Send modauthtkt-users mailing list submissions to
        modauthtkt-users@lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
or, via email, send a message with subject or body 'help' to
        [EMAIL PROTECTED]

You can reach the person managing the list at
        [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of modauthtkt-users digest..."


Today's Topics:

   1. Re: Redirects.. (Mário Lopes)
   2. invalid chars in tokens (Peter Karman)
   3. Re: invalid chars in tokens (Gavin Carr)
   4. Re: invalid chars in tokens (Peter Karman)
   5. Re: invalid chars in tokens (Steven Bakker)
   6. Re: Redirects.. (Mário Lopes)
   7. Re: Redirects.. (Peter Karman)


----------------------------------------------------------------------

Message: 1
Date: Tue, 28 Oct 2008 11:16:18 +0000
From: Mário Lopes <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Redirects..
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed; delsp=yes

Ok, I've changed the TktAuthTimeout to 7d and then to 100h and it's still
entering a redirect loop. Any thoughts?

Thanks in advance,

Mário

On Oct 21, 2008, at 11:52 PM, Gavin Carr wrote:

> On Tue, Oct 21, 2008 at 11:34:34AM -0500, Peter Karman wrote:
>> Mário Lopes wrote on 10/21/2008 06:34 AM:
>>> On Oct 14, 2008, at 1:48 AM, Peter Karman wrote:
>>>
>>>> Mário Lopes wrote on 10/13/08 11:01 AM:
>>>>> Hi,
>>>>>
>>>>> I've set up modauth-tkt with a login domain (intra.website.com) and
>>>>> several subdomains (svn.intra.website.com, etc..). The TKTAuthDomain
>>>>> is set to .intra.website.com and the cookie is being properly set. But
>>>>> when it times out, it enters a redirect loop. I have to manually
>>>>> delete the auth-tkt cookie so it asks for login again.
>>>>>
>>>>> Any ideas on what could be the cause for such behavior?
>>>>>
>>>> without seeing your apache config, it's anyone's guess.
>>>
>>> You're right.
>>>
>>> This is the apache config file for the login domain:
>>
>>>                 TKTAuthTimeout 0
>>
>>
>>>                 TKTAuthTimeout 0
>>
>> Not sure if it's the culprit (I doubt it in fact), but I find those
>> timeout values suspicious. Maybe set them for a week or two instead of
>> turning it off, and/or use TKTAuthTimeoutRefresh
>
> My suspicion would be the same as Peter's - since "TktAuthTimeout 0" allows
> replay attacks, it probably hasn't been tested much.
>
> Try setting the timeout to 5m and see if everything works correctly after
> the ticket has timed out (i.e. do you still get redirect loops then, or not?).
>
> If not, then reconfirm it's still happening with "TKTAuthTimeout 0" and
> post back here, and we'll investigate.
>
> Cheers,
> Gavin
>




------------------------------

Message: 2
Date: Mon, 03 Nov 2008 11:38:04 -0600
From: Peter Karman <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] invalid chars in tokens
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=UTF-8

I ran across an issue this morning where tickets were not being
generated because I had a token that used an email address. I tracked it
down to a check in Apache::AuthTkt that screens for invalid chars.

In the short term, I removed the '@' from the blacklist of chars, but I
wanted to know (a) if I've introduced another bug (or worse, a security
hole) and (b) why the invalid char check exists in the first place.

--- Apache/AuthTkt.pm   (revision 527)
+++ Apache/AuthTkt.pm   (working copy)
@@ -201,7 +201,7 @@
         $self->errstr("invalid ip_addr '$arg{ip_addr}'");
         return undef;
     }
-    if ($arg{tokens} =~ m/[EMAIL PROTECTED]&*\];\s]/) {
+    if ($arg{tokens} =~ m/[!#\$%^&*\];\s]/) {
         $self->errstr("invalid chars in tokens '$arg{tokens}'");
         return undef;
     }
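Review bot: the removed line of this hunk has been scrubbed by the archive's address filter ("[EMAIL PROTECTED]" stands where the original character class began), so the diff alone shows only the new class `[!#\$%^&*\];\s]`; the message body, not the hunk, is the record that '@' is the single character dropped, and the commit should say so. The test is a denylist: any character not in the class (the ',' and ':' that `user:joe`-style tokens rely on, but equally anything else nobody thought of) is accepted by default, so either each listed character should carry a comment naming the separator or escaping problem it guards against, or the test should be inverted into an allowlist of permitted characters, which is easier to audit and is what "simple identifiers" implies. Note also that `errstr` interpolates the rejected `$arg{tokens}` verbatim, so the offending characters travel into whatever logs or pages that string reaches.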

-- 
Peter Karman  .  [EMAIL PROTECTED]  .  http://peknet.com/




------------------------------

Message: 3
Date: Fri, 7 Nov 2008 12:35:40 +1100
From: Gavin Carr <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] invalid chars in tokens
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

Hi Peter,

On Mon, Nov 03, 2008 at 11:38:04AM -0600, Peter Karman wrote:
> I ran across an issue this morning where tickets were not being
> generated because I had a token that used an email address. I tracked it
> down to a check in Apache::AuthTkt that screens for invalid chars.
> 
> In the short term, I removed the '@' from the blacklist of chars, but I
> wanted to know (a) if I've introduced another bug (or worse, a security
> hole) and (b) why the invalid char check exists in the first place.

From memory the intention was to just have tokens be simple identifiers
to avoid having to worry about any escaping issues, and because I wasn't
sure we needed anything more.

Why are you using an email address as a token, if you don't mind me asking?

FWIW, off the top of my head I can't see your allowing '@' would break 
anything or be a security issue though.

Cheers,
Gavin 




------------------------------

Message: 4
Date: Thu, 06 Nov 2008 20:25:56 -0600
From: Peter Karman <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] invalid chars in tokens
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1

Gavin Carr wrote on 11/6/08 7:35 PM:
> Hi Peter,
> 
> On Mon, Nov 03, 2008 at 11:38:04AM -0600, Peter Karman wrote:
>> I ran across an issue this morning where tickets were not being
>> generated because I had a token that used an email address. I tracked it
>> down to a check in Apache::AuthTkt that screens for invalid chars.
>>
>> In the short term, I removed the '@' from the blacklist of chars, but I
>> wanted to know (a) if I've introduced another bug (or worse, a security
>> hole) and (b) why the invalid char check exists in the first place.
> 
> From memory the intention was to just have tokens be simple identifiers
> to avoid having to worry about any escaping issues, and because I wasn't
> sure we needed anything more.
> 
> Why are you using an email address as a token, if you don't mind me asking?
> 

I do this:

 tokens  => join( ',', 'user:' . $username, get_user_groups($username) ),

which lets me do this in my config:

 TKTAuthToken foo bar user:joe

to make it easy to mix user names and group names both for authorization. I know
I could use apache's "require user" (or whatever that config is) but
TKTAuthToken is nice because it keeps all the authz under a single config name.

So I have just started using email addresses as usernames in a particular app,
and that's when I discovered that the '@' was causing the ticket creation to 
break.


> FWIW, off the top of my head I can't see your allowing '@' would break 
> anything or be a security issue though.

cool. thanks. maybe consider removing the '@' in a future CPAN release?

-- 
Peter Karman  .  http://peknet.com/  .  [EMAIL PROTECTED]



------------------------------

Message: 5
Date: Mon, 10 Nov 2008 09:12:09 +0100
From: Steven Bakker <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] invalid chars in tokens
To: Gavin Carr <[EMAIL PROTECTED]>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain

On Fri, 2008-11-07 at 12:35 +1100, Gavin Carr wrote:

> From memory the intention was to just have tokens be simple identifiers
> to avoid having to worry about any escaping issues, and because I wasn't
> sure we needed anything more.

But wouldn't it be better to change the test then?

        $arg{tokens} =~ m/[^\w+]/

Or:

        $arg{tokens} =~ m/\W/

This might catch some >0177 characters as well (mind you, it would only
allow [a-z], [A-Z], [0-9] and "_", but then, that's what an identifier
is usually defined as, right?).

If you want to include "identifier" characters and a few more, you could
use the first test above and write:

        $arg{tokens} =~ m/[EMAIL PROTECTED]/

Cheers,
Steven

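The token checks discussed in this thread, side by side, as an added Python example (it is not Apache::AuthTkt's code, which is Perl): the patched denylist from Peter's diff, Steven's `m/\W/` identifier-only test, and an extended allowlist of my own (an assumption, not something the thread proposes) that admits the '@', '.', ':' and ',' that Peter's `user:joe@example.com,group` token strings need. It also shows why a separator such as '!' has to be rejected whichever style is used: mod_auth_tkt lays the clear-text part of a ticket out as `uid!tokens!data`, so a '!' inside a token makes the fields ambiguous when the ticket is parsed again. The sample token strings are constructed.

```python
import re

# Denylist as in the patched Apache::AuthTkt check, with '@' already dropped.
# Perl m/[!#\$%^&*\];\s]/ rendered as a Python pattern; \s covers whitespace.
DENYLIST = re.compile(r"[!#$%^&*\];\s]")

# Steven's m/\W/: anything outside [A-Za-z0-9_] rejects.  re.ASCII keeps \w
# to ASCII, which is the ">0177" concern raised in the thread.
IDENTIFIER_ONLY = re.compile(r"\W", re.ASCII)

# Assumed extension (mine, not from the thread): identifier characters plus
# exactly the punctuation Peter's "user:joe@example.com,group" strings need.
# ',' is the token separator and ':' is Peter's own prefix convention.
IDENTIFIER_PLUS = re.compile(r"[^\w@.:,+-]", re.ASCII)


def denylist_ok(tokens: str) -> bool:
    """True when none of the denylisted characters appears (patched check)."""
    return DENYLIST.search(tokens) is None


def allowlist_ok(tokens: str, pattern: re.Pattern = IDENTIFIER_PLUS) -> bool:
    """True when every character is permitted by the allowlist pattern."""
    return pattern.search(tokens) is None


def clear_fields(uid: str, tokens: str, data: str) -> str:
    """Clear-text tail of a mod_auth_tkt ticket, laid out as uid!tokens!data.
    The digest and hex timestamp that precede it in a real ticket are omitted."""
    return f"{uid}!{tokens}!{data}"


def split_fields(clear: str) -> tuple:
    """Split the clear-text tail back into its three fields on the first two
    '!' characters, the way a consumer of the ticket has to."""
    uid, tokens, data = clear.split("!", 2)
    return uid, tokens, data


def round_trips(uid: str, tokens: str, data: str) -> bool:
    """Does serialising and then parsing give back the same three fields?"""
    return split_fields(clear_fields(uid, tokens, data)) == (uid, tokens, data)


# Constructed token strings modelled on Peter's join(',', 'user:'.$u, groups).
# The value is whether both the denylist and the extended allowlist accept it.
SAMPLES = {
    "user:joe,staff": True,               # plain identifiers, passes every check
    "user:joe@example.com,staff": True,   # Peter's case: '@' and '.' must pass
    "staff admin": False,                 # whitespace: a second token sneaks in
    "staff!admin": False,                 # '!' collides with the field separator
}


def evaluate(tokens: str) -> dict:
    """Run one token string through both checks and the round-trip test."""
    return {
        "denylist": denylist_ok(tokens),
        "allowlist": allowlist_ok(tokens),
        "identifier_only": allowlist_ok(tokens, IDENTIFIER_ONLY),
        "round_trip": round_trips("joe", tokens, "role=editor"),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        r = evaluate(sample)
        print(f"{sample!r:30} denylist={r['denylist']!s:5} "
              f"allowlist={r['allowlist']!s:5} "
              f"identifier_only={r['identifier_only']!s:5} "
              f"round_trip={r['round_trip']}")
```

The identifier-only test rejects every one of Peter's token strings because of the ':' and ',' they carry, which is why a pure `\W` check is not a drop-in replacement for him; the extended allowlist accepts exactly the same samples as the patched denylist here, but it states what is permitted rather than what someone remembered to forbid. The round-trip column is the argument for keeping '!' out whichever way the test is written: "staff!admin" serialises fine but parses back with the data field starting at "admin".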



------------------------------

Message: 6
Date: Fri, 28 Nov 2008 11:10:12 +0000
From: Mário Lopes <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Redirects..
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed; delsp=yes

Ok, I think I figured out where the bug is coming from. The cookie isn't being
set with an expiration date and it should match the AuthTimeout (now set to
600m), no? Any ideas why?

Thanks in advance.

Mário

On Oct 21, 2008, at 12:34 PM, Mário Lopes wrote:

>
> On Oct 14, 2008, at 1:48 AM, Peter Karman wrote:
>
>> Mário Lopes wrote on 10/13/08 11:01 AM:
>>> Hi,
>>>
>>> I've set up modauth-tkt with a login domain (intra.website.com) and
>>> several subdomains (svn.intra.website.com, etc..). The TKTAuthDomain
>>> is set to .intra.website.com and the cookie is being properly set. But
>>> when it times out, it enters a redirect loop. I have to manually
>>> delete the auth-tkt cookie so it asks for login again.
>>>
>>> Any ideas on what could be the cause for such behavior?
>>>
>>
>> without seeing your apache config, it's anyone's guess.
>
> You're right.
>
> This is the apache config file for the login domain:
>
> <VirtualHost intra.website.com:80>
>        ServerName intra.website.com
>        DocumentRoot /var/www/intra-login
>        LogLevel Debug
>
>        Include auth_tkt.conf
>
>        Alias /login "/var/www/intra-login/"
>        <Location /login>
>                Options +ExecCGI +FollowSymLinks -Indexes
>                AddHandler cgi-script .cgi
>
>                TKTAuthTimeout 0
>                TKTAuthDomain .intra.website.com
>        </Location>
> </VirtualHost>
>
> This is the apache config file for the other subdomains:
>
> <VirtualHost trac.intra.website.com:80>
>        ServerName trac.intra.website.com
>
>        Include auth_tkt.conf
>
>        <Location />
>                SetHandler mod_python
>                PythonHandler trac.web.modpython_frontend
>                PythonOption TracEnvParentDir /opt/trac
>                PythonOption TracUriRoot /
>                AuthType Basic
>                TKTAuthLoginURL http://intra.website.com/login/autologin.cgi
>                TKTAuthTimeout 0
>                TKTAuthDomain .intra.website.com
>                require valid-user
>        </Location>
> </VirtualHost>
>
> It works fine for a couple of hours and then it starts bouncing around
> between the login domain and the referrer domain.
>
> Any ideas?
>
> Much appreciated.
>
> Mário




------------------------------

Message: 7
Date: Tue, 02 Dec 2008 20:20:31 -0600
From: Peter Karman <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Redirects..
To: Mário Lopes <[EMAIL PROTECTED]>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1

Mário Lopes wrote on 11/28/08 5:10 AM:
> Ok, I think I figured out where the bug is coming from. The cookie isn't
> being set with an expiration date and it should match the AuthTimeout (now
> set to 600m), no? Any ideas why?
> 

>>                TKTAuthLoginURL http://intra.website.com/login/autologin.cgi
>>                TKTAuthTimeout 0

what does autologin.cgi look like? I suspect your answer lies there.

-- 
Peter Karman  .  http://peknet.com/  .  [EMAIL PROTECTED]



------------------------------

------------------------------



End of modauthtkt-users Digest, Vol 21, Issue 1
***********************************************
