So, I have a dekiwiki I use for some purpose or another, I wanted it to be used via https to ensure security (just general paranoia). That was fine to implement, however it needed authentication otherwise whats the point! So, I sat down and tried to figure out how to authenticate Apache2 against a MySQL database. There are lots of tools to do this, but luckily for me none of them work with Dekiwiki because the site doesn't store it's password in any normal way.

Normally Apache2 auth dbd expects the passwords to be stored as a simple hash but deki is more cunning:

crypt_pass = md5( user_id & "-" & md5( clear_password ) )

 Which is fun, so I had to go to mod_authnz_external , which frankly is a genius tool as far as this application is concerned. After enabling the mod, all I needed was:

AddExternalAuth dekisql-auth /usr/sbin/dekisql-auth.pl
SetExternalAuthMethod dekisql-auth pipe

This was in the body of the apache site config for ssl (within the section for <VirtualHost *:443>).

Then another section in there restricts access:

  <Location />
    SSLRequireSSL
    AuthType Basic
    AuthName "Deki - Restricted"
    AuthBasicProvider external
    AuthExternal dekisql-auth
    require valid-user
  </Location>

Then finally there is the script, all it happens to be is the SQL script supplied with the external authnz module with some changes:

 my $dbq = $dbh->prepare("select user_name as username, user_password as password, 
 user_id as userid from users where user_name like \'$user\' and user_active=1;");

and under the "accepted" conditional statement change it to

if ($row->{password} eq md5_hex($row->{userid} . '-' . md5_hex($pass))) {

To aid diagnostics I also added a line to the "else" after accepted to show what happened if the password was rejected:

 print STDERR  $row->{userid} . "  - " . md5_hex($row->{userid} . '-' . md5_hex($pass)) . "\n";

 That is all...

I hope perhaps you find this useful in getting your wiki secured. As always, I invite comment....

blog comments powered by Disqus