Send modauthtkt-users mailing list submissions to
        modauthtkt-users@lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
or, via email, send a message with subject or body 'help' to
        [EMAIL PROTECTED]

You can reach the person managing the list at
        [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of modauthtkt-users digest..."


Today's Topics:

   1. Problem with redirects! (Mário Lopes)
   2. Re: Seg Fault in rc3 in redirect function (Gavin Carr)
   3. Re: Seg Fault in rc3 in redirect function (Gavin Carr)
   4. Re: Problem with redirects! (Gavin Carr)
   5. Re: Seg Fault in rc3 in redirect function (Gavin Carr)
   6. Re: Seg Fault in rc3 in redirect function (Carl Johnstone)
   7. TimeoutRefresh Paramter Not Working? (Clifton Lee)


----------------------------------------------------------------------

Message: 1
Date: Fri, 11 Apr 2008 01:50:15 +0100
From: Mário Lopes <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] Problem with redirects!
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed; delsp=yes

Hello everyone,

I've been fiddling with mod_auth_tkt for the last 6 hours and I've  
finally given up on tinkering with Perl scripts and decided to ask for  
some kind help :-)

Here's what's happening: mod_auth_tkt is working on a Debian Lenny  
machine with Apache 2.2, but it's failing on these two very important  
cases:

1) I have to directly copy the TKTAuthKey directive to within the
VirtualHost definition. If I leave it instead on, say,
/conf.d/auth_tkt.conf it will fail with the following error:

TKT valid_ticket: ticket found, but hash is invalid - digest  
'bfe84fcb80099ab57a89943e57a99106', ticket  
'd6f514e1b83520f248e853675bf3fbb3'

I've made sure files inside conf.d are being loaded before virtual  
hosts.

2) The second issue is a complete show-stopper. When trying to have
multi-domain authentication (on this case, multi subdomain
authentication), the login.cgi script keeps redirecting from and to
the login script. For instance, if the login script is available @
http://in.a.domain.tld/login/login.cgi and the second domain
(protected) is http://in.b.domain.tld/protected, it will start
redirecting on an endless loop.

Apache's error_log outputs exactly the same error as seen on 1),  
"ticket found, but hash is invalid".

I'd love to have this solved. I thought about rewriting the demo  
scripts but it's a bunch of them so I guess there's an easier way.

Thanks in advance for any help.

Cheers,

Mário


------------------------------

Message: 2
Date: Fri, 11 Apr 2008 12:33:15 +1000
From: Gavin Carr <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Seg Fault in rc3 in redirect function
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

On Tue, Apr 08, 2008 at 09:49:38AM +0100, Carl Johnstone wrote:
> I've managed to generate a segmentation fault in mod_auth_tkt. I think I've 
> probably not quite got my configuration right - I don't want auth_tkt to 
> actually do an auth check, just to log the user if the ticket is valid.
> 
> What I think is that because I don't have a login URL configured, when a 
> previously valid cookie times out the module tries to redirect to a NULL URL 
> which causes the fault.
> 
> Please find below details of my config, system setup, and a backtrace.

Thanks for the report Carl, I'll take a look at it soon.

Cheers,
Gavin




------------------------------

Message: 4
Date: Fri, 11 Apr 2008 14:09:56 +1000
From: Gavin Carr <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Problem with redirects!
To: Mário Lopes <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

Hi Mario,

On Fri, Apr 11, 2008 at 01:50:15AM +0100, Mário Lopes wrote:
> Hello everyone,
> 
> I've been fiddling with mod_auth_tkt for the last 6 hours and I've  
> finally given up on tinkering with Perl scripts and decided to ask for  
> some kind help :-)
> 
> Here's what's happening: mod_auth_tkt is working on a Debian Lenny  
> machine with Apache 2.2, but it's failing on these two very important  
> cases:
> 
> 1) I have to directly copy the TKTAuthKey directive to within the
> VirtualHost definition. If I leave it instead on, say,
> /conf.d/auth_tkt.conf it will fail with the following error:
> 
> TKT valid_ticket: ticket found, but hash is invalid - digest  
> 'bfe84fcb80099ab57a89943e57a99106', ticket  
> 'd6f514e1b83520f248e853675bf3fbb3'
> 
> I've made sure files inside conf.d are being loaded before virtual  
> hosts.

That smells odd. If your virtual hosts were not seeing the secret at
all you'd get an error, so I'm guessing they're inheriting some secret 
from somewhere, but not the one you expect. Try grepping for all 
instances of TKTAuthSecret and check you don't have a bogus one
floating around somewhere in conf.d or conf.

> 2) The second issue is a complete show-stopper. When trying to have
> multi-domain authentication (on this case, multi subdomain
> authentication), the login.cgi script keeps redirecting from and to
> the login script. For instance, if the login script is available @
> http://in.a.domain.tld/login/login.cgi and the second domain
> (protected) is http://in.b.domain.tld/protected, it will start
> redirecting on an endless loop.
> 
> Apache's error_log outputs exactly the same error as seen on 1),  
> "ticket found, but hash is invalid".

You've got the login url unprotected, right? i.e. you can go to it
directly and get the login page?

If the two domains have different secrets or settings what should 
happen is that you just get redirected back to the login page and 
get the error. A redirect loop means something is seriously hosed.


Can you try putting your secrets and settings in two files in 'conf' 
and then including them into your virtualhosts configs using 
"Include <file>"? That way you know exactly what's being included
and that you don't have differences between your versions.


Cheers,
Gavin
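
[Added example, not part of the original message and not code from mod_auth_tkt or this thread.] Why a secret mismatch between two virtual hosts yields "ticket found, but hash is invalid": the sketch follows the MD5 ticket layout documented for mod_auth_tkt 2.0.x. The secrets, user name, IP and function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct


def tkt_digest(secret, ip, ts, uid, tokens="", data=""):
    """Two-round MD5 digest over packed IP + timestamp, secret and payload."""
    ip_ts = socket.inet_aton(ip) + struct.pack("!I", ts)
    raw = (ip_ts + secret.encode() + uid.encode() + b"\0"
           + tokens.encode() + b"\0" + data.encode())
    digest0 = hashlib.md5(raw).hexdigest()
    return hashlib.md5((digest0 + secret).encode()).hexdigest()


def make_ticket(secret, ip, ts, uid, tokens="", data=""):
    """Cookie value a login script issues: digest + hex timestamp + payload."""
    payload = uid + "!" + (tokens + "!" if tokens else "") + data
    return tkt_digest(secret, ip, ts, uid, tokens, data) + "%08x" % ts + payload


def check_ticket(secret, ip, ticket):
    """Recompute the digest with this host's secret.

    Returns (ok, computed, presented); the two digests are the pair of
    values the error log prints when they differ.
    """
    presented, ts = ticket[:32], int(ticket[32:40], 16)
    parts = ticket[40:].split("!")  # assumes no '!' inside user data
    uid = parts[0]
    tokens = parts[1] if len(parts) == 3 else ""
    data = parts[-1] if len(parts) > 1 else ""
    computed = tkt_digest(secret, ip, ts, uid, tokens, data)
    return hmac.compare_digest(computed, presented), computed, presented


# Constructed values: two vhosts meant to share one secret, but they do not.
LOGIN_VHOST_SECRET = "constructed-secret-for-in.a"
PROTECTED_VHOST_SECRET = "constructed-secret-for-in.b"
TICKET = make_ticket(LOGIN_VHOST_SECRET, "0.0.0.0", 1207875015, "mario")

if __name__ == "__main__":
    for name, secret in (("login vhost", LOGIN_VHOST_SECRET),
                         ("protected vhost", PROTECTED_VHOST_SECRET)):
        ok, computed, presented = check_ticket(secret, "0.0.0.0", TICKET)
        print(f"{name}: valid={ok} digest '{computed}', ticket '{presented}'")
```

The same ticket validates only on the host whose secret matches the issuer's, which is why a single shared Include file for the secret removes the ambiguity.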




------------------------------

Message: 5
Date: Mon, 21 Apr 2008 19:47:33 +1000
From: Gavin Carr <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Seg Fault in rc3 in redirect function
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

Hi Carl,

Got some time to look at this today - comments below.

On Tue, Apr 08, 2008 at 09:49:38AM +0100, Carl Johnstone wrote:
> I've managed to generate a segmentation fault in mod_auth_tkt. I think I've 
> probably not quite got my configuration right - I don't want auth_tkt to 
> actually do an auth check, just to log the user if the ticket is valid.

That's not that unusual a config, and we certainly have explicit tests for 
this case in the test suite, so it should work fine.

> What I think is that because I don't have a login URL configured, when a 
> previously valid cookie times out the module tries to redirect to a NULL URL 
> which causes the fault.

Your backtrace isn't from the timeout case, it's from an initial connection
without a ticket, but the same segv is possible in the timeout case as well.
The segv is caused where you don't have a login url configured and the call to
setup_guest() fails for some reason. What I can't see at the moment is where 
that call is failing. I've added some code to prevent the segv, but
I need to understand why the setup_guest is failing too.

Could you please turn TKTAuthDebug on and send me the error log output from
just one request please? Also, can you confirm the behaviour you're seeing -
does this segfault every time, or is it only intermittent?

Cheers,
Gavin


> MODULE VERSION:
> 
> Installed using the 2.0.0rc3 rpm for x86_64 available on the web site.
> 
> CONFIG:
> 
>     TKTAuthGuestLogin on
>     TKTAuthIgnoreIP on
>     TKTAuthGuestUser -
>     # next setting to match cookie expiry in Cat config
>     TKTAuthTimeout 14days
> 
> 
> BACKTRACE:
> 
> #0  0x00002aaaac7eba60 in strchr () from /lib64/libc.so.6
> #1  0x00002aaab559341f in redirect (r=0x55555c491388, location=0x0) at 
> mod_auth_tkt.c:1110
> #2  0x00002aaab5593f80 in auth_tkt_check (r=0x55555c491388) at 
> mod_auth_tkt.c:1322
> #3  0x0000555555579582 in ap_run_check_user_id () from 
> /usr/sbin/httpd.worker
> #4  0x000055555557a797 in ap_process_request_internal () from 
> /usr/sbin/httpd.worker
> #5  0x000055555558bd28 in ap_process_request () from /usr/sbin/httpd.worker
> #6  0x0000555555588fc0 in ap_register_input_filter () from 
> /usr/sbin/httpd.worker
> #7  0x0000555555585422 in ap_run_process_connection () from 
> /usr/sbin/httpd.worker
> #8  0x0000555555590485 in ap_graceful_stop_signalled () from 
> /usr/sbin/httpd.worker
> #9  0x00002aaaac35d2f7 in start_thread () from /lib64/libpthread.so.0
> #10 0x00002aaaac84485d in clone () from /lib64/libc.so.6
> 
> 
> APACHE VERSION:
> 
> # /usr/sbin/httpd.worker -V
> Server version: Apache/2.2.3
> Server built:   Jan 11 2008 08:21:46
> Server's Module Magic Number: 20051115:3
> Server loaded:  APR 1.2.7, APR-Util 1.2.7
> Compiled using: APR 1.2.7, APR-Util 1.2.7
> Architecture:   64-bit
> Server MPM:     Worker
>   threaded:     yes (fixed thread count)
>     forked:     yes (variable process count)
> Server compiled with....
>  -D APACHE_MPM_DIR="server/mpm/worker"
>  -D APR_HAS_SENDFILE
>  -D APR_HAS_MMAP
>  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>  -D APR_USE_SYSVSEM_SERIALIZE
>  -D APR_USE_PTHREAD_SERIALIZE
>  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>  -D APR_HAS_OTHER_CHILD
>  -D AP_HAVE_RELIABLE_PIPED_LOGS
>  -D DYNAMIC_MODULE_LIMIT=128
>  -D HTTPD_ROOT="/etc/httpd"
>  -D SUEXEC_BIN="/usr/sbin/suexec"
>  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>  -D DEFAULT_ERRORLOG="logs/error_log"
>  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
>  -D SERVER_CONFIG_FILE="conf/httpd.conf"
> 

-- 
Gavin Carr
- http://www.openfusion.com.au - Linux, Perl, and Web Consulting
- http://www.openfusion.net    - Hackery, the Blog
* Fashion is a variable, but style is a constant - Programming Perl




------------------------------

Message: 6
Date: Fri, 25 Apr 2008 16:41:20 +0100
From: "Carl Johnstone" <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Seg Fault in rc3 in redirect function
To: <modauthtkt-users@lists.sourceforge.net>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
        reply-type=original

> Could you please turn TKTAuthDebug on and send me the error log output 
> from
> just one request please?

[ mod_auth_tkt config ]
URI: /news/
Filename: proxy:balancer://catalyst/news/
TKTAuthSecret: ***REMOVED***
directory: /
TKTAuthLoginURL: (null)
TKTAuthTimeoutURL: (null)
TKTAuthPostTimeoutURL: (null)
TKTAuthUnauthURL: (null)
TKTAuthCookieName: auth_tkt
TKTAuthDomain: (null)
TKTAuthCookieExpires: -1
TKTAuthBackCookieName: (null)
TKTAuthBackArgName: back
TKTAuthIgnoreIP: 1
TKTAuthRequireSSL: -1
TKTAuthCookieSecure: -1
TKTAuthTimeoutMin: 14
TKTAuthTimeoutRefresh: 0.500000
TKTAuthGuestLogin: 1
TKTAuthGuestCookie: -1
TKTAuthGuestUser: -
TKTAuthGuestFallback -1
TKTAuthDebug: 3


> Also, can you confirm the behaviour you're seeing -
> does this segfault every time, or is it only intermittent?

It works fine for a few requests, then segfaults continuously.

Looking at the TKTAuthDebug, there's no difference between a request that 
works and a request that segfaults.

Carl 




------------------------------

Message: 7
Date: Mon, 19 May 2008 12:42:35 -0400
From: Clifton Lee <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] TimeoutRefresh Paramter Not Working?
To: "'modauthtkt-users@lists.sourceforge.net'"
        <modauthtkt-users@lists.sourceforge.net>
Message-ID:
        <[EMAIL PROTECTED]>
        
Content-Type: text/plain; charset="us-ascii"

Hello all,
 
I am having problems where tickets appear to be timing out even though I
have set the TktAuthTimeoutRefresh parameter to 1.  
 
In short, I am running two servers:  a regular Apache server and a proxy
server, and I am using the mod_auth_tkt  (2.0.0b7) on them.  I've also
included a copy of the configurations set for both my proxy server and web
server.  Users are able to get to my secure URL up until 30 minutes and then
at 31 minutes, they are redirected to the LoginURL.  Has anyone seen this
type of behavior before or can tell me what in my config files are causing
this? 
 
Thanks,
Cliff Lee
 
PROXY Configuration
    <Location /some_example_url>
      AuthName "Organization Name"
      AuthType Basic
      TKTAuthIgnoreIP On
      TKTAuthCookieSecure Off
      TKTAuthCookieName mydomain
      TKTAuthLoginURL   https://sampledomain.com/index.html?rm=not_logged_in
      TKTAuthUnauthURL  https://sampledomain.com/index.html?rm=forbidden
      TKTAuthTimeoutURL https://sampledomain.com/index.html?rm=timeout
      TKTAuthToken XX
      TKTAuthTimeoutMin 30
      TKTAuthTimeoutRefresh 1.00
      Require valid-user
    </Location>
 

WEB Configuration
<Location /some_example_url>
  AuthName "Organization Name"
  AuthType Basic
  TKTAuthIgnoreIP On
  TKTAuthCookieName mydomain
  # will need to be ssl
  TKTAuthLoginURL   https://sampledomain.com/?rm=not_logged_in
  TKTAuthUnauthURL  https://sampledomain.com/?rm=forbidden
  TKTAuthTimeoutURL https://sampledomain.com/?rm=timeout
  TKTAuthToken CC
  TKTAuthTimeoutMin 30
  TKTAuthTimeoutRefresh 1.0
  TKTAuthCookieSecure Off
  Require valid-user
</Location>



End of modauthtkt-users Digest, Vol 18, Issue 1
***********************************************
