Original code downloaded from https://sourceforge.net/projects/cosign…

…/files/cosign/cosign-3.2.0/

.gitignore

@@ -0,0 +1,22 @@
+Makefile
+autom4te.cache
+configure
+common/config.h
+config.log
+config.status
+cgi/cosign.cgi
+cgi/logout
+daemon/cosignd
+daemon/monster
+filters/apache/mod_cosign.so
+filters/apache2/.libs/
+filters/common/cosignpaths.h
+libsnet/config.h
+libsnet/libtool
+libsnet/profiled/
+version.c
+*.a
+*.la
+*.lo
+*.o
+*.slo

Contributors

@@ -0,0 +1,18 @@
+Tony Chan
+Kevin Coffman -- patch to avoid bug in krb5_verify_init_creds()
+Johanna Craig
+Wes Craig
+Chris Drummonds
+Bill Doster
+Larry Greenfield
+Dan Hyde
+Hugh C Kennedy
+Brett Lomas
+Jarod Malestein
+Kevin B. McGowan
+Mark Montague
+Andrew Mortensen
+Phil Pishioneri
+Paul Saxman
+Kris Steinhoff
+Simon Wilkinson

LICENSE

@@ -0,0 +1,17 @@
+Copyright (c) 2002 - 2004 Regents of The University of Michigan.
+All Rights Reserved.
+
+    Permission to use, copy, modify, and distribute this software and
+    its documentation for any purpose and without fee is hereby granted,
+    provided that the above copyright notice appears in all copies and
+    that both that copyright notice and this permission notice appear
+    in supporting documentation, and that the name of The University
+    of Michigan not be used in advertising or publicity pertaining to
+    distribution of the software without specific, written prior
+    permission. This software is supplied as is without expressed or
+    implied warranties of any kind.
+
+The University of Michigan
+c/o UM Webmaster Team
+Arbor Lakes
+Ann Arbor, MI  48105

Makefile.in

@@ -0,0 +1,70 @@
+srcdir=		@srcdir@
+
+CC=	@CC@
+ALL=	common libsnet libcgi cgi html daemon 
+FILTERS= @FILTERS@ 
+SERVER_TARGETS= cgi html daemon
+TARGETS= ${SERVER_TARGETS} ${FILTERS}
+OPTOPTS= @OPTOPTS@ @UNIVERSAL_OPTOPTS@
+CFLAGS=	${OPTOPTS} @CFLAGS@
+LDFLAGS= @LDFLAGS@
+
+filters:	${FILTERS}
+all:		filters
+server:		${ALL}
+everything:	${ALL} filters
+
+cgi daemon:	version.o common libsnet
+cgi:	libcgi
+
+${ALL}:	version.o
+
+${ALL} filters/apache filters/apache2 filters/lighttpd:	FRC
+	cd $@; ${MAKE} ${MFLAGS} all
+
+FRC:
+
+clean:
+	rm -f version.o
+	for i in ${ALL} ${FILTERS} ; \
+	    do (cd $$i; ${MAKE} ${MFLAGS} clean); \
+	done
+
+VERSION=3.2.0
+DISTDIR=../cosign-${VERSION}
+
+test : everything
+	(cd tests && sh ./tests.sh)
+
+dist   : distclean
+	mkdir ${DISTDIR}
+	tar -c -f - -X EXCLUDE . | tar xpf - -C ${DISTDIR}
+	echo ${VERSION} > ${DISTDIR}/VERSION
+	sed -e "s@INTERNAL@${VERSION}@" \
+		< configure.ac > ${DISTDIR}/configure.ac
+	cd "${DISTDIR}"; autoconf; rm -rf autom4te.cache
+
+distclean: clean
+	( cd libsnet ; make distclean )
+	( cd libcgi ; make distclean )
+	rm -f config.log config.status config.cache Makefile \
+	  libcgi/Makefile cgi/Makefile html/Makefile daemon/Makefile \
+	  filters/apache/Makefile filters/apache2/Makefile \
+	  common/Makefile version.c filters/common/cosignpaths.h
+	rm -rf autom4te.cache
+	( cd tests && rm -rf *.testlog CA certs cosign openssl.cnf tmp )
+
+install: @FILTERS@
+	for i in ${FILTERS}; \
+	    do (cd $$i; ${MAKE} ${MFLAGS} install); \
+	done
+
+install-server : server
+	for i in ${SERVER_TARGETS}; \
+	    do (cd $$i; ${MAKE} ${MFLAGS} install); \
+	done
+
+install-all : everything
+	for i in ${TARGETS}; \
+	    do (cd $$i; ${MAKE} ${MFLAGS} install); \
+	done

README

@@ -0,0 +1,232 @@
+These instructions are for building the Apache authentication filter.
+If you need to set up an entire weblogin infrastructure please see
+README.weblogin (for sites using Kerberos) or README.basicauth for any
+other AuthN backend.
+
+Before you begin:
+
+    For documentation and information see: http://weblogin.org/
+
+    To build a production Apache filter you need Apache 1.3.X or Apache
+    2.x.  If you happen to use the Apache 2.x filter in production,
+    please let us know about it. Your web server should have SSL enabled.
+
+    You will need OpenSSL 0.9.7a or newer.
+
+    You will need a source of entropy for the OpenSSL libraries to work.
+    If your system has /dev/*random then you're all set, otherwise you
+    should get something like prngd or egd.  Solaris users should refer
+    to document 27606 "Differing /dev/random support requirements within
+    Solaris [TM] Operating Environments" at <http://sunsolve.sun.com/>.
+    AIX users will want to get prngd.
+
+    If your cosign protected service needs kerberos credentials, you
+    will need MIT krb5-1.2.7 or later.  Kerberos libraries are not
+    required if you do not need access to kerberos credentials.  If you
+    are building a central weblogin server, see README.weblogin.
+
+To build the Apache authentication filter:
+
+    NOTE: On Redhat 9, kerberos is in a  non-standard place, and so, by
+    default, configure may not find it. So if you need to use kerberos
+    ticket transfers, you will need to do the following.
+
+    Add "env CPPFLAGS=-I/usr/kerberos/include" before you run configure.
+    So in csh your configure line will look  like this:
+
+	env CPPFLAGS=-I/usr/kerberos/include ./configure
+
+    and in bash or sh you'd type:
+
+	CPPFLAGS=-I/usr/kerberos/include ./configure
+
+To build:
+
+    ./configure --enable-apache1=/path/to/apache1/apxs
+	OR
+    ./configure --enable-apache2=/path/to/apache2/apxs
+    make
+    make install
+    mkdir -p /var/cosign/filter
+    chown APACHE_USER /var/cosign/filter
+
+    'make install' will install the filter using your copy of apxs.  Be
+    sure to change APACHE_USER to the username defined in your
+    httpd.conf file.
+
+    Users requiring kerberos tickets for their cosign-protected services
+    will want to add --enable-krb to the ./configure command line. GSSAPI
+    support in the filter can be added with --with-gss.
+
+    Mac OS X web administrators will likely want to include an additional
+    option to the ./configure command line, --enable-universal-binaries.
+    This option ensures that the resulting filter contains support for
+    four architectures, and will load with the version of Apache 2.x
+    included with recent versions of Mac OS X.
+
+Configure Apache ( U of M specific example ):
+
+    If you need a certificate, we can provide one signed by the umweb CA at
+    no cost. Self-signed certs will not work wih Cosign. You may also
+    purchase a commercial certificate. Please visit the Web Application
+    Sign-Up page at http://webservices.itcs.umich.edu/ for more info.
+
+    NOTE: When filling out the CSR, you will be prompted for the CN. It
+    says "Common Name (eg, YOUR name) []:" - despite what the prompt
+    says, you should type in the hostname of your webserver, eg
+    "deptwebserver.dept.umich.edu". Additionally, the state field should
+    read "Michigan" and not "MI".
+
+    In the U of M environment, you'll want your directives to look like
+    this:
+
+    On your http ( port 80 ) side, and any dirs or locations you want
+    exempt:
+
+	CosignProtected		Off
+
+    in :443 ( or otherwise https ) vhost
+
+    CosignProtected		On
+    CosignHostname		weblogin.umich.edu
+    CosignRedirect		https://weblogin.umich.edu/
+    CosignPostErrorRedirect https://weblogin.umich.edu/cosign/post_error.html
+    CosignService		<e-mail to [email protected] and we will assign>
+    CosignCrypto		/path/to/key /path/to/cert /path/to/CAdir
+    CosignValidReference	^https?:\/\/.*\.umich\.edu(/.*)?
+    CosignValidationErrorRedirect  http://weblogin.umich.edu/cosign/validation_error.html
+    <Location /cosign/valid>
+	SetHandler	cosign
+	CosignProtected	Off
+	Allow from all
+	Satisfy any
+    </Location>
+
+    NOTE: trailing slash is required on CosignRedirect! The redirects
+    won't work correctly without it.
+
+    ANOTHER NOTE: most mod_cosign options can be configured on a
+    per-directory basis. In order to have this flexibility, the
+    server-wide configurations must be listed "first" in the httpd.conf
+    file, before any per-directory configuration options.
+
+Stop and Start Apache
+
+See README.scripts for a cron job that prunes old cookies from the
+filter's database and scripts for local logout.
+
+--------
+Apache Configuration Options:
+
+	CosignProtected		[ on | off ]
+	    governs whether Cosign is invoked or not
+
+	CosignHostname		[ the name of the host running cosignd ]
+	CosignValidReference	[ a regular expression matching valid
+				service URLs. After the user logs into
+				a service, they are redirected to the
+				validation URL (e.g.,
+				https://mail.example.edu/cosign/valid),
+				where mod_cosign checks the user's cookie
+				and compares the service URL to the value
+				set by CosignValidReference. If the cookie
+				and service URL are good, mod_cosign
+				redirects to the service URL. ]
+	CosignValidationErrorRedirect	[ the URL to redirect to if the
+					validation handler URL cannot
+					validate the service cookie or the
+					service URL. ]
+	CosignRedirect		[ the URL of the cosign login cgi ]
+	CosignPostErrorRedirect	[ the URL to redirect to if the user
+				would be redirected to the login cgi
+				during a POST. This screen lets people
+				know we dropped their data. ]
+	CosignService		[ the name of the cosign service cookie ]
+	CosignSiteEntry		[ the URL to redirect to after login  ]
+	CosignCrypto		[path to key] [path to cert] [path to CA dir]
+	CosignRequireFactor	[ a list of the factors a user must satisfy ]
+	CosignFactorSuffix	[ optional factor suffix when testing
+				for compliance ]
+	CosignFactorSuffixIgnore	 [ on | off ]
+	CosignHttpOnly		[ on | off ]
+		module can be use without SSL - not recommended!
+	CosignTicketPrefix	[ the path to the Kerberos ticket store ]
+	CosignFilterDB		[ the path to the cosign filter DB]
+	CosignFilterHashLength	[ 0 | 1 | 2 ]
+	    subdir hash for cosign filter DB
+	CosignCheckIP           [ never | initial | always ]
+	    check browser's IP against cosignd's ip information
+	CosignProxyDB		[ the path to the cosign proxy DB]
+	CosignAllowPublicAccess		[ on | off ]
+	    make authentication optional for protected sites
+	CosignGetKerberosTickets	[ on | off ]
+	    module asks for tgt from cosignd
+	CosignKerberosSetupGSS		[ on | off ]
+	    setup the enviornment so that other apache modules
+	    that need GSSAPI/Kerberos work. e.g. IMP running under mod_php
+	CosignGetProxyCookies	[ on | off ]
+	    module asks for proxy cookies from cosignd
+
+	Cosign 3.0 introduces the validation handler URL for services,
+	allowing services to be more restrictive about redirections and
+	cookies within the cosign environment. Apache must be configured
+	to set mod_cosign as the handler for a special URI. Consult your
+	weblogin administrators for the correct settings in your own
+	environment. This Location block will generally be enough for
+	your cosign 3.0 service:
+
+	    <Location /cosign/valid>
+		SetHandler	cosign
+		CosignProtected	Off
+		Allow from any
+		Satisfy all
+	    </Location>
+
+	NOTE: a Location block for '/' in which CosignProtected is set to
+	On will override the /cosign/valid Location block. If you need to
+	cosign-protect the document root, set CosignProtected to On in the
+	virtual host context, not in the <Location /> block.
+
+The certificate CN of the weblogin server must match CosignHostname.
+
+--------
+./configure may take the following options:
+
+    --enable-krb=path_to_krb5		enables Kerberos V
+    --enable-apache1=path_to_apxs_1.3	enables Apache 1.3 filter
+    --enable-apache2=path_to_apxs_2	enables Apache 2 filter
+    --enable-universal-binaries		build universal binaries (Mac OS X)
+    --with-GSS				enables GSSAPI
+    --with-filterdb=DIR         	overrides default of /var/cosign/filter
+
+To make Cosign work with Apache's require directives, you should do the
+following:
+
+In httpd.conf, for the directory structure you want to Cosign Protect
+and use apache's require directives on, add the following line:
+
+    #this examples turn this on for everything
+    <Directory />
+	AllowOverride AuthConfig Limit
+    </Directory>
+
+This will allow you to use .htaccess files for Authorization. So now you
+can do something like this:
+
+    AuthType Cosign
+    require user wes canna clunis jarod
+
+This will make it so the core cosign development team can view the pages
+in this hypothetical directory. For more info on this, see Apache's docs
+on .htaccess.
+
+Alternatively you can just specify authorization information inline in
+httpd.conf:
+
+    <Directory />
+	AuthType Cosign
+	Require user grouch harpo chico
+    </Directory>
+
+This allows the marx brothers to exclude Zeppo ( and anyone else ) from
+accessing content on their webserver.