Free auth software for linux

Auth-X provides the Web-based authentication component for the R-BOSS system.

Auth-X is the web based authentication component for all R-BOSS applications (Actual-X, News-X, Track-x, etc). Access to all R-Boss applications initiates after and an Auth-X session. Though Auth-X is not directly access by users, it plays a fundamental role in tying the various R-BOSS applications together.

The User module/library is used by R-BOSS applications to authenticate users against a central user database. The User module also authorizes the level of permissions a user has and what task the user is allowed to perform. In addition to the User module/library, Auth-X is comprised of web based CGI pages. These CGI pages all allow new users to add themselves, pending administrator approval. Administrators then approve new users and authorize allowed program access.

Each of the R-Boss programs has different types of permissions, and the proper use of the Auth-X system can ensure that each user has sufficient rights to do what he or she needs to do-but nothing more. Auth-X enables users to change their own passwords and apply for permissions on the various R-BOSS programs. Auth-X administrators (generally within the language service) are notified via e-mail and are then able to authorize - or deny - the privileges without the intervention of technical support staff.

Auth-X Administrators are entrusted as the gatekeeper to important services and data. Administrators set the level of privileges the users has to perform task within the R-BOSS programs.

smtpauth is a authenticating proxy for servers without SMTP AUTH.

Use smtpauth and stunnel programs to add SMTP AUTH (PLAIN, LOGIN) support to any SMTP server. Clients can authenticate over SSL port 465 or cleartext port 587, and authentication is fully logged via syslog.

Works with JBMail, Pegasus Mail, Mozilla Thunderbird, MS Outlook...

This software is really an interim solution until our favourite MTA(s) support SSL/TLS and SMTP AUTH directly. For now I prefer using external programs to provide this functionality rather than patching MTA source. I designed this software to work with my Postfix server, but smtpauth also works with sendmail and just about any other SMTP server.

Installation:

1. Compile and install binary.

make
Copy smtpauth to /usr/sbin, owned by root, mode 755

2. Create special user smtpauth with its own group, no login allowed.

Note that smtpauth will immediately exit with an error if invoked as root.
It must be run from a low privilege account, for security.

3. [For SSL, port 465] Configure stunnel.conf. Change domain for your site.

setuid = smtpauth
setgid = smtpauth
debug = auth.notice
client = no

[smtps]
accept = 465
exec = /usr/sbin/smtpauth
execargs = smtpauth domain 127.0.0.1

4. Configure /etc/smtpauth.conf

This file should only be readable by the smtpauth user, since it stores plain
passwords. It consists of single lines containing usernames and passwords with
whitespace separating. Blank lines and comment lines starting # are ignored.

user1 pass1
user2 pass2

5. [For SSL, port 465] Start up stunnel

This will create a server running as smtpauth on port smtps/465. When SMTP clients
connect (SSL/TLS) the smtpauth program is launched and provides authentication
service through to 127.0.0.1:25, as a proxy. Your actual SMTP server will accept
mail because that connection is local. The mail headers will include X-SMTP-AUTH
indicating the username. Success and failures will be logged via syslog.

6. [For cleartext, port 587] Configure cleartext submission service in inetd

Since inetd (when started with -W) also supports wrapping, the smtpauth proxy
can be run straight out of here too. Note that this is somewhat risky, because
there will be no SSL/TLS encryption on the submission port (587).

Again, change domain for your site (e.g. mail.yoursite.tld)

submission stream tcp nowait smtpauth /usr/sbin/smtpauth smtpauth domain 127.0.0.1

pam_usbauth is a module for PAM allowing end-users to locally authenticate via USB storage devices. USBAuth currently supports user-dependent authentication via password-hashing as well as one-time-password mechanisms, which make the verification process via USB-dongles much more secure. In addition, USBAuth comes with USB device serial checking support, so attackers wont be able to grab and copy your device easily (if this is the case, the device will be rejected).

Install instructions for Debian

1.Download the Debian package.
2.Install as root, by typing dpkg -i usbauth_0.2-1_i386.deb.
3.Use the program uapasswd for activating USBAuth. You may have a look at the manpage of uapasswd(1) for detailed instructions, but the following command will configure USBAuth for user root. The USB device is located at /dev/sda1:

uapasswd -u root -p mypassword -d /dev/sda1 -d /dev/sdb1 -w -o if you wish to use USB device ID binding, get the serial number of your USB storage device out of /proc/bus/usb/devices, and call:

uapasswd -u root -p mypassword -d /dev/sda1 -d /dev/sdb1 -w -o -s serial -c

4.Follow step 5, below .. (configuration of PAM to use pam_usbauth.so in /etc/pam.d/)

How shall I use it?

1. Download the source

2. Compile and install (both done via "make") as root (you need to have PAM development files and libraries, as well as OpenSSL installed)

3. Get a USB storage device. You can use every writeable USB-stick device, but Id recommend to make an extra partition, 1024k is more than enough. Be sure you know which device/partition this is (e.g. /dev/sda1). The selected partition doesnt need to be formated, the data will be in written RAW format onto the device - this means, you also dont have to mount it. Not now, and not when actually using pam_usbauth for authentication. Be aware, that you can still use all other partitions on the device for storage!

4. To generate the config file, call at least "./uapasswd -u username -p cleartextpassword -d /dev/sda1 -w". uapasswd must be called as root, because it needs to have write permissions either on the USB device, and on the config file in /etc. Check the manual page for more options, there are severl nice features available.

WARNING: The device which is given first, will be used for writing! Dont choose a device where real data is stored, like harddisks!

(4b. Alternatively, you can manually edit /etc/usbauth.conf; for syntax see this file)

5. Set up the applications you want to use with the module, changing the files for the programs youd like to use with usbauth in /etc/pam.d/. Normally, such files define something like:

auth sufficient pam_unix.so, or
auth -auth

Just comment this line, and write:

auth sufficient pam_usbauth.so

Id strongly recomment to accept a Unix-fallback, so you can still get access with your normal password:

auth sufficient pam_usbauth.so
auth sufficient pam_unix.so
auth required pam_deny.so

Please note that, as long as pam_usbauth is in alpha state, it may be more secure to use:

auth sufficient pam_unix.so
auth sufficient pam_usbauth.so
auth required pam_deny.so

Then, pam_unix (the standard passwort authentication) will be used at first. If you want to get authenticated via USB, just type a blank password and PAM will try the next module in queue. This makes sense, because if you are in the very unlikely situation to download an unstable source from SVN and pam_usbauth.so is corrupt, PAM may not switch to the next module (pam_unix) and youd be not able to use the application anymore if you havnt direct root access to /etc when doing this. However, this case has never been reported and should be very, very unlikely to happen.

(5b.) If you have used the -w switch, uapasswd has hopefully already written the data to your USB device. If not, save your key (or the hash value of your key; whatever is defined in /etc/usbauth.conf) in a plain text file with carriage-return/line-feet at the end, with the format "USBAUTH passwordhash", and call dd if=yourfile of=yourdevice. This will not work when uapasswd has been called with -o, using one time passwords.

pam_usbauth now comes with a daemon called usbauthd by SVN Rev20. USBAuthd recognizes if USB devices, which have a predefined serial at /etc/usbauth.conf, are plugged in or plugged out. In the config file, you may specify the following two options:

action plugin any_shell_command...
action plugout any_shell_command...

You may specify up to 10 commands for each, plugging in and plugging out events. This may be useful to automatically lock the screen if the USB device is plugged out, for example. However, any command can be binded to those events.

A sample configuration file including the new options, may be found here. Note: usbauthd is alpha, I didnt have the time yet to really test it out (but it cant harm your system, just relax).

Note: If you have something like action plugout xscreensaver-command -lock in your config file and it doesnt work, keep sure that the user who calls usbauthd has the permission to open up connections to X, otherwise the command will fail (but you wont get an error message).

mod-auth-pipe is a module of authentication written for Apache 1 (it hasnt been tested with Apache 2, but it may work).

Actually, this module is just mod-auth-shadow with a few modifications in order to accept any program as a pipe, letting this one validate both users andr groups.

mod_auth_pipe contents the module itself and an example pipe.

mod-auth-pipe can be configured independantly for whole server, for any VirtualHost or just per Location/Directory. It has very few configuration variables and its format is very simple. In order to configure apache to authenticate, for example, access to the administrative interface of oscommerce you can type this on your httpd.conf:

< Directory /var/www/oscommerce/catalog/admin >
AuthType Basic
AuthName osCommerce admin site
AuthPipe on
AuthPipeProgram /usr/local/bin/auth-pipe
require group oscommerce-admins
< /Location >

This way, and with a well-made auth-pipe program you can be sure that only those within the group oscommerce-admins could enter that section of your web.

Yahoo::BBAuth is a Perl interface to the Yahoo! Browser-Based Authentication.

SYNOPSIS

my $bbauth = Yahoo::BBAuth->new(
appid => $appid,
secret => $secret,
);
# Create an authentication link
printf, $bbauth->auth_url;
# After the user authenticates successfully, Yahoo returns the user to the page you
# dictated when you signed up. To verify whether authentication succeeded, you need to
# validate the signature:
if ($bbauth->validate_sig()) {
print Authentication Successful;
} else {
print Authentication Failed. Error is: .$bbauth->sig_validation_error;
}
my $url = http://photos.yahooapis.com/V1.0/listAlbums;
my $xml = $bbauth->auth_ws_get_call($url);
unless ($xml) {
print WS call setup Failed. Error is: . $bbauth->access_credentials_error;
} else {
print Look at response for other errors or success: .$xml;
}

This module priovides you an Object Oriented interface for Yahoo! Browser-Based Authentication.

This module is ported from official PHP class library(http://developer.yahoo.com/auth/quickstart/bbauth_quickstart.zip).

mod_auth_pamacea is an Apache 2 module that performs PAM based authentication using a customizable login form.

Specifically, Basic Auth is not used because there is no feasible logout mechanism from a Basic Auth session, short of closing the browser. Limited authorization support is also provided.

There is no Apache 1 version of this module.

mod_auth_pamacea was written to replace a much older, home grown Apache 1 module that nobody understood anymore. While mod_auth_pamacea is also homegrown, it attempts to use whatever standards it can to increase the likelihood that others will find it useful, or at least minimally to ensure that somebody will be able to understand it in the future.

mod_auth_cookie_mysql2 is a rewrite of the mod_auth_cookie_mysql module for apache 1.3. Some features were added, some were forgotten.
The module is available for apache 1.3 (mod_auth_cookie_mysql1) and apache 2 (mod_auth_cookie_mysql2). It is tested with mysql 3.x/4.x and and 5.0.x.
The current version of of this module is version 0.7.
If you want to receive a message when a new version is released, please leave your e-mail address in the announcements field at the left top of this site. This will register you to a moderated mailing list. Your e-mail address, will be kept private, it isnt visible to other users and it will not be distributed.
Basic auth is a standard authentication method in the internet. Two big disadvantages are, that on every request the username and password are transmitted to the webserver and there is no possibility to log out without closing the webbrowser.
With this module you can authorize your users with cookies. An external script sets the cookie and this module checks it against a MySQL database. The username/password combination is only one time transferred to the webserver when the external authenticator script (which sets the cookie) checks the user data. The generated cookie consists only of random session data.
So you can, for example, authenticate the user and set the cookie in a ssl connection and then use the cookie in a non-ssl environment and nobody can spy the username/password. Since the cookie is only random session data nobody can "hack" the system by manipulating the cookie values. Additionally you can add checks for session expiry and the correct remote ip on the server side.
Main features:
- Fake Basic Auth with cookies
- Cookie only consists of random session data, no username or password
- Can check expiry information stored in database against cookie
- Can check if the remote IP is equal to the IP stored in database
Enhancements:
- bug fix: return-code of function check_valid_cookies not initialized - thanks to Valerii Valeev

CGI::Builder::Auth::GroupAdmin is a Perl module for the management of HTTP server group databases.

SYNOPSIS

use CGI::Builder::Auth::GroupAdmin ();

Pay no attention to that man behind the curtain! Move along, nothing to see here!

This module was originally part of the HTTPD-User-Manage collection, which is available on CPAN. If you want to use it, go download that package. This module is used as part of the internal implementation of CGI::Builder::Auth.

The original documentation is preserved here in this release for historical purposes. The software has been hacked and this documentation is not guaranteed to be correct. The module may disappear from the CGI::Builder::Auth distribution in a future release.

Do not use it directly or rely on it.
This software is meant to provide a generic interface that hides the inconsistencies across HTTP server implementations of user and group databases.