   PubcookieLogin directive
+#
+#      Syntax: PubcookieLogin url-of-login-server
+#      Context: server config, virtual host
+#      Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
+#
+#      The location of the login cgi on the pubcookie login server.
+PubcookieLogin https://pubcookie.example.edu/login_demo/
+
+#   PubcookieLoginMethod directive
+#
+#      Syntax: PubcookieLoginMethod GET | POST
+#      Context: server config, virtual host
+#      Compatibility: Versions of mod_pubcookie 3.2.0 and higher and Apache
+#      1.2 and later.
+#
+#      This directive specifies how authentication requests and responses are
+#      communicated between the module and the login server.
+#
+#      The default method, GET, is Pubcookie's classic cookie-based messaging
+#      method. It communicates the request and response using meta-refresh
+#      redirects and cookies scoped to the enterprise domain (see
+#      PubcookieDomain).
+#
+#      The newer method, POST, is closer to the industry standard SAML
+#      Browser/POST profile. It communicates the request and response using
+#      HTTP POST message bodies and uses, but does not require, Javascript to
+#      facilitate the process. It requires an additional PubcookiePostURL
+#      endpoint to consume the initial response sent by the login server.
+#
+#      All versions of the module prior to 3.2.0 can only use the GET method.
+#      Versions 3.2.0 and higher support either method.
+
+#   PubcookiePostURL directive
+#
+#      Syntax: PubcookiePostURL post-reply-url
+#      Context: server config, virtual host
+#      Compatibility: Versions of mod_pubcookie 3.2.0 and higher and Apache
+#      1.2 and later.
+#
+#      This directive specifies the URL endpoint used to consume
+#      authentication responses sent from the login server when using the
+#      POST PubcookieLoginMethod.
+#
+#      The default location is /PubCookie.reply.
+
+#   PubcookieDomain directive
+#
+#      Syntax: PubcookieDomain domain
+#      Context: server config, virtual host
+#      Compatibility: Versions of mod_pubcookie 3.0.0 and higher and Apache
+#      1.2 and later.
+#
+#      The DNS domain used to scope the cookies that carry the messages in
+#      Pubcookie's classic cookie-based messaging method. It must be at least
+#      a second level domain.
+#
+#      Note: Sites can use the POST-based messaging method to avoid DNS
+#      domain issues entirely. Sites in country code top-level domains (e.g.
+#      example.ca) must do so, since browsers don't allow cookies to be set
+#      to second level domains within country code top-level domains. See
+#      PubcookieLoginMethod.
+PubcookieDomain .example.edu
+
+#   PubcookieGrantingCertfile directive
+#
+#      Syntax: PubcookieGrantingCertfile filename
+#      Context: server config, virtual host
+#      Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
+#
+#      The name of the file containing the login server's certificate used to
+#      verify granting cookies.
+#
+#      The default is /usr/local/pubcookie/pubcookie_granting.cert which is
+#      defined as PBC_G_CERTFILE in pbc_config.h.
+PubcookieGrantingCertfile /var/lib/pubcookie/pubcookie_granting.crt
+
+#   PubcookieSessionKeyfile directive
+#
+#      Syntax: PubcookieSessionKeyfile filename
+#      Context: server config, virtual host
+#      Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
+#
+#      The name of the file containing the private key for session cookies.
+#
+#      The default is /usr/local/pubcookie/pubcookie_session.key which is
+#      defined as PBC_S_KEYFILE in pbc_config.h.
+# we use the same key (and cert) used for HTTPS (see ./ssl.conf):
+PubcookieSessionKeyfile /etc/pki/tls/private/localhost.key
+
+#   PubcookieSessionCertfile directive
+#
+#      Syntax: PubcookieSessionCertfile filename
+#      Context: server config, virtual host
+#      Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
+#
+#      The name of the file containing the certificate for session cookies.
+#
+#      The default is /usr/local/pubcookie/pubcookie_session.cert which is
+#      defined as PBC_S_CERTFILE in pbc_config.h.
+# we use the same cert (and key) used for HTTPS (see ./ssl.conf):
+PubcookieSessionCertfile /etc/pki/tls/certs/localhost.crt
+
+#   PubcookieCryptKeyfile directive
+#
+#      Syntax: PubcookieCryptKeyfile filename
+#      Context: server config, virtual host
+#      Compatibility: All versions of mod_pubcookie and Apache 1.2 and later
+#
+#      The name of the file containing the symmetric encryption key obtained
+#      from your keyserver for encrypting/decrypting private data.
+#
+#      The default is /usr/local/pubcookie/c_key which is defined as
+#      PBC_CRYPT_KEYFILE in pbc_config.h.
+# obtained via 'keyclient', named after our server name
+PubcookieCryptKeyfile /var/lib/pubcookie/ourserver.example.edu
+
+#   PubcookieKeyDir directive
+#
+#      Syntax: PubcookieCryptKeyfile filename
+#      Context: server config, virtual host
+#      Compatibility: All versions of mod_pubcookie and Apache 1.2 and later
+#
+#      The location of shared keys for encrypting/decrypting cookies.
+
+#   PubcookieEndSession directive
+#
+#      Syntax: PubcookieEndSession redirect | clearLogin | on | off
+#      Context: directory, .htaccess
+#      Compatibility: Versions of mod_pubcookie 1.69 and later and Apache 1.3
+#      and later.
+#
+#      This directive is used to end an application session. It should be
+#      placed in a child directory or explicitly have the same PubcookieAppID
+#      as the application it is going to affect. (E.g., if /webapp/ defines
+#      the AuthType directive, then /webapp/logout/ would typically be used
+#      to define PubcookieEndSession.)
+#
+#      With arguments on, redirect, and clearLogin the session cookie is
+#      cleared. Re-requesting the resource will require a trip to the login
+#      server to retrieve a new granting cookie. Note: session cookies of
+#      other applications are not cleared by the PubcookieEndSession
+#      directive, only the session cookie applicable to the scope of the
+#      current application.
+#
+#      After clearing the session cookie, the redirect and clearLogin
+#      arguments redirect the browser back to the login server which
+#      generates a response page. The clearLogin argument also causes the
+#      login server to clear the user's login cookie.
+#
+#      The off argument turns off all PubcookieEndSession functionality.
+
+#   PubcookieEncryption directive
+#
+#      Syntax: PubcookieEncryption AES | DES | AES+DOMAIN
+#      Context: directory, .htaccess
+#      Compatibility: Versions of mod_pubcookie 3.3.0 and higher and Apache
+#      1.2 and later.
+#
+#      This directive defines the encryption algorithm used by the module to
+#      encrypt and decrypt private cookie data, including pre-session and
+#      session cookies as well as the type of encryption it asks for and
+#      expects from the login server for granting cookies and messages.
+#
+#      In version 3.3.0 and higher, AES encryption is the default (unless the
+#      module has been built with the --enable-default-des option). The only
+#      encryption method supported in earlier versions is DES. Therefore, you
+#      must set this directive to use DES encryption to interoperate with
+#      login servers earlier than version 3.3.0.
+#
+#      The AES+DOMAIN setting enables the module's wildcard subdomain
+#      capability.
+
+#   PubcookieSessionCauseReAuth directive
+#
+#      Syntax: PubcookieSessionCauseReAuth on | off | grace-time-in-seconds
+#      Context: directory, .htaccess
+#      Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
+#      mod_pubcookie version 3.1 and above required for grace time.
+#
+#      When set to on, the PubcookieSessionCauseReAuth directive causes the
+#      user to be reauthenticated, thus overriding single sign-on. Users must
+#      re-enter valid credentials to establish an application session.
+#
+#      Use a grace-time-in-seconds to indicate a grace time wherein no
+#      reauthentication is necessary (e.g., 1800 for 30 minutes of grace
+#      time). This feature allows an application to establish an acceptable
+#      balance between convenience and risk.
+
+#   PubcookieAuthTypeNames directive
+#
+#      Syntax: PubcookieAuthTypeNames name1 [name2 ...]
+#      Context: server config, virtual host, directory
+#      Compatibility: Versions of mod_pubcookie 1.77 and higher and Apache
+#      1.3 and later.
+#
+#      This directive names the new authentication types added by
+#      mod_pubcookie to the AuthType directive. For example,
+#      PubcookieAuthTypeNames WebISO allows you to use AuthType WebISO.
+#
+#      The ordered list of the names maps each new authentication type
+#      directly to an intrinsic Pubcookie credential type: name1 is
+#      credential type "1", name2 is credential type "2", and so on. This is
+#      how Pubcookie ties each AuthType to a different "login flavor" handled
+#      by the login server. Of course, most sites have only one login flavor,
+#      the basic flavor, and therefore only need to specify one name. Note:
+#      if necessary, a value of null can be used to define an unused position
+#      in the ordered list of PubcookieAuthTypeNames.
+#
+#      PubcookieAuthTypeNames is required in mod_pubcookie 1.77 and higher.
+#      All users upgrading to mod_pubcookie 1.77 or higher must add this
+#      directive to their server configuration.
+PubcookieAuthTypeNames WebISO
+
+#   PubcookieNoPrompt directive
+#
+#      Syntax: PubcookieNoPrompt on | off
+#      Context: directory, .htaccess
+#      Override: AuthConfig
+#      Compatibility: mod_pubcookie 3.1 and later; it also requires a 3.1 or
+#      later login server
+#
+#      This directive prevents the login server from displaying the login
+#      page, while still allowing single sign-on to the resource if the user
+#      has already logged in.
+#
+#      If the user already has a valid login cookie they will be logged in
+#      normally: i.e., returned to the application and given a standard
+#      session cookie. If, on the other hand, they do not have a valid login
+#      cookie they will be silently returned to the application (i.e., they
+#      won't be prompted to log in) and given a session cookie with a blank
+#      id.
+#
+#      The AUTH_TYPE and REMOTE_USER environment variables will be set only
+#      if the user has a valid login cookie, thus taking advantage of the
+#      no-prompt option and single sign-on. These environment variables will
+#      not be set (just like any other unauthenticated request) if the user
+#      has no valid login cookie.
+#
+#      Notes: Users may find sites behave inconsistently when the no-prompt
+#      option is in use, not realzing that the behavior depends on whether
+#      they've already logged in. Also, because a session cookie with the
+#      blank id is established when the user hasn't already logged in, the
+#      session will remain anonymous for the duration of the session, even if
+#      the user subsequently logs in elsewhere.
+
+#   PubcookieOnDemand directive
+#
+#      Syntax: PubcookieOnDemand key directive1 directive2...
+#      Context: directory, .htaccess
+#      Override: AuthConfig
+#      Compatibility: mod_pubcookie 3.1 and later; it also requires a 3.1 or
+#      later login server
+#
+#      This directive controls the module's on-demand functionality.
+#
+#      Directives used on demand are normally quiescent and have no effect.
+#      Only the presence of the activation cookie, OnDemandKey, with a value
+#      matching the key, activates the associated on-demand directives
+#      (directive1, directive2...) and sets the environment variable
+#      ON_DEMAND_KEY to the active on-demand key. The activation cookie must
+#      accompany each request for resource to be protected on demand.
+#
+#      The following directives can be used on demand (i.e. can be tied to,
+#      and activated by, an on-demand key):
+#        * AuthType
+#        * Require
+#        * PubcookieInactiveExpire
+#        * PubcookieHardExpire
+#        * PubcookieAppID
+#        * PubcookieEndSession
+#        * PubcookieSessionCauseReAuth
+#        * PubcookieAddlRequest
+#        * PubcookieNoPrompt
+#
+#      Activated PubcookieOnDemand directives will overrule any equivalent
+#      directives specified elsewhere.
+#
+#      Notes: The activation cookie, OnDemandKey, and its key value are plain
+#      text. Applications must query the ON_DEMAND_KEY environment variable
+#      to make sure the remote user is authenticated and authorized according
+#      to the desired on-demand key. Therefore, applications must also allow
+#      for, and adjust to, missing or null REMOTE_USER and ON_DEMAND_KEY
+#      environment variables.
+
+#   PubcookieAddlRequest directive
+#
+#      Syntax: PubcookieAddlRequest opt1=val1 [opt2=val2...]
+#      Context: directory, .htaccess
+#      Compatibility: Versions of mod_pubcookie 3.0 and higher and Apache 1.3
+#      and later.
+#
+#      This directive allows the application to give arbitrary requests to
+#      the login server. The directive causes the following options to be
+#      sent to the login server along with authentication requests.
+#
+#      Currently, it is site-defined what options cause what sort of
+#      responses from the login server and how these responses are returned.
+#      Eventually, there will be a standardized mechanism for returning
+#      answers. Likely they will be returned in extensions to the granting
+#      response and set as environment variables.
+
+#   PubcookieNoObscureCookies directive
+#
+#      Syntax: PubcookieNoObscureCookies on | off
+#      Context: server config, virtual host
+#      Compatibility: Versions of mod_pubcookie 3.2.1 and higher and Apache
+#      1.3 and later.
+#
+#      By default, session cookies are obscured by the module before being
+#      exposed to other handlers. To hand session cookies to other handlers
+#      (such as CGI programs) set this directive.
+
+#   PubcookieNoBlank directive
+#
+#      Syntax: PubCookieNoBlank on | off
+#      Context: server config, virtual host
+#      Compatibility: Versions of mod_pubcookie 3.0 and higher and Apache 1.3
+#      and later.
+#
+#      This directive is deprecated in versions 3.2.1 and higher. Use the
+#      PubcookieNoObscureCookies directive instead.
+
+#   PubcookieEgdDevice directive
+#
+#      Syntax: PubcookieEgdDevice location
+#      Context: server config, virtual host
+#      Compatibility: Versions of mod_pubcookie 3.0 and higher and Apache 1.3
+#      and later.
+#
+#      Location of EGD socket (e.g. /dev/egd-pool) if your system lacks
+#      entropy.
+
+# and here is an example on how to configure directories to use PubCookie:
+#<Directory "/var/www/html">
+#    <Limit GET POST>
+#       Require valid-user
+#    </Limit>
+#
+#    AuthType WebISO
+#    PubCookieAppID "DemoPubCookieAuth"
+#    PubCookieInactiveExpire 400
+#    PubCookieHardExpire 3700
+#</Directory>
+
+</IfModule>
+
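Review bot: The example `<Directory>` block near the end wraps `Require valid-user` in `<Limit GET POST>`, which protects only those methods (plus HEAD); OPTIONS, PUT, DELETE or an arbitrary verb reaches the resource unauthenticated, a well-known Apache pitfall that every admin copying this template inherits. Drop the `<Limit>` wrapper and put `#    Require valid-user` directly in the block, or use `<LimitExcept>` if method-specific rules are genuinely wanted. Separately, the Syntax line under the PubcookieKeyDir heading repeats `PubcookieCryptKeyfile filename` and should name PubcookieKeyDir. The two comments saying the mod_ssl key and cert are reused for session cookies are accurate for the paths chosen, but a sentence noting that a compromise of either use then affects both would help an admin decide whether to split them.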
diff --git a/pubcookie-3.3.3-installdir.patch b/pubcookie-3.3.3-installdir.patch
new file mode 100644
index 0000000..a211ad2
--- /dev/null
+++ b/pubcookie-3.3.3-installdir.patch
@@ -0,0 +1,176 @@
+diff -NarU5 pubcookie-3.3.3.orig/Makefile.in pubcookie-3.3.3/Makefile.in
+--- pubcookie-3.3.3.orig/Makefile.in	2007-09-06 19:01:24.000000000 -0400
++++ pubcookie-3.3.3/Makefile.in	2009-03-18 11:10:02.000000000 -0400
+@@ -13,19 +13,21 @@
+ MAKE_APACHE=@MAKE_APACHE@$(MAKE)
+ 
+ CC=@CC@
+ 
+ prefix=@prefix@
++localstatedir=@localstatedir@
++sbindir=@sbindir@
++datadir=@datadir@
+ srcdir=@srcdir@
+ builddir=@builddir@
+ 
+-PUBCOOKIE_DIR=$(prefix)
+-KEY_DIR=$(PUBCOOKIE_DIR)/keys
+-TEMPLATE_DIR=$(PUBCOOKIE_DIR)/login_templates
+-LOGIN_DIR=$(PUBCOOKIE_DIR)/login
+-CERT_DB_DIR=$(PUBCOOKIE_DIR)/keys
+-LOGIN_MEDIA_DIR=$(PUBCOOKIE_DIR)/login/media
++PUBCOOKIE_DIR=$(DESTDIR)/$(prefix)
++SBIN_DIR=$(DESTDIR)/$(sbindir)
++KEY_DIR=$(DESTDIR)/$(localstatedir)/lib/pubcookie
++TEMPLATE_DIR=$(DESTDIR)/$(datadir)/pubcookie/login_templates
++CGI_DIR=$(DESTDIR)/$(datadir)/pubcookie/cgi-bin
+ 
+ CERT_DB_SOURCE=@CERT_DB_PATH@
+ 
+ INSTALL=@INSTALL@
+ INSTALL_BIN=$(INSTALL) -m 755
+@@ -372,83 +374,55 @@
+ 
+ 
+ # Installation Targets
+ 
+ install: $(KEY_DIR) @install_login@ @install_apache@ 
+- at IF_MOD@	$(INSTALL_BIN) keyclient $(PUBCOOKIE_DIR)
++ at IF_MOD@	$(INSTALL_BIN) keyclient $(SBIN_DIR)
+ 
+-install-login: @no_login@ $(LOGIN_DIR) $(TEMPLATE_DIR) $(TEMPLATE_DIR).default $(LOGIN_TEMPLATES) $(LOGIN_MEDIA_DIR) $(TEMPLATE_DIR).default/media $(LOGIN_MEDIA) login_server
++install-login: @no_login@ $(SBIN_DIR) $(TEMPLATE_DIR) $(CGI_DIR) $(LOGIN_TEMPLATES) $(TEMPLATE_DIR)/media login_server
+ 	@for file in $(INDEX_FILES); do \
+-		echo $(INSTALL_BIN) $$file $(LOGIN_DIR); \
+-		$(INSTALL_BIN) $$file $(LOGIN_DIR); \
++		echo $(INSTALL_BIN) $$file $(CGI_DIR); \
++		$(INSTALL_BIN) $$file $(CGI_DIR); \
+ 	done
+ 	@for file in $(LOGIN_TEMPLATES); do \
+-		echo $(INSTALL_OTHER) $$file $(TEMPLATE_DIR).default; \
+-		$(INSTALL_OTHER) $$file $(TEMPLATE_DIR).default; \
+-	done
+-	@for file in $(LOGIN_TEMPLATES); do \
+-		bfile=`basename $$file`; \
+-		$(TEST) ! -f $(TEMPLATE_DIR)/$$bfile && \
+-		 	echo $(INSTALL_OTHER) $$file $(TEMPLATE_DIR) && \
+-			$(INSTALL_OTHER) $$file $(TEMPLATE_DIR); \
+-		true; \
++		echo $(INSTALL_OTHER) $$file $(TEMPLATE_DIR); \
++		$(INSTALL_OTHER) $$file $(TEMPLATE_DIR); \
+ 	done
+ 	@for file in $(LOGIN_MEDIA); do \
+-		echo $(INSTALL_OTHER) $$file $(TEMPLATE_DIR).default/media; \
+-		$(INSTALL_OTHER) $$file $(TEMPLATE_DIR).default/media; \
+-	done
+-	@for file in $(LOGIN_MEDIA); do \
+-		bfile=`basename $$file`; \
+-		$(TEST) ! -f $(LOGIN_MEDIA_DIR)/$$bfile && \
+-			echo $(INSTALL_OTHER) $$file $(LOGIN_MEDIA_DIR) && \
+-			$(INSTALL_OTHER) $$file $(LOGIN_MEDIA_DIR); \
+-		true; \
++		echo $(INSTALL_OTHER) $$file $(TEMPLATE_DIR)/media; \
++		$(INSTALL_OTHER) $$file $(TEMPLATE_DIR)/media; \
+ 	done
+ 	@for file in $(KEYMGT_FILES); do \
+-		echo $(INSTALL_BIN) $$file $(PUBCOOKIE_DIR); \
+-		$(INSTALL_BIN) $$file $(PUBCOOKIE_DIR); \
+-	done
+-	@for file in $(CERT_DB_SOURCE)/cert7.db $(CERT_DB_SOURCE)/key3.db; do \
+-		$(TEST) "x$(CERT_DB_SOURCE)" != "x" && \
+-			echo $(INSTALL_OTHER) $$file $(CERT_DB_DIR) && \
+-			$(INSTALL_OTHER) $$file $(CERT_DB_DIR); \
+-		true; \
++		echo $(INSTALL_BIN) $$file $(SBIN_DIR); \
++		$(INSTALL_BIN) $$file $(SBIN_DIR); \
+ 	done
+-	$(INSTALL_OTHER) doc/starter.key $(PUBCOOKIE_DIR)
+-	$(INSTALL_OTHER) doc/config.login.sample $(PUBCOOKIE_DIR)
+-	@$(TEST) ! -f $(PUBCOOKIE_DIR)/config && \
+-		echo $(INSTALL_OTHER) doc/config.login.sample \
+-			 $(PUBCOOKIE_DIR)/config && \
+-		$(INSTALL_OTHER) doc/config.login.sample $(PUBCOOKIE_DIR)/config; \
+-		true
++	$(INSTALL_OTHER) doc/starter.key $(KEY_DIR)
+ 
+ install-apache: @no_module@
+ 	@echo "Making all in module"
+ 	(cd module; $(MAKE) install)
+ 
+ $(PUBCOOKIE_DIR):
+ 	$(INSTALL_DIR) $(PUBCOOKIE_DIR)
+ 
++$(SBIN_DIR): $(PUBCOOKIE_DIR)
++	$(INSTALL_DIR) $(SBIN_DIR)
++
+ $(KEY_DIR): $(PUBCOOKIE_DIR)
+ 	$(INSTALL_DIR) $(KEY_DIR)
+ 
+-$(LOGIN_DIR): $(PUBCOOKIE_DIR)
+-	$(INSTALL_DIR) $(LOGIN_DIR)
+-
+ #$(LOGIN_IMG_DIR): $(PUBCOOKIE_DIR)
+ #	$(INSTALL_DIR) $(LOGIN_IMG_DIR)
+-$(LOGIN_MEDIA_DIR): $(PUBCOOKIE_DIR)
+-	$(INSTALL_DIR) $(LOGIN_MEDIA_DIR)
++
++$(CGI_DIR): $(PUBCOOKIE_DIR)
++	$(INSTALL_DIR) $(CGI_DIR)
+ 
+ $(TEMPLATE_DIR): $(PUBCOOKIE_DIR)
+ 	$(INSTALL_DIR) $(TEMPLATE_DIR)
+ 
+-$(TEMPLATE_DIR).default: $(PUBCOOKIE_DIR)
+-	$(INSTALL_DIR) $(TEMPLATE_DIR).default
+-
+-$(TEMPLATE_DIR).default/media: $(TEMPLATE_DIR).default
+-	$(INSTALL_DIR) $(TEMPLATE_DIR).default/media
++$(TEMPLATE_DIR)/media: $(TEMPLATE_DIR)
++	$(INSTALL_DIR) $(TEMPLATE_DIR)/media
+ 
+ $(LIB_OBJ): $(LIB_HEAD) $(builddir)/src/pbc_path.h $(srcdir)/src/pbc_version.h.in $(builddir)/src/config.h
+ 
+ # Test Targets
+ 
+diff -NarU5 pubcookie-3.3.3.orig/src/pbc_path.h.in pubcookie-3.3.3/src/pbc_path.h.in
+--- pubcookie-3.3.3.orig/src/pbc_path.h.in	2007-09-06 19:01:24.000000000 -0400
++++ pubcookie-3.3.3/src/pbc_path.h.in	2009-03-18 11:10:48.000000000 -0400
+@@ -31,18 +31,18 @@
+ #define PBC_PATH (libpbc_config_getstring(p, "pbc_path", "@prefix@/"))
+ /* the login server builds it's key Filenames from the hostname     */
+ #if defined (WIN32)
+ #  define PBC_KEY_DIR (AddSystemRoot("\\inetsrv\\pubcookie\\keys"))
+ #else
+-#  define PBC_KEY_DIR (libpbc_config_getstring(p, "keydir", "@prefix@/keys"))
++#  define PBC_KEY_DIR (libpbc_config_getstring(p, "keydir", "@localstatedir@/lib/pubcookie"))
+ #endif
+ 
+ /* where the runtime configuration file lives */
+-#define PBC_CONFIG "@prefix@/config"
++#define PBC_CONFIG "@sysconfdir@/pubcookie/config"
+ 
+ /* Where to find templates */
+-#define TMPL_FNAME (libpbc_config_getstring(p, "template_root", "@prefix@/login_templates"))
++#define TMPL_FNAME (libpbc_config_getstring(p, "template_root", "@datadir@/pubcookie/login_templates"))
+ 
+ /* suffix for seperate config files for components */
+ #define PBC_SUBCONFIG (libpbc_config_getstring(p, "subconfig_suffix", ".conf"))
+ 
+ /* file to get the list of ok browsers from */
+@@ -54,14 +54,14 @@
+ /* getcred authz file */
+ #define GETCRED_AUTHZ (libpbc_config_getstring(p, "getcred_authz_file", "@prefix@/getcred_authz"))
+ 
+ /* The keyclient.  This is probably better defined elsewhere, but I dunno. */
+ 
+-#define KEYCLIENT (libpbc_config_getstring(p, "keyclient", "@prefix@/keyclient"))
++#define KEYCLIENT (libpbc_config_getstring(p, "keyclient", "@sbindir@/keyclient"))
+ 
+ /* The path to the cert db, if this is using the Netscape SDK */
+ 
+-#define CERT_DB_PATH (libpbc_config_getstring(p, "cert_db_path", "@prefix@/keys"))
++#define CERT_DB_PATH (libpbc_config_getstring(p, "cert_db_path", "@localstatedir@/lib/pubcookie"))
+ 
+ #define SHADOW_PATH (libpbc_config_getstring(p, "shadow_path", "/etc/shadow"))
+ 
+ #endif
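Review bot: The pbc_path.h.in hunk relocates the defaults for keydir, PBC_CONFIG, template_root, keyclient and cert_db_path but leaves `PBC_PATH` and `GETCRED_AUTHZ` (the context lines `"@prefix@/"` and `"@prefix@/getcred_authz"`) at the install prefix, so a build that sets prefix to e.g. /usr would look for the getcred authz file under /usr rather than alongside the config now placed in sysconfdir. If those two are meant to move with the rest, the consistent change is `#define GETCRED_AUTHZ (libpbc_config_getstring(p, "getcred_authz_file", "@sysconfdir@/pubcookie/getcred_authz"))` (and similarly for PBC_PATH); if they are intentionally left, a one-line comment in the patch saying so would save the next packager the same question. In the Makefile.in part, `doc/starter.key` is now installed into `$(KEY_DIR)` with `$(INSTALL_OTHER)`, whose mode is not visible in this hunk; since pubcookie_login.conf tells the admin to copy that file to `<this-server>.key`, it is worth confirming the mode is not world-readable so the copied key does not inherit it. The patch also names pubcookie-3.3.3 paths while `sources` lists pubcookie-3.3.4a.tar.gz — presumably applied with -p1 so the directory name does not matter, but the hunk offsets should be checked against the 3.3.4a tree.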
diff --git a/pubcookie_login.conf b/pubcookie_login.conf
new file mode 100644
index 0000000..499d6d6
--- /dev/null
+++ b/pubcookie_login.conf
@@ -0,0 +1,28 @@
+# Below is an example on how to configure an instance of the pubcookie login
+# cgi script. After configuring /etc/pubcookie/config and making sure the
+# keyserver is running (from xinetd), initialize the keyclient:
+#
+# 	cp /var/lib/pubcookie/starter.key /var/lib/pubcookie/<this-server>.key
+# 	keyclient
+#
+# Then, uncomment the 'Alias' and 'Directory' lines and restart httpd.
+# Make sure the private http server key (also referenced from
+# /etc/pubcookie/config) is owned by user 'apache', as the pubcookie.cgi
+# script will NOT be allowed to run as root !
+#
+# To test the pubcookie login server, visit
+#
+#	https://<this-server>/login_demo/
+#
+# You can create multiple instances of login servers by cloning
+# the /usr/share/pubcookie/login_templates directory and adding the
+# corresponding snippets to this config file.
+
+ScriptAlias /pubcookie-cgi/index.cgi /usr/share/pubcookie/cgi-bin/index.cgi
+
+#Alias /login_demo/ /usr/share/pubcookie/login_templates/
+#<Directory /usr/share/pubcookie/login_templates/>
+#    DirectoryIndex /pubcookie-cgi/index.cgi
+#    AddHandler cgi-script .cgi
+#    Options ExecCGI
+#</Directory>
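Review bot: The `ScriptAlias /pubcookie-cgi/index.cgi ...` line is active while everything else in the file is commented out, so the login CGI becomes reachable on every virtual host — including any plain-HTTP one — as soon as the package is installed, before the admin has followed the setup steps described above. Since the file's own comments say the login server is visited over https, it would be safer to either comment the ScriptAlias out alongside the Alias/Directory lines, or wrap it so it only answers on TLS, e.g. `<Location /pubcookie-cgi/>` / `SSLRequireSSL` / `</Location>` (mod_ssl) — whether the default vhost here serves HTTP is not visible in this commit. The commented `<Directory>` block combines `Options ExecCGI` with `AddHandler cgi-script .cgi` on the templates directory that is also exposed via `Alias /login_demo/`; a short comment noting that any .cgi placed in that directory would execute would help whoever clones it for additional instances, as the header suggests.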
diff --git a/sources b/sources
index e69de29..31cc5e1 100644
--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+1a1cdcb5495580313d83567d00929e0e  pubcookie-3.3.4a.tar.gz