How to secure WebDAV with SSL and Two-Factor Authentication
Benefits of Using WebDAV
Web-based distributed authoring and versioning or WebDAV is the protocol that is creating the "read-write" web. It is facilitating collaboration in many ways across the internet, replacing proprietary protocols (FrontPage, e.g.) or superseding less functional open protocols ((FTP, SFTP). The primary drivers for the adoption of WebDAV include:
- WebDAV resources can be set up like local drives allowing you to work with remote files as if they were on your machine.
- It allows for "locking" of files so multiple users can work with a file at the same time, but only one at a time can make changes.
- It is more efficient than FTP or SFTP.. You can pipeline multiple transfers through a single TCP connection.
- It is an extension of HTTP and uses the same ports - 80 or 443, avoiding potential firewall issues.
- Support for WebDAV is available across multiple platforms creating a cross-platform solution.
However, as with all things Internet-related, security is an issue, particularly if you are dealing with confidential information. Yet companies always need to share information and work with outside personnel. It can be very tricky to collaborate with third-parties, yet still be able to authenticate users. How do you know that users aren't sharing a password? Yet, you don't want to provide a hardware token to a non-employee particularly for a short project, as you will more than likely never get it back.
A scenario where combining two-factor authentication with WebDAV might be for a public company that collaborates with an outside PR firm for financial releases. Knowledge of pending merger announcements or financial results is highly confidential corporate information and using two-factor authentication greatly reduces the risks of sharing static passwords. Many firms might also need to replace less-secure FTP services due to new compliance regulations.
For our purposes, a key benefit is that we can use the security tools available to protect HTTP services to protect WebDAV. In this how-to, we will create a secure WebDAV resource using Apache, Radius, SSL and two-factor authentication from WiKID Systems to set up secured remote drives on Windows, Mac and Linux machines.
DAV Commands
It is a good idea to get familiar with WebDAV. Here are the new methods WebDAV adds to HTTP 1.1, according to Wikipedia:
- PROPFIND: Used to retrieve properties, persisted as XML, from a resource. It is also overloaded to allow one to retrieve the collection structure (a.k.a. directory hierarchy) of a remote system.
- PROPPATCH: Used to change and delete multiple properties on a resource in a single atomic act.
- MKCOL: Used to create collections (a.k.a. directory).
- COPY: Used to copy a resource from one URI to another.
- MOVE: Used to move a resource from one URI to another.
- LOCK: Used to put a lock on a resource. WebDAV supports both shared and exclusive locks.
- UNLOCK: To remove a lock from a resource.
Configuring the Server
For any service to be secure, the underlying server also needs to be secure. Be sure that your server is locked down tight and always up-to-date. Please note that I used Apache version 2.2.2-1.2 installed via RPM on a Fedora Core 5 System. I was not able to get mod_auth working on httpd-2.2.3-5 and have heard the same of 2.4.
Create WebDAV directories
Create some directories for your user's files. You may even want to create individual directories:
mkdir /var/www/webdav/
mkdir /var/www/webdav/USERNAME
chown -R root:apache /var/www/webdav
chmod -R 750 /var/www/webdav
Note that the Apache user is the owner of these directories.
Configuring WiKID
The WiKID Strong Authentication System is a commercial/open source two-factor authentication solution. Unlike most offerings which use shared-secrets, it uses public key cryptography to securely transmit PINs and one-time passcodes between the server and software tokens. With WiKID the two-factors are possession of the private key and knowledge of the PIN. Because we are testing across Windows, Mac and Linux, the screenshots here are of the open-source J2SE WiKID token. The token client uses port 80, so again, there are no firewall concerns. More information on WiKID's technology can be found here.
Here's how it will work, when the user wants access to the WebDAV resource, they will be prompted for a username and password. The user generates the one-time passcode on their WiKID token and enters it into the password prompt. Apache will route the username and one-time password to the WiKID server via pam_auth_xradius. If the username and one-time password match what WiKID expects, the server will tell Apache to grant access. First, we add Apache to the WiKID Strong Authentication Server as a network client, then add radius to Apache. I assume you already have a WiKID domain and users setup - more information on how to install and confgure WiKID can be found here.
Start by adding a new Radius network client to the WiKID server for your web server:
- Log into WiKID server web interface (http://yourwikidserver/WiKIDAdim).
- Select Network Clients tab.
- Click on Create New Network Client"
- Fill in the requested information.
- For the IP Address, use the web server IP address
- For Protocol, select Radius
- Hit the Add button, and on the next page, enter a shared secret
- Do not enter anything into the Return Attribute box
- From the terminal or via ssh, run 'stop' and then 'start' to load the network client into the built-in WiKID radius server
That is it for the WiKID server. Now on to Apache.