Send modauthtkt-users mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
or, via email, send a message with subject or body 'help' to
[EMAIL PROTECTED]
You can reach the person managing the list at
[EMAIL PROTECTED]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of modauthtkt-users digest..."
Today's Topics:
1. Re: patch to check X-Forwarded-For IP address (Carl Johnstone)
2. Redirects.. (Mário Lopes)
3. Re: Redirects.. (Mário Lopes)
4. Re: Redirects.. (Peter Karman)
5. Re: Redirects.. (Gavin Carr)
6. Re: Avoiding fallback to apache basic auth ... (Charlie Brady)
7. Re: Avoiding fallback to apache basic auth ... (Charlie Brady)
8. Re: Redirects.. (Mário Lopes)
----------------------------------------------------------------------
Message: 1
Date: Thu, 9 Oct 2008 11:14:11 +0100
From: "Carl Johnstone" <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] patch to check X-Forwarded-For IP
address
To: "Peter Karman" <[EMAIL PROTECTED]>
Cc: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
reply-type=original
From: "Peter Karman"
> Took me awhile to figure out that running the auth on the backend server
> in a reverse proxy set up was not working because it wasn't getting the
> IP address to check from the right place. This seems to fix the issue.
> Note that it does not address the case where there are multiple proxies
> involved.
You can't blindly take the IP from the X-Forwarded-For HTTP header.
Non-proxied clients can be sent a request which includes a spoofed IP; they
will then take the IP from the header. So you can pretend to be from any IP
which makes IP checking useless. (A security flaw?)
The best way of dealing with this situation is through a configuration
setting, so that if you are behind a proxy you turn on the option that then
checks the header.
Carl
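Carl's point in code, as an added example that is not part of mod_auth_tkt or of this thread: a proxy-aware client-address lookup that believes X-Forwarded-For only when the TCP peer is one of an explicitly configured set of trusted reverse proxies, walks the header from the right past further trusted hops, and otherwise ignores the header and uses the peer address. The trusted-proxy list, the function names and the sample addresses are assumptions for illustration; the multi-proxy handling goes beyond the single-proxy case Peter's patch targets.

```c
/* Added example (not mod_auth_tkt code): derive the client address the way a
 * proxy-aware auth check should, so that a spoofed X-Forwarded-For header
 * sent by a directly connected client cannot impersonate another address.
 * Assumption: the trusted reverse-proxy addresses are configured explicitly
 * (here a plain string array); nothing in the header is believed unless it
 * was appended by one of those proxies. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_HOPS 16
#define IP_LEN   64

static int is_trusted(const char *ip, const char *const *trusted, size_t ntrusted)
{
    for (size_t i = 0; i < ntrusted; i++)
        if (strcmp(ip, trusted[i]) == 0) return 1;
    return 0;
}

/* Split "a, b ,c" into trimmed entries (leftmost first); returns the count. */
static size_t split_xff(const char *xff, char hops[][IP_LEN], size_t max)
{
    size_t n = 0;
    if (!xff) return 0;
    while (*xff && n < max) {
        while (*xff == ' ' || *xff == '\t' || *xff == ',') xff++;
        if (!*xff) break;
        const char *start = xff;
        while (*xff && *xff != ',') xff++;
        const char *end = xff;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;
        size_t len = (size_t)(end - start);
        if (len >= IP_LEN) len = IP_LEN - 1;
        memcpy(hops[n], start, len);
        hops[n][len] = '\0';
        n++;
    }
    return n;
}

/* Returns the address an IP-bound ticket check should compare against.
 * - Peer is not a trusted proxy: the header is ignored entirely (this is
 *   the spoofing case; the peer address is the only thing we can trust).
 * - Peer is trusted: walk the header right to left, skipping trusted
 *   proxies; the first untrusted address is the client.
 * - Every hop trusted: the leftmost entry is all we have. */
const char *client_ip(const char *remote_addr, const char *xff,
                      const char *const *trusted, size_t ntrusted,
                      char *out, size_t outlen)
{
    char hops[MAX_HOPS][IP_LEN];
    size_t n;

    if (!is_trusted(remote_addr, trusted, ntrusted)) {
        snprintf(out, outlen, "%s", remote_addr);
        return out;
    }
    n = split_xff(xff, hops, MAX_HOPS);
    if (n == 0) {
        snprintf(out, outlen, "%s", remote_addr);
        return out;
    }
    for (size_t i = n; i-- > 0; ) {
        if (!is_trusted(hops[i], trusted, ntrusted)) {
            snprintf(out, outlen, "%s", hops[i]);
            return out;
        }
    }
    snprintf(out, outlen, "%s", hops[0]);
    return out;
}

int main(void)
{
    /* Constructed sample data: two assumed reverse proxies. */
    static const char *const proxies[] = { "10.0.0.1", "10.0.0.2" };
    char buf[IP_LEN];

    /* Direct client forging the header: header must be ignored. */
    printf("%s\n", client_ip("203.0.113.9", "198.51.100.7", proxies, 2, buf, sizeof buf));
    /* Behind one trusted proxy: header is authoritative. */
    printf("%s\n", client_ip("10.0.0.1", "198.51.100.7", proxies, 2, buf, sizeof buf));
    /* Two proxies, and the client prepended a bogus hop of its own. */
    printf("%s\n", client_ip("10.0.0.1", "1.2.3.4, 198.51.100.7, 10.0.0.2", proxies, 2, buf, sizeof buf));
    return 0;
}
```

The first call prints the peer address, not the forged header value; the third prints 198.51.100.7, because the hop the client added sits to the left of the last untrusted address and is never reached. Whether the header is consulted at all is a deployment decision, which is the configuration switch Carl asks for.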
------------------------------
Message: 2
Date: Mon, 13 Oct 2008 17:01:43 +0100
From: Mário Lopes <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] Redirects..
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed; delsp=yes
Hi,
I've set up modauth-tkt with a login domain (intra.website.com) and
several subdomains (svn.intra.website.com, etc..). The TKTAuthDomain
is set to .intra.website.com and the cookie is being properly set. But
when it times out, it enters a redirect loop. I have to manually
delete the auth-tkt cookie so it asks for login again.
Any ideas on what could be the cause for such behavior?
Thanks.
Mário
------------------------------
Message: 3
Date: Tue, 21 Oct 2008 12:34:30 +0100
From: Mário Lopes <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Redirects..
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed; delsp=yes
On Oct 14, 2008, at 1:48 AM, Peter Karman wrote:
> Mário Lopes wrote on 10/13/08 11:01 AM:
>> Hi,
>>
>> I've set up modauth-tkt with a login domain (intra.website.com) and
>> several subdomains (svn.intra.website.com, etc..). The TKTAuthDomain
>> is set to .intra.website.com and the cookie is being properly set.
>> But
>> when it times out, it enters a redirect loop. I have to manually
>> delete the auth-tkt cookie so it asks for login again.
>>
>> Any ideas on what could be the cause for such behavior?
>>
>
> without seeing your apache config, it's anyone's guess.
You're right.
This is the apache config file for the login domain:
<VirtualHost intra.website.com:80>
    ServerName intra.website.com
    DocumentRoot /var/www/intra-login
    LogLevel Debug
    Include auth_tkt.conf
    Alias /login "/var/www/intra-login/"
    <Location /login>
        Options +ExecCGI +FollowSymLinks -Indexes
        AddHandler cgi-script .cgi
        TKTAuthTimeout 0
        TKTAuthDomain .intra.website.com
    </Location>
</VirtualHost>
This is the apache config file for the other subdomains:
<VirtualHost trac.intra.website.com:80>
    ServerName trac.intra.website.com
    Include auth_tkt.conf
    <Location />
        SetHandler mod_python
        PythonHandler trac.web.modpython_frontend
        PythonOption TracEnvParentDir /opt/trac
        PythonOption TracUriRoot /
        AuthType Basic
        TKTAuthLoginURL http://intra.website.com/login/autologin.cgi
        TKTAuthTimeout 0
        TKTAuthDomain .intra.website.com
        require valid-user
    </Location>
</VirtualHost>
It works fine for a couple of hours and then it starts bouncing around
between the login domain and the referrer domain.
Any ideas?
Much appreciated.
Mário
------------------------------
Message: 4
Date: Tue, 21 Oct 2008 11:34:34 -0500
From: Peter Karman <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Redirects..
To: Mário Lopes <[EMAIL PROTECTED]>
Cc: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=UTF-8
Mário Lopes wrote on 10/21/2008 06:34 AM:
> On Oct 14, 2008, at 1:48 AM, Peter Karman wrote:
>
>> Mário Lopes wrote on 10/13/08 11:01 AM:
>>> Hi,
>>>
>>> I've set up modauth-tkt with a login domain (intra.website.com) and
>>> several subdomains (svn.intra.website.com, etc..). The TKTAuthDomain
>>> is set to .intra.website.com and the cookie is being properly set.
>>> But
>>> when it times out, it enters a redirect loop. I have to manually
>>> delete the auth-tkt cookie so it asks for login again.
>>>
>>> Any ideas on what could be the cause for such behavior?
>>>
>> without seeing your apache config, it's anyone's guess.
>
> You're right.
>
> This is the apache config file for the login domain:
> TKTAuthTimeout 0
> TKTAuthTimeout 0
Not sure if it's the culprit (I doubt it in fact), but I find those
timeout values suspicious. Maybe set them for a week or two instead of
turning it off, and/or use TKTAuthTimeoutRefresh
--
Peter Karman . [EMAIL PROTECTED] . http://peknet.com/
------------------------------
Message: 5
Date: Wed, 22 Oct 2008 09:52:42 +1100
From: Gavin Carr <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Redirects..
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii
On Tue, Oct 21, 2008 at 11:34:34AM -0500, Peter Karman wrote:
> Mário Lopes wrote on 10/21/2008 06:34 AM:
> > On Oct 14, 2008, at 1:48 AM, Peter Karman wrote:
> >
> >> Mário Lopes wrote on 10/13/08 11:01 AM:
> >>> Hi,
> >>>
> >>> I've set up modauth-tkt with a login domain (intra.website.com) and
> >>> several subdomains (svn.intra.website.com, etc..). The TKTAuthDomain
> >>> is set to .intra.website.com and the cookie is being properly set.
> >>> But
> >>> when it times out, it enters a redirect loop. I have to manually
> >>> delete the auth-tkt cookie so it asks for login again.
> >>>
> >>> Any ideas on what could be the cause for such behavior?
> >>>
> >> without seeing your apache config, it's anyone's guess.
> >
> > You're right.
> >
> > This is the apache config file for the login domain:
>
> > TKTAuthTimeout 0
>
>
> > TKTAuthTimeout 0
>
> Not sure if its the culprit (I doubt it in fact), but I find those
> timeout values suspicious. Maybe set them for a week or two instead of
> turning it off, and/or use TKTAuthTimeoutRefresh
My suspicion would be the same as Peter's - since "TktAuthTimeout 0" allows
replay attacks, it probably hasn't been tested much.
Try setting the timeout to 5m and see if everything works correctly after
the ticket has timed out (i.e. do you still get redirect loops then, or not?).
If not, then reconfirm it's still happening with "TKTAuthTimeout 0" and
post back here, and we'll investigate.
Cheers,
Gavin
------------------------------
Message: 6
Date: Mon, 27 Oct 2008 10:12:48 -0400 (EDT)
From: Charlie Brady <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Avoiding fallback to apache basic auth
...
To: Gavin Carr <[EMAIL PROTECTED]>
Cc: [email protected]
Message-ID:
<[EMAIL PROTECTED]>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Sat, 19 Jul 2008, Gavin Carr wrote:
> On Wed, Jul 16, 2008 at 04:03:34PM -0400, Charlie Brady wrote:
>>
>> I have a situation where a user has a valid ticket, but they don't satisfy
>> "require user xxx" for the location they are accessing. I would like to
>> display a 403 page at that stage, but instead the browser pops up a basic
>> auth login popup.
>>
>> Is there a way to disable that, or to configure apache so that doesn't
>> occur?
>
> This has been on my nice-to-have list for ever, but I don't know of
> any way to do it atm. I suspect that mod_auth_tkt isn't handling enough
> of the Basic Authentication handshaking for apache in this case, and so
> the builtin logic takes over.
>
> Patches welcome.
I think that what's required is an authorization check callback, which
would be something like cut and paste from check_user_access() in
modules/aaa/mod_auth.c.
---
Charlie
------------------------------
Message: 7
Date: Mon, 27 Oct 2008 16:15:39 -0400 (EDT)
From: Charlie Brady <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Avoiding fallback to apache basic auth
...
To: Gavin Carr <[EMAIL PROTECTED]>
Cc: [email protected]
Message-ID:
<[EMAIL PROTECTED]>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Mon, 27 Oct 2008, Charlie Brady wrote:
> On Sat, 19 Jul 2008, Gavin Carr wrote:
>
>> This has been on my nice-to-have list for ever, but I don't know of
>> any way to do it atm. I suspect that mod_auth_tkt isn't handling enough
>> of the Basic Authentication handshaking for apache in this case, and so
>> the builtin logic takes over.
>>
>> Patches welcome.
>
> I think that what's required is an authorization check callback, which
> would be something like cut and paste from check_user_access() in
> modules/aaa/mod_auth.c.
This seems to work for me (although you might want to have a
configuration item which toggles between HTTP_FORBIDDEN and
HTTP_UNAUTHORIZED, so that the current fallthrough behaviour is
available, if desired):
diff -Nur -x '*.orig' -x '*.rej' mod_auth_tkt-2.0.0rc3/src/mod_auth_tkt.c
mezzanine_patched_mod_auth_tkt-2.0.0rc3/src/mod_auth_tkt.c
--- mod_auth_tkt-2.0.0rc3/src/mod_auth_tkt.c 2008-03-03 17:04:55.000000000
-0500
+++ mezzanine_patched_mod_auth_tkt-2.0.0rc3/src/mod_auth_tkt.c 2008-10-27
10:40:16.170695000 -0400
@@ -1368,6 +1368,58 @@
return OK;
}
+static int check_user_access(request_rec *r)
+{
+ char *user = r->user;
+ int m = r->method_number;
+ register int x;
+ const char *t, *w;
+ apr_table_t *grpstatus;
+ const apr_array_header_t *reqs_arr = ap_requires(r);
+ require_line *reqs;
+
+ /* BUG FIX: tadc, 11-Nov-1995. If there is no "requires" directive,
+ * * then any user will do.
+ * */
+ if (!reqs_arr) {
+ return OK;
+ }
+ reqs = (require_line *)reqs_arr->elts;
+
+ grpstatus = NULL;
+
+ for (x = 0; x < reqs_arr->nelts; x++) {
+
+ if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
+ continue;
+ }
+
+ t = reqs[x].requirement;
+ w = ap_getword_white(r->pool, &t);
+ if (!strcmp(w, "valid-user")) {
+ return OK;
+ }
+ if (!strcmp(w, "user")) {
+ while (t[0]) {
+ w = ap_getword_conf(r->pool, &t);
+ if (!strcmp(user, w)) {
+ return OK;
+ }
+ }
+ }
+ else if (!strcmp(w, "group")) {
+ return DECLINED; /* require group not supported */
+ }
+ }
+
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "access to %s failed, reason: user %s not allowed access",
+ r->uri, user);
+
+ ap_note_basic_auth_failure(r);
+ return HTTP_FORBIDDEN;
+}
+
/* ----------------------------------------------------------------------- */
/* Setup main module data structure */
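Review bot: the `ap_note_basic_auth_failure(r)` call immediately before `return HTTP_FORBIDDEN;` works against the purpose of the patch: it adds the WWW-Authenticate challenge header, which is what a 401 needs and a 403 does not, so drop it here (or move it onto the HTTP_UNAUTHORIZED branch of the toggle proposed in the message). Two smaller points in the same function: the `require group` branch returns DECLINED, which hands the decision back to Apache's built-in authorization and so reproduces the Basic-auth fall-through for exactly that case, so either document that or treat it as forbidden too; and `user` is passed straight to `strcmp(user, w)` with no NULL check while `grpstatus` is assigned NULL and never read, so add `if (!user) return HTTP_FORBIDDEN;` near the top and delete the unused variable.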
@@ -1385,7 +1437,7 @@
NULL, /* handlers */
NULL, /* filename translation */
auth_tkt_check, /* check user_id */
- NULL, /* check auth */
+ check_user_access, /* check auth */
NULL, /* check access */
NULL, /* type_checker */
NULL, /* fixups */
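Review bot: filling the `check auth` slot makes the new checker unconditional for every directory in which the module is loaded, so the 403 behaviour replaces the current fall-through for all users of the module, not only those who want it. Since the covering message already proposes a toggle between HTTP_FORBIDDEN and HTTP_UNAUTHORIZED, that directive should land in the same patch, default to the existing behaviour, and be documented with the other TKTAuth* directives; otherwise the change is invisible in the configuration.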
@@ -1405,6 +1457,7 @@
{
ap_hook_post_config(auth_tkt_version, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_check_user_id(auth_tkt_check, NULL, NULL, APR_HOOK_FIRST);
+ ap_hook_auth_checker(check_user_access,NULL,NULL, APR_HOOK_FIRST);
}
/* Declare and populate the main module data structure */
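Review bot: registering with APR_HOOK_FIRST runs `check_user_access` ahead of every other authorization module, and the function never checks that mod_auth_tkt is active for the request or that `r->user` came from `auth_tkt_check`, so a location protected by a different auth module, or one whose `require` lines use a type this function does not understand (`group`, or any requirement owned by another module), is rejected with 403 before the responsible module sees it; return DECLINED early when the per-directory tkt configuration is not enabled, or register with APR_HOOK_MIDDLE so the module's checker does not pre-empt the others. Against the "tested only with apache 1.3.x" remark below: `ap_hook_auth_checker`, `apr_array_header_t`, `apr_table_t` and `r->user` are Apache 2.x APIs and the patch adds no version guard, so the 1.3 claim needs rechecking.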
Tested only with apache 1.3.x so far.
------------------------------
Message: 8
Date: Tue, 28 Oct 2008 11:16:18 +0000
From: Mário Lopes <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Redirects..
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed; delsp=yes
Ok, I've changed the TktAuthTimeout to 7d and then to 100h and it's
still entering a redirect loop. Any thoughts?
Thanks in advance,
Mário
On Oct 21, 2008, at 11:52 PM, Gavin Carr wrote:
> On Tue, Oct 21, 2008 at 11:34:34AM -0500, Peter Karman wrote:
>> Mário Lopes wrote on 10/21/2008 06:34 AM:
>>> On Oct 14, 2008, at 1:48 AM, Peter Karman wrote:
>>>
>>>> Mário Lopes wrote on 10/13/08 11:01 AM:
>>>>> Hi,
>>>>>
>>>>> I've set up modauth-tkt with a login domain (intra.website.com)
>>>>> and
>>>>> several subdomains (svn.intra.website.com, etc..). The
>>>>> TKTAuthDomain
>>>>> is set to .intra.website.com and the cookie is being properly set.
>>>>> But
>>>>> when it times out, it enters a redirect loop. I have to
>>>>> manually
>>>>> delete the auth-tkt cookie so it asks for login again.
>>>>>
>>>>> Any ideas on what could be the cause for such behavior?
>>>>>
>>>> without seeing your apache config, it's anyone's guess.
>>>
>>> You're right.
>>>
>>> This is the apache config file for the login domain:
>>
>>> TKTAuthTimeout 0
>>
>>
>>> TKTAuthTimeout 0
>>
>> Not sure if its the culprit (I doubt it in fact), but I find those
>> timeout values suspicious. Maybe set them for a week or two instead
>> of
>> turning it off, and/or use TKTAuthTimeoutRefresh
>
> My suspicion would be the same as Peter's - since "TktAuthTimeout 0"
> allows
> replay attacks, it probably hasn't been tested much.
>
> Try setting the timeout to 5m and see if everything works correctly
> after
> the ticket has timed out (i.e. do you still get redirect loops then,
> or not?).
>
> If not, then reconfirm it's still happening with "TKTAuthTimeout 0"
> and
> post back here, and we'll investigate.
>
> Cheers,
> Gavin
------------------------------
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
------------------------------
_______________________________________________
modauthtkt-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
End of modauthtkt-users Digest, Vol 20, Issue 2
***********************************************