
#83 Does username/password authentication work for anyone?

open
nobody
None
5
2005-09-22
2005-09-22
Mikhail T.
No

It seems auth.tcl does not even see much of the Config
array, because it is looking in Config() instead of
config::Config().

Correcting it exposes flat-out errors suggesting the
code has bit-rotted... Whatever I do, I cannot seem to
log in with either Basic or Digest mode.

Only the /debug thing works, but is a pain to memorize...

Does multi-user authentication work for anyone? I'm
using Tcl-8.4.11 (with Trf and Tls, if that matters).

Thanks!

Discussion

  • Asterix

    Asterix - 2005-10-09

    Logged In: YES
    user_id=1358943

    I encountered the same problem and just spent 2 days of
    manual tracing and debugging. I'm not a Tcl-expert and
    certainly not a tclhttpd-expert, but I found working
    solutions for the following problems:

    1. Config-parameters (see indicated problem above)
    Config-parameters specified in the used resource-file (e.g.
    "AuthUserFile" and "AuthGroupFile") are loaded into the
    variable config::Config() while the global variable Config()
    is used for configuring tclhttpd. I don't know if it is
    conceptually wrong but copying config::Config() to the
    global Config() variable seems to work for me.

    > File: ./tclhttpd3.5.1/lib/config.tcl
    > Location: proc config::init {config aname}
    > After:
    array set Config [interp eval $i {array get Config}]
    interp delete $i
    > Add:
    # Copy all loaded config-parameters from the local Config array
    # to the global Config array through the upvar variable TheirConfig
    array set TheirConfig [array get Config]

    2. Group/user authorization
    Users are only authorized when they are specified (in the
    ".htaccess" file) as required user AND are a member of one
    of the specified required groups. Users should be authorized
    when they are EITHER specified as required user OR a member
    of one of the specified required groups.

    > File: ./tclhttpd3.5.1/lib/auth.tcl
    > Location: proc AuthUserOp {sock file op user}
    > Replace:
    if {[info exists info(htaccessp,require,$op,group)]} {
        if {![AuthGroupCheck $sock $file \
                $info(htaccessp,require,$op,group) $user]} {
            return 0 ;# Not in a required group
        }
    }
    if {[info exists info(htaccessp,require,$op,user)]} {
        if {![AuthUserCheck $sock $file \
                $info(htaccessp,require,$op,user) $user]} {
            return 0 ;# Not the required user
        }
    }
    return 1

    > By:
    # User is authorized if EITHER member of a group
    # OR specified individually
    if {[info exists info(htaccessp,require,$op,group)]} {
        if {[AuthGroupCheck $sock $file \
                $info(htaccessp,require,$op,group) $user]} {
            return 1 ;# Member of required group
        }
    }
    if {[info exists info(htaccessp,require,$op,user)]} {
        if {[AuthUserCheck $sock $file \
                $info(htaccessp,require,$op,user) $user]} {
            return 1 ;# Individually required user
        }
    }
    return 0

    Looking forward to your feedback.

     
  • Mikhail T.

    Mikhail T. - 2005-10-09

    Logged In: YES
    user_id=173641

    > array set Config [interp eval $i {array get Config}]

    We are in the same interpreter, just different namespace.
    This should work and be much more efficient:

    namespace import ::config::Config

    > Looking forward to your feedback

    I'm afraid, we are stuck here as the software seems
    abandoned... Unless someone picks it up, there is little
    point in discussions :-(

    Unless you have a ready patch for review :-)

     
  • Vince Thomas

    Vince Thomas - 2005-11-25

    Logged In: YES
    user_id=1388959

    I have followed along the same path. It seems pretty amazing
    that these bugs could have remained for so long.
    I have three comments,
    1 - Yes, the global Config isn't getting updated with values
    from the tclhttpd.rc for any fields that don't have command
    line options. In particular for Auth, AuthUserFile,
    AuthGroupFile.
    As you guys figured out the global Config array isn't
    updated from the config::Config array other than by using
    the values as defaults in the cmdline::getoptions routine. I
    think using the same name for variables in different
    namespaces is a bad idea and leads to just this sort of
    confusion. Even a filename, httpd.tcl, is reused in the bin
    and lib directory!
    Anyway my fix was to add these lines after the Config array
    is set from the cmdline::getoptions (line 195 in 3.5.2, line
    196 in cvs)

    set Config(Auth) [cget Auth]
    set Config(AuthUserFile) [cget AuthUserFile]
    set Config(AuthGroupFile) [cget AuthGroupFile]

    2 - When it does read the Auth correctly it then fails to
    use the password. Line 77 of auth.tcl (in 3.5.1) is

    set val [crypt $password $salt]

    and should be

    set val [crypt $val $salt]

    Of course this doesn't matter when you have set up the
    password file.

    3 - I don't see the problem elnarte sees. My understanding
    is that I should be able to say

    <Limit GET POST>
    require group group1
    require group group2
    require valid-user
    </Limit>

    and then simply add new ids to the passwd and group files.
    This works in 3.5.1
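
The two forms of the final check in AuthUserOp discussed in this thread, as an added example that is not part of any post or of tclhttpd itself: it models the "Replace" logic (every require line that is present must match) and the "By" logic (one match is enough) over constructed users and groups, including a request for which no require line exists. The proc names, the Group array and the sample users are assumptions made for illustration; the code uses only Tcl 8.4 commands.

```tcl
# Constructed sample data, not taken from the page or from tclhttpd.
array set Group {group1 {alice dave} group2 {bob}}
set both {group {group1 group2} user {dave erin}}
set none {}

# Hypothetical helper: 1 if $user belongs to any group named in $names.
proc inAnyGroup {names user} {
    global Group
    foreach g $names {
        if {[info exists Group($g)] && [lsearch -exact $Group($g) $user] >= 0} {
            return 1
        }
    }
    return 0
}

# Shape of the "Replace" code: each require line that exists must match.
proc authorizeAll {require user} {
    array set R $require
    if {[info exists R(group)] && ![inAnyGroup $R(group) $user]} {
        return 0 ;# Not in a required group
    }
    if {[info exists R(user)] && [lsearch -exact $R(user) $user] < 0} {
        return 0 ;# Not the required user
    }
    return 1
}

# Shape of the "By" code: one matching require line is enough.
proc authorizeAny {require user} {
    array set R $require
    if {[info exists R(group)] && [inAnyGroup $R(group) $user]} {
        return 1 ;# Member of required group
    }
    if {[info exists R(user)] && [lsearch -exact $R(user) $user] >= 0} {
        return 1 ;# Individually required user
    }
    return 0
}

# Print both decisions for each user, with and without require lines.
foreach {label require} [list both $both none $none] {
    foreach user {alice dave erin mallory} {
        puts [format "%-5s %-8s all=%d any=%d" $label $user \
            [authorizeAll $require $user] [authorizeAny $require $user]]
    }
}
```

The `none` rows show a second difference between the two posted versions besides AND versus OR: when neither require entry exists, the first falls through to `return 1` and the second to `return 0`.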

     
