Sandbox Distribution Overview

What is it?

AuthFTP is a FastCGI server program the uses a standard FTP server as an authenticator service. To make this a more practical solution, the user ID and password need to be cached, because going back to the FTP server for each request would be impractical for high volume work.

AuthFTP is designed to be used in conjunction with any web server that supports FastCGI, but only has been tested with an authentication-enhanced version of Open Market's mod_fastcgi for Apache.

This code was developed in support of the June 1997 Dr. Dobb's Journal article called 'Web Extensions and FastCGI'.

Where do I get it?

Here is the source code for Dr. Dobbs Article called 'Web Extensions and FastCGI'. Warning: its about a 2MB file.

Why FastCGI?

One very powerful use for the persistent nature of FastCGI is to implement a session abstraction for HTTP servers. Because HTTP requests are stateless, continuity between requests has to be handled outside of a standard web server. FastCGI provides an excellent vehicle for this task. The use of existing authentication modules for Apache for such a task would require reauthenticating the user for each HTTP request--an unscalable implementation. The problem affords the creation of a user session that maintains a "logged-on" state of the user between each HTTP request.

FTP provides a simple and universally available authentication service. UNIX, mainframes, PCs, and minicomputers all implement FTP and give it access to the system's user database tables. If a user already has a logon to an existing system, AuthFTP enables it to be reused.

The ability for a web server to authenticate users using a shared security server has appeal for many businesses. Single signon to many web server resources has long been a dream (and likely will continue to be).

The FastCGI specification allows for an authenticator/authorizer, but the FastCGI module for Apache does not implement it. For this reason, I enhanced this module to include this function. Two versions of the module are included: one that uses mod_fastcgi V1.3.3 as its base for use with Apache 1.1.3 and a second that uses mod_fastcgi V1.4.3 for use with Apache 1.2b8 or later. The second version offers the ability to have the FastCGI server located on a remote server.

How is it packaged?

The file 'dobbsfcgi.tar.gz' contains the source tree for building AuthFTP and supporting code. I am currently running Slackware 3, with the Linux 2.0.0 kernel. The intention of this distribution is to give you all the pieces needed to play with FastCGI and AuthFTP. A head start in creating the server configuration files and the minor modifications to libftp to get it compile on Linux are also provided. The FastCGI module for Apache had to be modified to include the Authorizer role.

There are two versions of the AuthFTP supporting code:

  1. Apache 1.2b8, mod_fastcgi-1.4.3.1.c in combination, and
  2. Apache 1.1.3, mod_fastcgi-1.3.3.2.c

The AuthFTP source code by itself can be found here

The first version is capable of using FastCGI servers on remote systems, where as the second can only use servers on the system local to the Apache server.

This code was developed initially on both IBM's AIX and later on Linux, so portability back to AIX now should require little effort:-)

The original versions of all this support code are available at:

How do I build it?

The 'authftp' directory contains all the pieces needed to build the AuthFTP fastcgi server: the FastCGI development kit V1.5, Oleg Orel's libftp V5.8, the tclHash source, and the AuthFTP source. Minor modifications were made and documented in the code to libftp. The OK macro and varargs.h caused problems, so they were moved out of FtpLibrary.h. FtpLibrary.h is the only include file required to use libftp.

The Apache directories contain sample configuration files that work with the directory structure on my system. I tried to keep the paths relative wherever it was easy to do that, but you will have to make modifications to suit your environment. The original top directory structure was /share/ddj/dist. This distribution is a relative tar from that directory.

The apache-fastcgi directory contains the source for the original and modified versions of mod_fastcgi.c. Additionally, the instructions for using the new configuration options is included in mod_fastcgi.html

The mod_fastcgi-1.3.3.2.c contains some additional code I have added to test whether a logger role would be useful. Currently FastCGI only defines threee roles: Filter, Responder and Authorizer. It required some minor changes to the FastCGI development kit to work though.

Once you get your environment set, the AuthFTP application will function both as Authorizer and Responder. The Responder part will be accessible with 'http://yourserver:yourport/fcgi-bin/authftp'.

The purpose of this application is to demonstrate the functions described in the June 1997 issue of Dr. Dobb's Journal. The idea for the server came from my customers who need such a system.

To build AuthFTP on Linux (all paths are relative to the root of the distribution):

  1. Build your server of choice or both
  2. Build AuthFTP
  3. Execute the server

How do I use this thing?

Some brief instructions for configuring the mod_fastcgi Apache module are available, if you want to customize further the way the Authorizer function is invoked in your implementation. This is the 1.3.3 documentation modified with my authentication additions.

The AuthFTP server can be customized by using the '-initial-env' option of the AppClass directive. The example configuration files use the FTP_HOST variable to set the location of the FTP server used to authenticate users. FTP_HOST defaults to 'localhost'. Three other variables are also available for customization:

  1. INACTIVITY_TIMEOUT is the allowable time of inactivity before an additional logon is required. If a person closes down their browser, the session will stay alive for INACTIVITY_TIMEOUT seconds.
  2. SESSION_LIFETIME is the longest time a session will be allowed to exist before needing to be refreshed with a new logon. If a password on the FTP server changed, the old one will be good for only SESSION_LIFETIME seconds.
  3. REAPER_FREQ is the number of requests that occur before the session reaper is called to clean up expired sessions. REAPER_FREQ of 10 (the default) means call the reaper every 10 reqests.

To view the state of the AuthFTP server, request 'http://yourserver:yourport/fcgi-bin/authftp'. A simple interface is provided to control the server's debug parameter, to show the state of the internal database of sessions, and the state of the customizable variables. The debug parameter toggles the sending of verbose debugging/trace output to the Apache server 'error_log' file. Clearly this interface in its current configuration is a security hole. It is included as an example of how to 1) use a FastCGI script in both Responder and Authenticator role, 2) show an example of how debugging can be done with FastCGI scripts, and 3) a way to dynamically change the configuration of a FastCGI server without restarting Apache.

Can I use AuthFTP with other CGI or FastCGI scripts?

The FastCGI specification supports communication between AuthFTP and other CGI or FastCGI scripts that might also be called to process this same request. This is done using specially named environment variables -- names that begin with 'Variable-'. These name/value pairs become part of the Apache subprocess request environment, and each CGI spawned or FastCGI program running will receive the newly appended environment. This may be useful for AuthFTP to communicate, for example, the state of a users account or authorization privileges to other parts of the request process. AuthFTP sets two environment variables that get sent back to the Apache server.

Futures:

$cott Dybiec
May 1997
sdybiec@vnet.ibm.com