Today's Topics:

   1. Re: Catalyst, Apache::AuthTkt, 2.0.0 final (Peter Karman)
   2. Apache::AuthTkt Patch (Jose Luis Martinez)
   3. Re: Apache::AuthTkt Patch (Peter Karman)
   4. Re: Catalyst, Apache::AuthTkt, 2.0.0 final (Peter Karman)
   5. Re: Catalyst, Apache::AuthTkt, 2.0.0 final (Gavin Carr)

----------------------------------------------------------------------

Message: 1
Date: Tue, 15 Jan 2008 15:47:32 -0600
From: Peter Karman <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Catalyst, Apache::AuthTkt, 2.0.0 final

On 01/15/2008 03:45 PM, Peter Karman wrote:

> (1) Apache::AuthTkt 0.07 is now on CPAN with the parse_ticket() method added.
> Thanks to Gaven for expediting that feature.

sorry, that should be Gavin with an 'i'.

/me winces at misspelling the author's name...

--
Peter Karman . [EMAIL PROTECTED] . http://peknet.com/

------------------------------

Message: 2
Date: Wed, 16 Jan 2008 16:14:17 +0100
From: Jose Luis Martinez <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] Apache::AuthTkt Patch

Hi everyone,

Just new here on the list. We have been using mod_auth_tkt for a couple of projects, and were eager to get on the parse_ticket code to do some ticket validation without depending on the module.

We have run into one big thing while doing tests with the Apache::AuthTkt module.
The parse_ticket is only returning the ticket data, but not verifying its integrity (with the hashing scheme), so if you are relying on that functionality for authentication purposes, you can inject tampered cookies (cookies generated with other secrets, changed userids, etc).

The way the parse_ticket method was documented wasn't misguiding us to believe that on error (MD5 hash not good), the parse_ticket would return undef.

Ton Voon and I have patched the module, adding a valid_ticket method, and leaving the parse_ticket functionality, just in case someone wants to use that. We have also factored out the digest generation routine (so valid_ticket could call it cleanly).

Test suite and documentation is included.

Best Regards,

Jose Luis Martinez
[EMAIL PROTECTED]

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: valid_ticket.patch

------------------------------

Message: 3
Date: Thu, 17 Jan 2008 09:43:47 -0600
From: Peter Karman <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Apache::AuthTkt Patch

On 01/16/2008 09:14 AM, Jose Luis Martinez wrote:

> The way the parse_ticket method was documented wasn't misguiding us
> to believe that on error (MD5 hash not good), the parse_ticket would
> return undef.

Yes, I see what you mean about the parse_ticket() documentation being misleading. 0.07 uses the word 'validate' which the method doesn't actually do beyond making sure the ticket looks like a "reasonable" ticket, in just the way that the C parse_ticket function does.

I like your patch. Gavin, thoughts?

--
Peter Karman . [EMAIL PROTECTED] .
http://peknet.com/

------------------------------

Message: 4
Date: Tue, 22 Jan 2008 09:53:37 -0600
From: Peter Karman <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Catalyst, Apache::AuthTkt, 2.0.0 final

On 12/19/2007 03:39 AM, Gavin Carr wrote:

> Test mod_auth_tkt under apache 2.2 with various parameters
> and confirm what works and what doesn't?
>
> See if you can get the mod_auth_tkt test suite to work for
> you?

I've just run the mod_auth_tkt test suite under Apache 2.0.63 and 2.2.6 and get the same failing tests under both. I'm going to start working on figuring out why, but would love it if someone else could run a quick make test on their own system(s) and confirm what I am seeing.

Here's my summary info:

% uname -a
Linux dewpoint 2.6.16.54-0.2.3-smp #1 SMP Thu Nov 22 18:32:07 UTC 2007 x86_64 x86_64 x86_64 GNU/Linux

Apache 2.0.63
Failed Test                 Stat Wstat Total Fail  List of Failed
-------------------------------------------------------------------------------
t/01_basic.t                               7    2  4-5
t/02_bad.t                                 8    1  4
t/03_ignore_ip.t                           6    1  6
t/05_tokens.t                             13    4  6-9
t/07_guest_login.t                         6    2  3 6
t/07_guest_login_nocookie.t               11    2  3 8
t/08_guest_user.t                         22    2  3 6
t/09_guest_not_allowed.t                   5    2  4-5
t/10_cookie_expiry.t         255 65280    28   10  4 7 10 13 16 19 22 25 28
t/12_cookie_secure.t                       8    2  4 7
t/30_vhost_local_secret.t                  7    2  4-5
t/31_vhost_global_secret.t                 7    2  4-5
t/40_htaccess.t                            9    4  4-7
3 tests skipped.
Failed 13/17 test scripts. 35/139 subtests failed.
Files=17, Tests=139, 6 wallclock secs ( 3.95 cusr + 0.84 csys = 4.79 CPU)
Failed 13/17 test programs. 35/139 subtests failed.

Apache 2.2.6
Failed Test                 Stat Wstat Total Fail  List of Failed
-------------------------------------------------------------------------------
t/01_basic.t                               7    2  4-5
t/02_bad.t                                 8    1  4
t/03_ignore_ip.t                           6    1  6
t/05_tokens.t                             13    4  6-9
t/07_guest_login.t                         6    2  3 6
t/07_guest_login_nocookie.t               11    2  3 8
t/08_guest_user.t                         22    2  3 6
t/09_guest_not_allowed.t                   5    2  4-5
t/10_cookie_expiry.t         255 65280    28   10  4 7 10 13 16 19 22 25 28
t/12_cookie_secure.t                       8    2  4 7
t/30_vhost_local_secret.t                  7    2  4-5
t/31_vhost_global_secret.t                 7    2  4-5
t/40_htaccess.t                            9    4  4-7
3 tests skipped.
Failed 13/17 test scripts. 35/139 subtests failed.
Files=17, Tests=139, 6 wallclock secs ( 3.96 cusr + 0.81 csys = 4.77 CPU)
Failed 13/17 test programs. 35/139 subtests failed.

--
Peter Karman . [EMAIL PROTECTED] . http://peknet.com/

------------------------------

Message: 5
Date: Wed, 23 Jan 2008 12:12:39 +1100
From: Gavin Carr <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Catalyst, Apache::AuthTkt, 2.0.0 final

Hi Peter,

On Tue, Jan 22, 2008 at 09:53:37AM -0600, Peter Karman wrote:
> On 12/19/2007 03:39 AM, Gavin Carr wrote:
> > Test mod_auth_tkt under apache 2.2 with various parameters
> > and confirm what works and what doesn't?
> >
> > See if you can get the mod_auth_tkt test suite to work for
> > you?
>
> I've just run the mod_auth_tkt test suite under Apache 2.0.63 and 2.2.6 and
> get the same failing tests under both. I'm going to start working on figuring
> out why, but would love it if someone else could run a quick make test on
> their own system(s) and confirm what I am seeing.
> Here's my summary info:
>
> % uname -a
> Linux dewpoint 2.6.16.54-0.2.3-smp #1 SMP Thu Nov 22 18:32:07 UTC 2007 x86_64 x86_64 x86_64 GNU/Linux
>
> Apache 2.0.63
> Failed Test                 Stat Wstat Total Fail  List of Failed
> -------------------------------------------------------------------------------
> t/01_basic.t                               7    2  4-5
> t/02_bad.t                                 8    1  4
> t/03_ignore_ip.t                           6    1  6
> t/05_tokens.t                             13    4  6-9
> t/07_guest_login.t                         6    2  3 6
> t/07_guest_login_nocookie.t               11    2  3 8
> t/08_guest_user.t                         22    2  3 6
> t/09_guest_not_allowed.t                   5    2  4-5
> t/10_cookie_expiry.t         255 65280    28   10  4 7 10 13 16 19 22 25 28
> t/12_cookie_secure.t                       8    2  4 7
> t/30_vhost_local_secret.t                  7    2  4-5
> t/31_vhost_global_secret.t                 7    2  4-5
> t/40_htaccess.t                            9    4  4-7
> 3 tests skipped.
> Failed 13/17 test scripts. 35/139 subtests failed.
> Files=17, Tests=139, 6 wallclock secs ( 3.95 cusr + 0.84 csys = 4.79 CPU)
> Failed 13/17 test programs. 35/139 subtests failed.
>
> Apache 2.2.6
> Failed Test                 Stat Wstat Total Fail  List of Failed
> -------------------------------------------------------------------------------
> t/01_basic.t                               7    2  4-5
> t/02_bad.t                                 8    1  4
> t/03_ignore_ip.t                           6    1  6
> t/05_tokens.t                             13    4  6-9
> t/07_guest_login.t                         6    2  3 6
> t/07_guest_login_nocookie.t               11    2  3 8
> t/08_guest_user.t                         22    2  3 6
> t/09_guest_not_allowed.t                   5    2  4-5
> t/10_cookie_expiry.t         255 65280    28   10  4 7 10 13 16 19 22 25 28
> t/12_cookie_secure.t                       8    2  4 7
> t/30_vhost_local_secret.t                  7    2  4-5
> t/31_vhost_global_secret.t                 7    2  4-5
> t/40_htaccess.t                            9    4  4-7
> 3 tests skipped.
> Failed 13/17 test scripts. 35/139 subtests failed.
> Files=17, Tests=139, 6 wallclock secs ( 3.96 cusr + 0.81 csys = 4.77 CPU)
> Failed 13/17 test programs. 35/139 subtests failed.

I've just double-checked things my end to give you some more datapoints. The tests all pass for me on CentOS 4 with apache 2.0.52 (RH version).
On CentOS 5 with apache 2.2.3 (RH) I get multiple failures:

Failed Test                 Stat Wstat Total Fail  Failed  List of Failed
-------------------------------------------------------------------------------
t/01_basic.t                               7    2  28.57%  4-5
t/02_bad.t                                 8    1  12.50%  4
t/03_ignore_ip.t                           6    1  16.67%  6
t/05_tokens.t                             13    4  30.77%  6-9
t/07_guest_login.t                         6    1  16.67%  3
t/07_guest_login_nocookie.t               11    2  18.18%  3 8
t/08_guest_user.t                         22    1   4.55%  3
t/09_guest_not_allowed.t                   5    2  40.00%  4-5
t/30_vhost_local_secret.t                  7    2  28.57%  4-5
t/31_vhost_global_secret.t                 7    2  28.57%  4-5
t/40_htaccess.t                            9    4  44.44%  4-7
3 tests skipped.
Failed 11/17 test scripts, 35.29% okay. 22/139 subtests failed, 84.17% okay.
[warning] server nox.openfusion.com.au:8529 shutdown
[  error] error running tests (please examine t/logs/error_log)
make: *** [test] Error 1

Looks mostly similar to yours. I might have some time to play with this tomorrow, so let me know how you go.

This is against the version here:

  http://www.openfusion.com.au/bzr/mod_auth_tkt/dev/

which is reasonably close to 2.0.0b2.

Cheers,
Gavin

------------------------------

End of modauthtkt-users Digest, Vol 15, Issue 2
***********************************************
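
The distinction raised in Message 2 (parsing a ticket is not the same as verifying it), as an added Perl example; it is not the valid_ticket patch from the thread and not code from Apache::AuthTkt. The ticket layout and double-MD5 digest are assumed from the commonly documented mod_auth_tkt scheme, and ticket_digest, parse_only, is_valid and all sample values are hypothetical names and constructed data.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Assumed layout (not spelled out in the thread):
#   32 hex digest | 8 hex timestamp | uid ! tokens ! user_data
# Assumed digest: MD5( MD5(ip ts secret uid \0 tokens \0 data) . secret )
sub ticket_digest {
    my ($secret, $ip, $ts, $uid, $tokens, $data) = @_;
    my $ipts  = pack('C4 N', split(/\./, $ip), $ts);
    my $inner = md5_hex($ipts . $secret . $uid . "\0" . $tokens . "\0" . $data);
    return md5_hex($inner . $secret);
}

# Shape check only: splits the fields, proves nothing about who issued them.
sub parse_only {
    my ($ticket) = @_;
    my ($digest, $ts, $rest) =
        $ticket =~ /\A([0-9a-f]{32})([0-9a-f]{8})(.+)\z/s or return;
    my ($uid, $tokens, $data) = split /!/, $rest, 3;
    return { digest => $digest, ts => hex($ts), uid => $uid,
             tokens => $tokens // '', data => $data // '' };
}

# Integrity check: recompute the digest from the parsed fields and compare.
sub is_valid {
    my ($ticket, $secret, $ip) = @_;
    my $t    = parse_only($ticket) or return 0;
    my $want = ticket_digest($secret, $ip, @{$t}{qw(ts uid tokens data)});
    my $diff = 0;    # accumulate differences, no early exit on first mismatch
    $diff |= ord(substr($want, $_, 1)) ^ ord(substr($t->{digest}, $_, 1))
        for 0 .. 31;
    return $diff == 0 ? 1 : 0;
}

# Constructed sample values, for illustration only.
my ($secret, $ip, $ts) = ('constructed-demo-secret', '192.0.2.10', 1200500000);
my $good = ticket_digest($secret, $ip, $ts, 'alice', '', '')
         . sprintf('%08x', $ts) . 'alice!!';
(my $tampered = $good) =~ s/alice!!\z/admin!!/;

for my $case ([genuine => $good], [tampered => $tampered]) {
    my ($name, $tkt) = @$case;
    printf "%-8s parsed uid=%-5s valid=%d\n",
        $name, parse_only($tkt)->{uid}, is_valid($tkt, $secret, $ip);
}
```

Both tickets parse cleanly, so only the result of is_valid() is fit to feed an authentication decision; a production check would also enforce the ticket's age.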