I would like to authenticate the users of my web2py application with AFS. Unfortunately, it seems like the pam.py module doesn't support AFS, only local users. Is it possible to do that with pam, or should I use something else?


Solution

Using PAM is probably what you want to do, since web2py doesn't have any built-in support for AFS or krb5. In order to authenticate non-local users, you would need to specify a different PAM service to authenticate to, and modify the local PAM configuration to make that service authenticate to AFS.

It looks like the pam_auth.py module doesn't support using PAM services besides the default "login", but it looks simple to make it do so, or create your own. You just need to do something like this:

from gluon.contrib.pam import authenticate

def mypam_auth():
    # web2py login method: a callable taking (username, password) that
    # returns True when the PAM service "myservice" accepts the credentials.
    def pam_auth_aux(username, password):
        return authenticate(username, password, "myservice")
    return pam_auth_aux

# 'auth' is the web2py Auth object defined in the application's model.
auth.settings.login_methods.append(mypam_auth())

Where "myservice" is just a service name you choose. Then you need to modify the local PAM configuration to make "myservice" authenticate to AFS. On Linux, this usually means creating a file /etc/pam.d/myservice, and filling it with PAM configuration to authenticate to AFS.

Most AFS cells these days use Kerberos 5 for authentication, so this just means you need to authenticate to Kerberos 5, and don't need to bother any AFS stuff (unless you want to verify that the user has a valid AFS account; but that's more of a question of authorization than authentication). There are a few guides and examples for setting up PAM with krb5 logins, such as: http://techpubs.spinlocksolutions.com/dklar/kerberos.html#PAM_configuration

You can just try to follow one of those guides, but you probably only need the 'auth' section, since you don't need to worry about sessions and tickets and all of that. You may only need something like this in /etc/pam.d/myservice:

auth required pam_krb5.so no_ccache use_first_pass
auth required pam_deny.so

If by "AFS authentication" you mean the old kaserver krb4-based authentication instead of krb5 (that is, you use 'klog' to authenticate to AFS, instead of 'kinit' and 'aklog' or 'klog.krb5'), you would instead need to use the pam_afs.so PAM module. Something like this might work:

auth required pam_afs.so use_first_pass
auth required pam_deny.so

If you don't have control over the local PAM configuration on the local machine, you can instead try to authenticate users by spawning a 'kinit' (krb5) or 'klog' (old kaserver) command, and giving the command a password on its standard input. That's not very elegant, but it should work.
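The "spawn kinit and feed it the password" fallback, written out as an added example; this is not code from the answer or from web2py. It assumes MIT Kerberos 'kinit' is on PATH and reads the password from stdin when stdin is not a tty, uses a hypothetical 'run' hook (defaulting to subprocess.run) for testing, and gives each attempt a throw-away credential cache so no ticket is left in the shared cache of the web2py process user. Note that a bare kinit only proves the password decrypts a TGT from whichever KDC answered; pam_krb5 with a host keytab can additionally verify the KDC, so prefer the PAM route where the configuration is under your control.

```python
import os
import subprocess
import tempfile

# Added example, not web2py's own code. Assumes MIT Kerberos 'kinit' is on
# PATH and reads the password from standard input when stdin is not a tty.
# 'run' is a test hook defaulting to subprocess.run.

def kinit_check(username, password, realm=None, kinit_cmd="kinit",
                timeout=10, run=None):
    """Return True only if kinit obtains a TGT with this password.

    Each attempt uses its own throw-away credential cache, so tickets
    never land in the shared cache of the user running web2py and are
    removed again whether or not the check succeeds.
    """
    # Reject empty or whitespace-containing names before touching Kerberos;
    # the principal is passed as a single argv element, never via a shell.
    if not username or not password or any(c.isspace() for c in username):
        return False
    principal = username if realm is None else "%s@%s" % (username, realm)
    run = run or subprocess.run
    fd, cc_path = tempfile.mkstemp(prefix="web2py_krb5cc_")
    os.close(fd)
    env = dict(os.environ, KRB5CCNAME="FILE:" + cc_path)
    try:
        result = run([kinit_cmd, principal],
                     input=(password + "\n").encode(),
                     env=env, timeout=timeout,
                     stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        return result.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        # kinit missing or not executable, or a KDC that never answered
        return False
    finally:
        try:
            os.unlink(cc_path)  # discard the ticket: this is only a password check
        except OSError:
            pass


def kinit_login_method(realm=None):
    """web2py-style login method for auth.settings.login_methods.

    Usage in a model (realm is a placeholder):
        auth.settings.login_methods.append(kinit_login_method("EXAMPLE.ORG"))
    """
    def check(username, password):
        return kinit_check(username, password, realm=realm)
    return check
```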

Other tips

Since web2py is web-based, and since AFS uses Kerberos, you'll certainly need to pass a Kerberos ticket between the user and the web2py layer, so as to let web2py obtain an AFS token in the name of the user.

You can authenticate a browser to a web server using Kerberos with SPNEGO. The browser needs to be configured to allow delegation (as described in this example with a Java SPNEGO filter).

If you manage to get a delegated Kerberos ticket once in your web2py application, you should be able to use aklog to get the AFS token.

I'm not very familiar with web2py, but a quick look at the documentation doesn't show much indication of support for SPNEGO: you may have to implement it yourself. (If you can find an existing GSS library that supports it, it should "only" be a matter of passing the SPNEGO tokens back and forth between the browser and this library, provided it's configured properly. This may be a bit off-topic in Python, but this Java/JGSS tutorial could give you an indication of what's required, if you find a Python equivalent to JGSS.)

Beware not to share your AFS tokens for all incoming requests (potentially from different users) under the same process user running web2py. You may want to consider looking into PAGs (process authentication groups) from the web2py layer. You'll need to tie back these processes to the request arriving to web2py.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow