[pubcookie-dev] Trust basic auth
Stephen C. Losen
scl at sasha.acc.Virginia.EDU
Tue Apr 25 12:23:43 PDT 2006
> Hello, all:
>
> Here's a quick question. We are trying to achieve SPNEGO support with
> pubcookie, and while I suspect that this has not been implemented
> anywhere, I am wondering if I could accomplish something like this:
>
> 1. user accesses the server with SPNEGO support on
> 2. mod_kerberos verifies the credentials and sets basic auth bits
> 3. pubcookie index.cgi sees the credentials set by apache and issues a
> cookie without invoking authentication modules. More or less a "blindly
> accept basic auth if it exists and move on" more of operation.
>
> Anyone have any ideas? It seems like this would be rather easy to
> implement, or am I missing something fundamental?
>
You would probably want to write a new authentication "flavor"
or modify "flavor_basic". The pubcookie flavor_basic assumes that
it must put up a login page to get the user name and password, and
verify these with a plug in verifier. You cannot do what you want
at the verifier level because the verifier does not control the
display of the login page.
You can hack flavor_basic.c and have it check for the kerberos credentials
first and if they exist, then return "success". Otherwise behave just
like flavor_basic.
Steve Losen scl at virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support
More information about the pubcookie-dev
mailing list