Sandbox Distribution Overview
What is it?
AuthFTP is a FastCGI server program the uses a standard FTP server as an
authenticator service. To make this a more practical solution, the user ID
and password need to be cached, because going back to the FTP server for
each request would be impractical for high volume work.
AuthFTP is designed to be used in conjunction with any web server that
supports FastCGI, but only has been tested with an authentication-enhanced
version of Open Market's mod_fastcgi for Apache.
This code was developed in support of the June 1997 Dr. Dobb's Journal
article called 'Web Extensions and FastCGI'.
Where do I get it?
Here is the source code
for Dr. Dobbs Article called 'Web Extensions and FastCGI'. Warning: its about a 2MB file.
Why FastCGI?
One very powerful use for the persistent nature of FastCGI is to implement
a session abstraction for HTTP servers. Because HTTP requests are stateless,
continuity between requests has to be handled outside of a standard web
server. FastCGI provides an excellent vehicle for this task. The use of
existing authentication modules for Apache for such a task would require
reauthenticating the user for each HTTP request--an unscalable implementation.
The problem affords the creation of a user session that maintains a
"logged-on" state of the user between each HTTP request.
FTP provides a simple and universally available authentication service. UNIX,
mainframes, PCs, and minicomputers all implement FTP and give it access
to the system's user database tables. If a user already has a logon to
an existing system, AuthFTP enables it to be reused.
The ability for a web server to authenticate users using a shared security
server has appeal for many businesses. Single signon to many web server
resources has long been a dream (and likely will continue to be).
The FastCGI specification allows for an authenticator/authorizer, but
the FastCGI module for Apache does not implement it. For this reason, I
enhanced this module to include this function. Two versions of the module
are included: one that uses mod_fastcgi V1.3.3 as its base for use with
Apache 1.1.3 and a second that uses mod_fastcgi V1.4.3 for use with Apache
1.2b8 or later. The second version offers the ability to have the
FastCGI server located on a remote server.
How is it packaged?
The file 'dobbsfcgi.tar.gz' contains the source tree for building AuthFTP and
supporting code.
I am currently running Slackware 3, with the Linux 2.0.0 kernel. The intention
of this distribution is to give you all the pieces needed to play with
FastCGI and AuthFTP. A head start in creating the server configuration files
and the minor modifications to libftp to get it compile on Linux are also
provided. The FastCGI module for Apache had to be modified to include the
Authorizer role.
There are two versions of the AuthFTP supporting code:
- Apache 1.2b8, mod_fastcgi-1.4.3.1.c in combination, and
- Apache 1.1.3, mod_fastcgi-1.3.3.2.c
The AuthFTP source code by itself can be found here
The first version is capable of using FastCGI servers on remote systems,
where as the second can only use servers on the system local to the
Apache server.
This code was developed initially on both IBM's AIX and later on Linux, so portability
back to AIX now should require little effort:-)
The original versions of all this support code are available at:
How do I build it?
The 'authftp' directory contains all the pieces needed to build the AuthFTP
fastcgi server: the FastCGI development kit V1.5, Oleg Orel's libftp V5.8,
the tclHash source, and the AuthFTP source. Minor modifications were made and
documented in the code to libftp. The OK macro and varargs.h caused
problems, so they were moved out of FtpLibrary.h. FtpLibrary.h is the
only include file required to use libftp.
The Apache directories contain sample configuration files that work with
the directory structure on my system. I tried to keep the paths relative
wherever it was easy to do that, but you will have to make modifications
to suit your environment. The original top directory structure was
/share/ddj/dist. This distribution is a relative tar from that directory.
The apache-fastcgi directory contains the source for the original and
modified versions of mod_fastcgi.c. Additionally, the instructions for
using the new configuration options is included in mod_fastcgi.html
The mod_fastcgi-1.3.3.2.c contains some additional code I have added to
test whether a logger role would be useful. Currently FastCGI only defines
threee roles: Filter, Responder and Authorizer. It required some minor
changes to the FastCGI development kit to work though.
Once you get your environment set, the AuthFTP application will function
both as Authorizer and Responder. The Responder part will be accessible
with 'http://yourserver:yourport/fcgi-bin/authftp'.
The purpose of this application is to demonstrate the functions described
in the June 1997 issue of Dr. Dobb's Journal. The idea for the server
came from my customers who need such a system.
To build AuthFTP on Linux (all paths are relative to the
root of the distribution):
- Build your server of choice or both
- move to the 'apache_1.xxxx/src' directory in that servers directory
- execute 'make'
- customize the configuration files in 'apache_1.xxxx/conf'
- customize the startup scripts 'debug-server' and 'start-server' in
'apache_1.xxxx/conf'
- Build AuthFTP
- move to 'authftp/fcgi-devel-kit-1.5'
- execute 'make'. My compiler gcc 2.7.2 complains about non-ANSI code.
this will build 'libfcgi.a' and some example code
- copy 'authftp/fcgi-devel-kit-1.5/examples/tiny-authorizer' and
'authftp/fcgi-devel-kit-1.5/examples/echo' to the
'apache_1.xxxx/fcgi-bin' directory.
- move to 'authftp/libftp'
- execute 'make'
this will build 'libftp.a'
- move to 'authftp'
- execute 'make'
- copy 'authftp/authftp' to 'apache_1.xxxx/fcgi-bin' directory
- Execute the server
- use the 'debug-server' or 'start-server' scripts
- trying to access 'http://yourserver:yourport/manual' will invoke
the AuthFTP server.
- you might want to 'tail -f' the 'error_log' file associated
with the server to watch AuthFTP do its stuff.
- although there are some performance quirks, running the server in
debug mode enables the use of Control-C to kill the server and
all its child processes, include fastcgi servers>
How do I use this thing?
Some brief instructions for configuring the mod_fastcgi Apache module are
available, if you want to customize further the way the Authorizer function
is invoked in your implementation. This is the 1.3.3 documentation modified
with my authentication additions.
The AuthFTP server can be customized by using the '-initial-env' option of the
AppClass directive. The example configuration files use the FTP_HOST
variable to set the location of the FTP server used to authenticate
users. FTP_HOST defaults to 'localhost'. Three other variables are also
available for customization:
- INACTIVITY_TIMEOUT is the allowable time of inactivity before an
additional logon is required. If a person closes down their browser,
the session will stay alive for INACTIVITY_TIMEOUT seconds.
- SESSION_LIFETIME is the longest time a session will be allowed to exist
before needing to be refreshed with a new logon. If a password on
the FTP server changed, the old one will be good for only
SESSION_LIFETIME seconds.
- REAPER_FREQ is the number of requests that occur before the session
reaper is called to clean up expired sessions. REAPER_FREQ of 10
(the default) means call the reaper every 10 reqests.
To view the state of the AuthFTP server, request
'http://yourserver:yourport/fcgi-bin/authftp'. A simple interface is
provided to control the server's debug parameter, to show the state
of the internal database of sessions, and the state of the
customizable variables. The debug parameter toggles the sending of
verbose debugging/trace output to the Apache server 'error_log' file.
Clearly this interface in its current configuration is a security hole.
It is included as an example of how to 1) use a FastCGI script in both
Responder and Authenticator role, 2) show an example of how debugging
can be done with FastCGI scripts, and 3) a way to dynamically change
the configuration of a FastCGI server without restarting Apache.
Can I use AuthFTP with other CGI or FastCGI scripts?
The FastCGI specification supports communication between AuthFTP and
other CGI or FastCGI scripts that might also be called to process
this same request. This is done using specially named environment
variables -- names that begin with 'Variable-'. These name/value pairs
become part of the Apache subprocess request environment, and each CGI
spawned or FastCGI program running will receive the newly appended
environment. This may be useful for AuthFTP to communicate, for example,
the state of a users account or authorization privileges to other
parts of the request process. AuthFTP sets two environment variables
that get sent back to the Apache server.
Futures:
- database server logon, another use for the session abstraction
- exposing other parts of Apache to the FastCGI mechanism (e.g logger)
- authorization mechanism
- session affinity
$cott Dybiec
May 1997
sdybiec@vnet.ibm.com