Pubcookie Home > Documentation 
Pubcookie Homepage Pubcookie 3.2
Login Server Administration Guide
Component:  Pubcookie Login Server
Audience:  All
Modified:  June 17, 2005

Included on this page:

Installation Instructions Supplemental Topics
  • Overview
  • What's New
  • Upgrading & Compatibility
  • System Components
  • Basic Login Flavor
  • Authentication Types
  • Verifiers & Authentication Services
  • More About Abstractions
  • Building Components
  • SSL & Granting Key Pairs
  • Run-Time Config File Setup
  • Keyserver Setup
  • Key Management Methodology
  • Run Keyclient For Login Server
  • Deploying Login CGI
  • Testing Login CGI
  • Logging & Debugging
  • Login CGI Templates
  • Custom Login Messages
  • Browser Acceptance Configuration
  • Logout Configuration
  • Kiosk Configuration
  • Site Policy Configuration
  • Kerberos 5 Verifier Configuration
  • LDAP Verifier Configuration
  • Redundant Login Server Configuration
  • FastCGI Configuration
  • Supporting Application Servers
  • Appendix A: Apache Configuration
  • Appendix B: Permissions & Security
  • Appendix C: OpenSSL Commands
  • Overview

    This guide helps site administrators run a Pubcookie login server. Everything from setup and configuration to integration and customization is covered below.

    Application server administrators should refer to the Pubcookie Apache module guide or ISAPI filter guide for instructions on deploying a Pubcookie application server which authenticates using your local login server.

    What's New

    Significant improvements and changes to the login server components included in Pubcookie 3.2.1:

    • Added kerserver support for subjectAltName wildcards.
    • Fixed login cgi to put redirect messages into the normal audit logging stream.
    • Added login_host_cookie_domain to make login cookie domain configurable.
    • Added remote realm, if present, to authentication success message in flavor_basic logging.
    • Fixed LDAP verifier to default to LDAPv3 for all LDAP SDKs and added "x-Version" parameter to the LDAP URL.
    • Revised "fork" verifier to pass username and password via stdin to the forked executable. The config file variable has been changed from fork_exe to verify_exe to avoid accidentally running the wrong executable.

    Significant improvements and changes to the login server components included in Pubcookie 3.2.0:

    • Added support for custom per-application login messages
    • Added keyserver support to allow keyclient authentication by wildcard certificates and Subject Alt Names
    • Added keyserver support to allow keyclient certificates signed by untrusted CAs to cache a public key on the keyserver and use it in server authentication
    • Added keyclient -U <certfile> option for admins to upload a public key certificate to the keyserver
    • Added version string to login server template as HTML comment
    • Improved POST-based messaging between application servers and login server
    • Deprecated the use of third-party relay cgi

    See doc/CHANGES.txt for bug fixes and other improvements.

    Upgrading & Compatibility

    Sites upgrading from previous versions of the login server can build and install the new version while safely maintaining their existing configuration file (PREFIX/config) and login templates. Running make install will not overwrite these files. Note, however, that it will install new keyserver, keyclient, and login cgi binaries into PREFIX/keyserver, PREFIX/keyclient, and PREFIX/login/index.cgi, respectively. A new sample configuration file (PREFIX/config.login.sample) is installed and can be compared with your current configuration file.

    Sites upgrading to version 3.2 will need to update the following templates from PREFIX/login_templates.default. They contain new variable substitutions used by the new login cgi.

    • login (adds new %reason% and %version% variables)
    • form_expired (adds new %time variable)
    • logout_part2 (adds new %version% variable)
    • pinit_response2 (adds new %version% variable)

    Use diff to locate these differences relative to your current templates. This shouldn't be much work. There are only a few lines that have changed.

    Version 3.2 also adds several new templates (notok, notok_badagent, notok_form_multipart, notok_generic, and notok_need_ssl); and two templates have been removed (notok_part1, notok_part2). You will want to make sure you've updated your template directory accordingly.

    Compatibility note on third-party relays: The 3.2 login cgi deprecates the use of relays hosted on third-party servers. New POST-based messaging support allows use across DNS domains without the use of a separate relay cgi. To continue to support third-party cgi-based relays, YOU MUST USE the --enable-unsafe-relay configure option while building the login cgi. The other option is to upgrade application servers using third-party relays to use the version 3.2 modules. Once they're all using the new POST-based login method, there's no need to support third-party relays in your login cgi.

    System Components

    The Pubcookie login server really consists of two separate components with separate purposes:

    login server cgi
    The Pubcookie login server uses a CGI program to handle browser requests. This CGI program, hereafter referred to as the login cgi or index.cgi, is compiled from C and is a site's central Pubcookie component. End-users rely on it to authenticate; application servers rely on it for authentication assertions. The login cgi is typically powered by Apache HTTP Server software.
    The Pubcookie login server uses the keyserver component to generate and distribute symmetric encryption keys for participating servers, including your Pubcookie login server and all application servers. The keyserver runs as a service under inetd or xinetd.

    Basic Login Flavor

    The login cgi supports an abstraction called a login flavor. A login flavor encapsulates a specific set of functionality and features that influence how and when end-user authentication takes place.

    The distribution comes with one login flavor called the basic login flavor. This login flavor has a rich feature set, including single sign-on (SSO) user authentication, a pluggable backend authentication service interface, kiosk mode, and much more.

    This guide might, in fact, be described as a guide to the basic login flavor, it is so tailored to its installation and use.

    Authentication Types

    What the login cgi calls a login flavor, the application server components call an authentication type. The naming is rooted in Apache's AuthType directive and it's somewhat regrettable since they aren't quite the same thing.

    For now it's probably enough to say that, unless you build another login flavor, most application servers will be configured with a single choice of Pubcookie authentication types, one corresponding directly with the basic login flavor.

    How primary authentication takes place (that is, how usernames and passwords are actually authenticated) depends on how the basic login flavor verifies credentials with your backend authentication service.

    Verifiers & Authentication Services

    The basic login flavor performs username-and-password credential verification through a simple pluggable interface to backend authentication services. These plug-ins are called verifiers and the distribution comes with several:

    verifies credentials using a Kerberos 5 KDC
    verifies credentials using an LDAP server
    verifies credentials using /etc/shadow
    verifies credentials using custom forked program
    verifies all credentials as successful. good for testing.

    Compile-time decisions and run-time configuration determines which verifier is used by basic login flavor.

    More About Abstractions

    These login cgi abstractions help applications to remain independent of the method, or methods, used by the login server to authenticate user credentials.

    For example, a site might migrate from LDAP-based to Kerberos authentication. It's attractive to hide the transition from applications. Here applications would continue to use their institutional "netid" authentication type, corresponding with their site's basic login flavor, while the login server administrators transition, transparently, from one verifier to another.

    Other sites may want to be able to choose from different backend authentication services. For example, the University of Washington uses the basic login flavor along side and a more secure flavor that uses SecurID in addition to username and password for primary authentication. Applications choose which flavor they want by configuring the appropriate authentication type.

    Building Components

    The configure script included in the distribution helps you build and install the login cgi and keyserver according to your platform and individual preferences.

    To build and install a barebones login server for evaluation and testing, run the following commands:

    $ ./configure --enable-login --disable-apache
    $ make
    $ make install

    This builds the login cgi with support for the basic flavor and the "alwaystrue" verifier. It also builds the keyserver and keyclient binaries.

    Files are installed, and directories created, according to the default installation directory prefix, henceforth called PREFIX, which defaults to /usr/local/pubcookie. Use the --prefix configure option to define an alternative location.

    Review the results by listing the installation PREFIX directory contents.

    $ ls
    total 240
    -rw-r--r--  root  root    935 config                    # config file
    -rw-r--r--  root  root    935 config.login.sample       # sample config
    -rwxr-xr-x  root  root  92229 keyclient*                # keyclient
    drwxr-xr-x  root  root   4096 keys/                     # keystore
    -rwxr-xr-x  root  root  92929 keyserver*                # keyserver
    drwxr-xr-x  root  root   4096 login/                    # login cgi dir
    drwxr-xr-x  root  root   4096 login_templates/          # templates
    drwxr-xr-x  root  root   4096 login_templates.default/  # originals
    -rw-r--r--  root  root   2048 starter.key               # starter key
    $ ls login
    total 204
    drwxr-xr-x  root  root   4096 images/                   # images
    -rwxr-xr-x  root  root  99299 index.cgi*                # login cgi

    Note: initial file permissions assigned by the installation process may not be acceptable for production use. Please refer to Appendix B: Permissions & Security section for a discussion of this subject.

    Continue through the setup and configration instructions using the alwaystrue verifier. After you've gained some familiarity with a working system, you can rebuild the login cgi to use a different verifier that goes against your local authentication service. Review the configure help for the build options.

    $ ./configure --help

    Refer also to the Kerberos, LDAP, and FastCGI configuration sections.

    SSL & Granting Key Pairs

    SSL key pairs have several functions in the operation of a Pubcookie login server. One key pair may suffice for all of them, but two key pairs often works better in practice.

    SSL key pair:
    The SSL private key and certificate used to SSL-enable Apache can be reused for the first keypair. This key pair is particularly suited for use with the keyclient and keyserver because the SSL public key certificate most likely has been signed and issued by a trusted Certificate Authority. The login cgi also uses this key pair, but only for signing and verifying "login" cookies.

    Note: the login cgi and keyserver cannot read encrypted RSA private keys because they can't prompt for the passphrase. To reuse an encrypted SSL key, you'll first have to remove the passphrase. Refer to Appendix C: OpenSSL Commands for help.

    The ssl_key_file and ssl_cert_file config file variables will point to these keys.

    Granting key pair:
    A second key pair is used to sign and verify "granting" cookies, the authentication assertions generated and signed by the login cgi and verified by application servers. Here the certificate issuer isn't important, but the SSL public key certificate must be distributed to other servers. Therefore, a separate "granting" key pair is often used. Refer to Appendix C: OpenSSL Commands if you need help generating this key pair.

    The granting_cert_file and granting_key_file config file variables will point to these keys.

    Note: the key pairs described in this section (used for SSL and message signing primarily) are in addition to the symmetric encryption keys Pubcookie uses for data encryption.

    Run-Time Config File Setup

    The login cgi and keyserver share a run-time configuration file located at PREFIX/config. The file format is one attribute-value-pair per line, except where a trailing backslash \ character continues a value to the next line.

    A sample config file appropriate for a login server is provided (see PREFIX/config or PREFIX/config.login.sample if you're upgrading) as a starting point. It will look something like this:

    # 1 is a good starting point
    logging_level: 1
    # the credential verifier used by the basic flavor
    basic_verifier: alwaystrue
    # SSL session keypair
    ssl_key_file: /etc/httpd/conf/ssl.key/server.key
    ssl_cert_file: /etc/httpd/conf/ssl.crt/server.crt
    # granting keypair
    granting_key_file: /usr/local/pubcookie/keys/pubcookie_granting.key
    granting_cert_file: /usr/local/pubcookie/keys/pubcookie_granting.cert 
    # login server config
    logout_prog: /logout/index.cgi
    # keyserver config
    ssl_ca_file: /etc/httpd/conf/ssl.crt/ca-bundle.crt
    # site-specific policies
    default_l_expire: 8h

    Begin editing your config file, using the config file variable reference as needed for examples and descriptions.


    • See how several variables in the example above are derived from the login server name, This will be true for your config file too.

    • The example login server appears to be reusing its SSL key pair located in server.key and server.crt.

    • The example login server has a separate "granting" key pair. Refer to Appendix C: OpenSSL Commands if you need help generating this key pair.

    • The example keyserver appears to be using a file bundle of trusted Certificate Authorities (i.e., ca-bundle.crt). This file must contain all the trusted CA root certificates the site is using to verify keyclient certificates.

    Keyserver Setup

    Keyserver is designed to run as a service under inetd or xinetd.

    If you use inetd, add a line like the following to /etc/inetd.conf:

    2222  stream  tcp  nowait  root  /usr/local/pubcookie/keyserver keyserver

    If you use xinetd, create /etc/xinetd.d/keyserver with the following contents:

    # description: pubcookie keyserver
    service keyserver
    	type			= UNLISTED
    	protocol		= tcp
    	port			= 2222
    	disable			= no
    	socket_type		= stream
    	wait			= no
    	user			= root
    	group			= tty
    	server			= /usr/local/pubcookie/keyserver

    After adding the line to inetd.conf, or the file to xinetd, restart your inetd or xinetd service.

    Note: keyserver requires ssl_key_file and ssl_cert_file, and either ssl_ca_file or ssl_ca_path depending on how you handle trusted root CA certificates. Keyserver also uses granting_cert_file for distributing your "granting" certificate. And if you want control over which hosts can request keys, you can do so by defining a keyserver_client_list for authorizing new hosts.

    Key Management Methodology

    This section describes how symmetric encryption keys are managed by the Pubcookie keyserver. It issues keys to all participating servers, including all login servers and application servers.

    The keystore:
    A master copy of each 2048-byte DES key is stored on the login server in its keystore, PREFIX/keys, in a filename based on the server's SSL certificate's Common Name. For example, a site with a login server and three application servers might have a keystore like this:

    $ ls /usr/local/pubcookie/keys
    total 204
    -rw-r--r--  root  root   2048
    -rw-r--r--  root  root   2048
    -rw-r--r--  root  root   2048
    -rw-r--r--  root  root   2048
    -rw-r--r--  root  root    887 pubcookie_granting.key
    -rw-r--r--  root  root   1224 pubcookie_granting.cert

    New key generation:
    New keys are generated and issued by the keyserver upon request. Running keyclient on a host initiates the request. If the keyclient host is authorized, and the keyclient and keyserver trust each other, the request is fulfilled.

    New keyclient host authorization:
    If the keyserver_client_list config variable is set, keyserver performs authorization on all keyclient requests. If it is not set, keyserver will issue keys to any trusted keyclient.

    When authorization is enabled, grant-or-deny decisions are based on the presence a host in the keystore. If keyserver finds a host in the keystore, then that host can request a key. This seems like a catch-22: to create a new host key in the keystore, the key must already exist in the keystore. But it's not: site administrators can use the keyclient's "permit" option to authorize new servers to request keys. For example:

    $ keyclient -P
    Host is permitted

    This can be done manually by the login server administrator or by some kind of automated web-based registration service. The keyserver_client_list defines which hosts are authorized to use the permit option, allowing you to authorize new hosts without necessarily having to log in to the login server to do so.

    Trust: SSL/TLS mutual authentication
    Pubcookie uses elements of Public-Key Infrastructure (PKI) and SSL/TLS for mutual server authentication and data privacy between keyclient and keyserver. Trust is anchored by the Certificate Authorities used to sign, issue, and verify the certificates exchanged during keyclient connections.

    Mutual authentication means the keyclient and keyserver must identify each other. The keyclient must verify the SSL certificate presented by the keyserver. Likewise, the keyserver must verify the SSL certificates presented by keyclients. To do so, they both require trusted CA root certificates to do the verification. This is configured via ssl_ca_file or ssl_ca_path, which might point to your own institutional CA root certificate or pehaps the CA root certificate bundle that comes with OpenSSL, whatever you happen to be basing your trust policy on.

    Working with untrusted keyclients:
    An untrusted keyclient is one using a SSL certificate signed by a Certificate Authority the keyserver doesn't trust. To allow such keyclients to request keys without having to obtain another certificate, there's a workaround. The login server administrator can cache the keyclient's SSL certificate (public key) in the keystore. The keyserver can then use the public key itself to verify the keyclient. As a result, an otherwise untrusted keyclient can request keys without changing the overall CA trust policy and configuration.

    Note: the keyclient's -U cert_file option will upload a certificate to the keyserver, e.g.:

    $ ./keyclient -U

    This command can only be run from a trusted host, i.e. in the keyserver_client_list list.

    Run Keyclient For Login Server

    To generate a symmetric encryption key for your login server, copy the starter key found in the distribution into your keystore. Use your login_host name for the filename. For example:

    $ cd /usr/local/pubcookie
    $ cp starter.key keys/

    The starter key allows keyserver to initialize when the keystore would otherwise be empty. Now you should be able to run keyclient to request a new DES key for the login server based on your current config file settings:

    $ ./keyclient
    Set crypt key for

    Note: if keyclient is unable to set a new key, look in syslog for keyserver error messages.

    Deploying Login CGI

    The login cgi doesn't depend on its own filename or location, so your primary concern in deploying it should be to create a simple URL that's easy for users to recognize and trust with their password.

    The most common approach is to copy it from PREFIX/login/index.cgi to the server's root directory, resulting in a URL such as

    Refer to Appendix A: Apache Configuration if you're unfamiliar with the directives that control how Apache detects and handles cgi scripts, particularly as a directory index.

    Testing Login CGI

    The login cgi can be opened directly in a browser. This is sometimes called a pinit (for Pubcookie init, like kinit) since authentication is requested without being tied to an application. It's a good way to test your current config file and verifier. Go ahead and try it now. The login page you see comes from PREFIX/login_templates/login_pinit.

    If authentication succeeds, congratulations, you now can deploy an application server using the Pubcookie Apache module or Pubcookie ISAPI Filter to test the components together. Then you can go on to build and configure another verifier that goes against your authentication service and customize the login cgi templates for your site.

    If authentication fails, don't panic, look in your syslog for error messages from the login cgi and refer to the Logging & Debugging section for further advice.

    Logging & Debugging

    The login cgi uses syslog to log all messages. Logging can be configured using the logging_level variable. A value of 1 gets you basic audit activity such as logins and redirects which is most likely sufficient for normal operation. When additional debugging information is needed increase the value to 3.

    The keyserver also uses syslog and tends to log all critical error messages. Keyclient uses standard output for its messages.

    Login CGI Templates

    The login cgi creates login, logout, error, and redirect pages using HTML templates it reads from the PREFIX/login_templates directory. An alternative location can be defined using the template_root config file variable.

    Edit these templates to suit the naming and web design needs of your login server. A set of generic templates is copied into place during installation. A backup set is also copied to PREFIX/login_templates.default.

    Refer to the login cgi template reference for descriptions of each template.

    Note: For comparison purposes, templates (of some vintage) from Carnegie Mellon University and the Univerisity of Washington are provided in the distribution. See src/login_templates.cmu and src/login_templates.uw. Be warned, however, that the syntax for variable substitution within the templates has changed over time, and therefore the CMU and UWash templates may be slightly out-of-date.

    Custom Login Messages

    This is all about branding. Some application owners require branding of the login page with their own login prompt text and icons. The login cgi support this capability through the use of custom login message templates (small HTML snippets) configured on the login server. They can't take over the entire design of the login page, but it does provide a place for friendlier, custom messages.

    A custom login message applies to a single application, so the corresponding template is stored in a file according to the server name and application id. The file path is based on the custom_login_message_dir configuration variable (the directory containing all the custom login message templates, which defaults to the same directory as all the other login templates). The filename is based on the custom_login_file_prefix configuration variable (the filename prefix for all custom login message templates) plus the server name and application id.

    For example, to configure a custom login message for an application on with an application id of testapp, you would place the custom message (HTML snippet) in the following file (based on default values, of course):


    You can see where custom login messages are positioned relative to other elements on the login page by viewing the HTML source of the login template. They come just before the reason the user has to authenticate.

    Browser Acceptance Configuration

    The optional PREFIX/ok_browsers file contains a list of browsers accepted by the login cgi. This file provides a way to block browsers that either have a known security flaw (i.e., don't forget cookies when they should) or don't work with Pubcookie. The ok_browsers file is optional.

    Note: At the University of Washington, we've so far been too chicken to use the 'ok_browsers' functionality to block browsers that we suspect don't work. Our ok_browsers file has a single line: Mozilla. This pattern matches most of the browsers we support or encounter; which is mainly Internet Explorer, Netscape, Mozilla, and Safari.

    Logout Configuration

    The login cgi handles logout requests initiated by, and redirected from, applications configured with Pubcookie's per-application logout functionality. Handling these logout requests is built in; no configuration is necessary to the login cgi itself.

    However, through additional configuration you can create a separate, direct logout URL for your login server (e.g. You can also tailor the logout response messages for your favorite applications. Those are the two subjects of this section.

    Note: Pubcookie does not support "global" logout, that is, logout of all sessions, all cookies, all at once. Rather, it supports per-application-session logout with optional ability also to logout of the login server. Therefore, users still must be educated not to leave their browsers open and unattended without proper precautions such as locking their computer and using password-protected screensavers. Exiting the browser remains the best way for users to get logged out of everything at once.

    Configuring a Direct Logout URI:
    If you want to provide a URL where users can go directly to clear their single sign-on session (by way of clearning their "login" cookie), it can be created with the logout_prog config variable and a Unix symbolic link. Here's an example.

    Suppose the login cgi has been installed in the DocumentRoot directory (e.g. in /var/www/html) with a URL of To create a logout URI of /logout/ just below that, i.e.,, you'd do this:

    Change to the appropriate directory, create the subdirectory, and make the symbolic link to your login cgi:

    $ cd /var/www/html
    $ mkdir logout
    $ cd logout
    $ ln -s ../index.cgi index.cgi

    Adjust the directory according to the location of your login cgi. Now any request to /logout/ on the server will map to your login cgi.

    Now add the appropriate logout_prog variable to your config file:

    logout_prog: /logout/index.cgi

    Customizing Logout Responses For Special Apps:
    The login cgi builds logout response pages from several templates. One template, logout_app, which is the most specific to each application, can be overridden on a per-application basis, as configured and identified by the originating server name and application id. It requires one app_logout_string config file variable for each application, where the server name and id are tacked on using dashes. For example:

    # custom logout msgs \
              <font size="+1">Testapp logout worked just fine.</font> \
              <font size="+1">Webmail Logout Successful!</font>

    Note: Since the login cgi reads the config file and its HTML templates on each request, there's no need to recompile the login cgi in order to modify response messages.

    Kiosk Configuration

    Use the kiosk variable to apply a site policy for reduced single sign-on duration for identified kiosks. The login cgi supports matching by user-agent string, remote IP address, or IP address ranges. For example:

    kiosk:   20m Safari/85.6 \
             15m Safari \
             10m ExampleKiosk 140.142.21.* \

    This sets a curiously elaborate, but nonetheless illustrative, kiosk policy: a 20-minute SSO duration for Safari 85.6, a 15-minute SSO for all other versions of Safari, a 10-minute SSO to remote browsers with "ExampleKiosk" in the user-agent string as well as to the remote IP address and the 140.142.21 subdomain, and a one-hour SSO duration for IP addresses in the range

    Matching by user-agent string is particularly useful for applying reduced SSO to managed kiosks that have a locally customized user-agent string such as:

    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; ExampleKiosk; Windows NT 5.0)

    How to customize user-agent strings is beyond the scope of this guide, but resources and tools, such as the Internet Explorer Administration Kit, do exist to help with this task.

    Site Policy Configuration

    This section highlights some of the possible site policies you can define in your config file. These options may be overlooked, but they can enhance the user experience and shape the security policy of your login server.

    • Use default_l_expire to define your default single sign-on duration. Primary authentication occurs when user-provided credentials are verified directly. Subsequent authentication is based on checking the "login" cookie. This setting defines how long this cookie is valid.

    • Use form_expire_time to define how long users have to log in. Taking too long will result in a new login form (with the form_expired template message included). The default expiration is 60 seconds.

    • Use static_user_field to define the editability of the userid field during a single browsing session. You may want to allow some flexibility or force users to close the browser before switching between users.

    • Use the retain_username_on_failed_authn to define whether the userid is retained after a failed login attempt. Users will appreciate this if they mistyped their password, not their userid.

    • Use trim_username_to_atsign to define whether users can enter a userid that looks like an email address. Sites that aren't verifying full Kerberos principals (e.g. or userids that look like email addresses can use this feature to provide some flexibility in this regard, i.e., to trim off the extra realm info the user added and verify just the proper userid.

    Refer to the config file variable reference to review these variables and the values they take.

    Kerberos 5 Verifier Configuration

    To build the login cgi with support for the Kerberos 5 verifier, run the configure script with the Kerberos option enabled:

    ./configure --enable-login --disable-apache --enable-krb5

    If needed, the configure script has other options for adjusting the location of the Kerberos header files and libraries.

    To configure the login cgi to use the Kerberos verifier, edit your config file and set basic_verifier to kerberos_v5. Additionally, two other config file variables control the Kerberos 5 verifier: kerberos5_service_name and kerberos5_keytab. For example:

    # kerberos verifier config
    basic_verifier: kerberos_v5
    kerberos5_service_name: pubcookie
    kerberos5_keytab: /usr/local/pubcookie/keys/pubcookie.keytab

    Enable the append_realm variable if you want the Kerberos authentication realm to be appended to the user name after authentication but before issuing cookies (i.e., target servers will receive user@REALM.)

    Use the default_realm variable to define a default Kerberos authentication realm to pass to the verifier when none is submitted via the login form.

    To authenticate responses from your Kerberos server, the login server and Kerberos server must share a service key. You can use an existing service key or generate a new one with the help of your Kerberos administrator. Keep in mind that the keytab file that contains your service key must be readable by the login cgi. Since the login cgi will most likely run as a non-root user, it's recommended that you use a service key other than the "host" service key typically stored in /etc/krb5.keytab.

    Similar to user keys, service keys have a principal of the form <service_name>/<hostname>@<realm>. The hostname is the fully qualified hostname for your login server, and the realm is the Kerberos realm. But the service name is what counts most to the Kerberos 5 verifier. Your service name can be set with the kerberos5_service_name variable.

    Contact your local Kerberos domain administrator if you need help creating a service key, generating a keytab file, or otherwise configuring Kerberos (e.g. /etc/krb5.conf) on your login server.

    See doc/krb5-getcred.html for details on how to configure and use Kerberos credential passing.

    LDAP Verifier Configuration

    To build the login cgi with support for the LDAP verifier, run the configure script with the LDAP option enabled:

    ./configure --enable-login --disable-apache --enable-ldap

    If needed, the configure script has other options for adjusting the location of the LDAP header files and libraries.

    To configure the login cgi to use the LDAP verifier, edit your config file and set basic_verifier to ldap and set ldap_uri to your LDAP URI.

    Redundant Login Server Configuration

    The login cgi and keyserver can be deployed in a redundant configuration, provided that they share the same cluster name and settings. Use the login_servers variable to configure keyserver to push new keys to its peers.

    FastCGI Configuration

    The login cgi can run as a FastCGI process. This allows one or more instances of the login cgi to persist and handle many requests rather than just one.

    FastCGI support is enabled with the --with-fcgi=<path to fcgi> option. Example Apache configuration follows below; modify as needed.

    LoadModule fastcgi_module     libexec/
    FastCgiConfig \
           -appConnTimeout 0 \
           -idle-Timeout 30 \
           -init-start-delay 2 \
           -killInterval 300 \
           -listen-Queue-Depth 50 \
           -maxProcesses 10 \
           -maxClassProcesses 2 \
           -minProcesses 1 \
           -startDelay 10

    Supporting Application Servers

    To support application servers, other system administrators will need to know the location of your login server, keyserver, and how trust is handled on your keyserver. That is, which CAs the keyserver trusts to verify keyclient certificates; and which CA can be used by the keyclient to verify your keyserver certificate.

    Appendix A: Apache Configuration

    The default filename for the login cgi, index.cgi, is a common name for a cgi program that is executed when a directory's URL is requested. The DirectoryIndex directive defines how Apache handles such requests, typically choosing the first file it finds in its DirectoryIndex list. With appropriate configuration, this can be your login cgi.

    For example, you might use the follow DirectoryIndex directive:

    DirectoryIndex index.cgi index.html

    Apache also needs to know how to identify cgi scripts by the .cgi filename extension. Some distributions of Apache have the cgi handler disabled. Make sure the following line is in your httpd.conf and not commented out.

    AddHandler cgi-script .cgi

    Finally, Apache must allow execution of cgi scripts in the directory where the login cgi is located. If it's outside of a ScriptAlias directory, you can control this with the Options directive.

    Options Indexes FollowSymLinks ExecCGI

    Appendix B: Permissions & Security

    Due to the important nature of the Pubcookie login server, the only other services that should be run on the same system are those which receive an equally high level of scrutiny for security.

    Some of the login cgi's supporting files are sensitive, particularly the two private keys, ssl_key_file and granting_key_file. In a production environment, non-root users shouldn't be able to read these files.

    However, in a typical Apache configuration the login cgi runs within a restricted user context defined by the User and Group server directives. They are usually set to some non-privileged user and group (e.g. nobody.nobody).

    One approach to permissions is simply to make the sensitive files owned and readable by the non-privileged Apache user (nobody.nobody and octal 600, 700 for the keys directory).

    drwx------  nobody nobody   4096 keys/ 
    -rw-------  nobody nobody   4096 keys/pubcookie_granting.key
    -rw-------  nobody nobody   4096 keys/pubcookie_session.key

    Another approach is to run Apache as a non-privileged user but use a group that no users are allowed to be in (e.g. nobody.www where no users are in the www group). Then sensitive files can be restricted to just root and to the empty group (root.www and octal 640, 750 for the keys directory). Since the login cgi runs in the context of the group, it can read the files it needs to.

    drwxr-x---  root   www      4096 keys/ 
    -rw-r-----  root   www      4096 keys/pubcookie_granting.key
    -rw-r-----  root   www      4096 keys/pubcookie_session.key

    Note: since the keyserver is run by inetd or xinetd, it is most likely run as root and therefore can read and write supporting files as needed.

    Appendix C: OpenSSL Commands

    To generate a new RSA private key and self-signed public key certificate, (for example, for the "granting" key pair), change to the PREFIX/keys directory and use the following OpenSSL command as an example:

    $ cd /usr/local/pubcookie/keys
    $ openssl req -new -x509 -out pubcookie_granting.cert \
        -newkey rsa:1024 -nodes -keyout pubcookie_granting.key

    To remove the pass phrase on an SSL private key:

    $ openssl rsa -in server.key -out unencrypted.key

    The man pages for x509, rsa, and req have many other useful OpenSSL command examples.

    [Pubcookie Home Page]
    Copyright © 2002-2008 University of Washington
    UW Technology Services
    Pubcookie Contact Info
    Modified: June 17, 2005