Send modauthtkt-users mailing list submissions to
        modauthtkt-users@lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
or, via email, send a message with subject or body 'help' to
        modauthtkt-users-requ...@lists.sourceforge.net

You can reach the person managing the list at
        modauthtkt-users-ow...@lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of modauthtkt-users digest..."


Today's Topics:

   1. Re: Redirects.. (Gavin Carr)
   2. Avoiding fallback to apache basic auth ... (Laurent)
   3. mod_auth_tkt md5 -> sha-1 (?) (Christian Folini)
   4. Re: Redirects.. (Mário Lopes)
   5. Re: mod_auth_tkt md5 -> sha-1 (?) (Peter Karman)
   6. Re: mod_auth_tkt md5 -> sha-1 (?) (Charles Bueche)
   7. Re: mod_auth_tkt md5 -> sha-1 (?) (Gavin Carr)
   8. Re: mod_auth_tkt md5 -> sha-1 (?) (Gavin Carr)


----------------------------------------------------------------------

Message: 1
Date: Wed, 3 Dec 2008 14:13:28 +1100
From: Gavin Carr <ga...@openfusion.com.au>
Subject: Re: [modauthtkt-users] Redirects..
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <20081203031328.gf18...@openfusion.com.au>
Content-Type: text/plain; charset=us-ascii

On Fri, Nov 28, 2008 at 11:10:12AM +0000, Mário Lopes wrote:
> Ok, I think I figured out where the bug is coming from. The cookie  
> isn't being set with an expiration date and it should match the  
> AuthTimeout (now set to 600m), no? Any ideas why?

Try setting TKTAuthCookieExpires to match (or slightly exceed) your 
TKTAuthTimeout.

Cheers,
Gavin




------------------------------

Message: 2
Date: Sat, 03 Jan 2009 16:34:12 +0100
From: Laurent <laurent.gou...@online.fr>
Subject: [modauthtkt-users] Avoiding fallback to apache basic auth ...
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <1230996852.7178.12.ca...@gemini>
Content-Type: text/plain

In reply to a previous mail sent to this list:

On Wed, Jul 16, 2008 at 04:03:34PM -0400, Charlie Brady wrote:
> 
> I have a situation where a user has a valid ticket, but they don't
> satisfy "require user xxx" for the location they are accessing. I would
> like to display a 403 page at that stage, but instead the browser pops
> up a basic auth login popup.
> 
> Is there a way to disable that, or to configure apache so that doesn't
> occur?

I solved this by using "AuthType None" instead of "AuthType Basic" in my
apache configuration (in fact anything other than Basic or Digest should
work).

Hope it helps,

Cheers,

Laurent Goujon




------------------------------

Message: 3
Date: Thu, 15 Jan 2009 22:13:46 +0100
From: Christian Folini <christian.fol...@netnea.com>
Subject: [modauthtkt-users] mod_auth_tkt md5 -> sha-1 (?)
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <20090115211346.ga10...@localhost.localdomain>
Content-Type: text/plain; charset=utf-8

Hello list, hey Gavin,

With md5 cracking attempts being covered on slashdot regularly,
I thought it was only a matter of time until the md5 vs. another
hashing algorithm question would pop up on this mailing list.

Now it is me who brings it up:
 - I am planning a new project for a customer who is interested
   in a simple authentication scheme that is able to work with
   a heterogeneous group of users and multiple user directories.
 - The customer is really fond of my proposal to use mod_auth_tkt,
   but he sees two show-stoppers.
 - The regular: "How can we revoke active sessions?" We were able
   to come up with a feasible approach here.
 - "Md5 is being cracked today in lab settings. Should we not
   make sure we have a system that is safe from these sorts of
   attacks - or at least safer than md5, now that we know its
   weaknesses."

I am not a cryptographer - far from it actually. So I lack the
knowledge (or confidence) to give the customer a good feeling
about this md5 thing. And if mod_auth_tkt came with an
alternative hashing algorithm, then I would not have to worry.

So 3.5 questions:
 - Is a migration feasible and if so, how much work is it?
 - Is it in the planning or is there a date?
    (well, I guess rather not, but maybe it's Christmas again
    tomorrow)
 - If it's not planned, who would be able to do it and how
   much would it cost?

Cheers,

Christian Folini

P.S. The project plans to generate the shared keys anew once a 
day via a cronjob and roll them out with scp.





------------------------------

Message: 4
Date: Mon, 19 Jan 2009 10:41:42 +0000
From: Mário Lopes <mario.lo...@gmail.com>
Subject: Re: [modauthtkt-users] Redirects..
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <81bf4148-677d-40ed-af11-47fac045c...@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed; delsp=yes

On Oct 21, 2008, at 5:34 PM, Peter Karman wrote:

> Mário Lopes wrote on 10/21/2008 06:34 AM:
>> On Oct 14, 2008, at 1:48 AM, Peter Karman wrote:
>>
>>> Mário Lopes wrote on 10/13/08 11:01 AM:
>>>> Hi,
>>>>
>>>> I've set up modauth-tkt with a login domain (intra.website.com) and
>>>> several subdomains (svn.intra.website.com, etc..). The
>>>> TKTAuthDomain
>>>> is set to .intra.website.com and the cookie is being properly set.
>>>> But
>>>> when it times out, it enters a redirect loop. I have to manually
>>>> delete the auth-tkt cookie so it asks for login again.
>>>>
>>>> Any ideas on what could be the cause for such behavior?
>>>>
>>> without seeing your apache config, it's anyone's guess.
>>
>> You're right.
>>
>> This is the apache config file for the login domain:
>
>>                 TKTAuthTimeout 0
>
>
>>                 TKTAuthTimeout 0
>
> Not sure if its the culprit (I doubt it in fact), but I find those
> timeout values suspicious. Maybe set them for a week or two instead of
> turning it off, and/or use TKTAuthTimeoutRefresh

Ok, I've tracked down the bug. If I change IP address (I move to a
different location) before the cookie has expired, it enters a
redirect loop. Any ideas why?

Thanks again,

Mário




------------------------------

Message: 5
Date: Tue, 20 Jan 2009 22:07:21 -0600
From: Peter Karman <pe...@peknet.com>
Subject: Re: [modauthtkt-users] mod_auth_tkt md5 -> sha-1 (?)
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <49769f79.1060...@peknet.com>
Content-Type: text/plain; charset=ISO-8859-1

Christian Folini wrote on 1/15/09 3:13 PM:

>  - "Md5 is being cracked today in lab settings. Should we not
>    make sure we have a system that is safe from these sorts of
>    attacks - or at least safer than md5, now that we know its
>    weaknesses."

md5 is susceptible to collision lookup tables. That is, md5 hashes are
precomputed and compared against a string to find a match. It's cracking, but
it's brute force.

mod_auth_tkt follows the recommendation outlined here:

 http://en.wikipedia.org/wiki/MD5

namely,

 "However, if passwords are combined with a salt before the MD5 digest is
generated, rainbow tables become much less useful."

The TKTAuthSecret token is the 'salt' in this case. That's what makes
mod_auth_tkt reasonably secure to use -- as long as the salt remains a secret.
Changing it regularly is thus a good idea.

As far as using a different algorithm (e.g., SHA-1), as long as there are freely
available implementations in C and/or Perl, the existing code could be modified
pretty easily, AFAICT. But I don't really see a pressing need for the reason 
above.

I'm not a cryptographer either, so I'd love to hear from someone more
authoritative than me. In the meantime, the wikipedia entry above is good 
reading.

-- 
Peter Karman  .  http://peknet.com/  .  pe...@peknet.com



------------------------------

Message: 6
Date: Fri, 23 Jan 2009 14:42:30 +0100
From: Charles Bueche <cbli...@bueche.ch>
Subject: Re: [modauthtkt-users] mod_auth_tkt md5 -> sha-1 (?)
To: Christian Folini <christian.fol...@netnea.com>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID: <8c69fb23-3d20-4de0-a707-123b189f3...@bueche.ch>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

Hi Christian,

Now that I think about it and with the response of Peter, it's true
that the brute-force attack against MD5 only makes sense if the
attacker can have enough time. If you change the shared secret (used
as salt) daily, this all becomes a non-issue.

And BTW: SHA-1 has been brute-force attacked as well, so you should
think about one of the SHA-2 algos (e.g. SHA-256), see
http://en.wikipedia.org/wiki/SHA
if you use something other than MD5.

But of course, independently of the algo features, it would be nice  
not to be limited to one in mod_auth_tkt. So an implementer is  
welcome :-)

Regs,
Charles

P.S. and no, I'm no cryptographer at all !

On Jan 15, 2009, at 22:13, Christian Folini wrote:

> Hello list, hey Gavin,
>
> With md5 cracking attempts being covered on slashdot regularly,
> I thought it was only a matter of time until the md5 vs. another
> hashing algorithm question would pop up on this mailing list.
>
> Now it is me who brings it up:
> - I am planning a new project for a customer who is interested
>   in a simple authentication scheme that is able to work with
>   a heterogeneous group of users and multiple user directories.
> - The customer is really fond of my proposal to use mod_auth_tkt,
>   but he sees two show-stoppers.
> - The regular: "How can we revoke active sessions?" We were able
>   to come up with a feasible approach here.
> - "Md5 is being cracked today in lab settings. Should we not
>   make sure we have a system that is safe from these sorts of
>   attacks - or at least safer than md5, now that we know its
>   weaknesses."
>
> I am not a cryptographer - far from it actually. So I lack the
> knowledge (or confidence) to give the customer a good feeling
> about this md5 thing. And if mod_auth_tkt came with an
> alternative hashing algorithm, then I would not have to worry.
>
> So 3.5 questions:
> - Is a migration feasible and if so, how much work is it?
> - Is it in the planning or is there a date?
>    (well, I guess rather not, but maybe it's Christmas again
>    tomorrow)
> - If it's not planned, who would be able to do it and how
>   much would it cost?
>
> Cheers,
>
> Christian Folini
>
> P.S. The project plans to generate the shared keys anew once a
> day via a cronjob and roll them out with scp.




------------------------------

Message: 7
Date: Wed, 28 Jan 2009 10:24:39 +1100
From: Gavin Carr <ga...@openfusion.com.au>
Subject: Re: [modauthtkt-users] mod_auth_tkt md5 -> sha-1 (?)
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <20090127232439.ga32...@openfusion.com.au>
Content-Type: text/plain; charset=us-ascii

On Fri, Jan 23, 2009 at 02:42:30PM +0100, Charles Bueche wrote:
> Now that I think about it and with the response of Peter, it's true
> that the brute-force attack against MD5 only makes sense if the
> attacker can have enough time. If you change the shared secret (used
> as salt) daily, this all becomes a non-issue.

Hmmm, I'm not sure this is an argument I'd want to make, given rainbow
tables, clusters, and Moore's Law. ;-)

Peter's point is that MD5 collision attacks rely on being able to 
provide all the inputs to the MD5 calculation e.g. given a file with
a given MD5 checksum, I can come up with another file that will have
that checksum.

With mod_auth_tkt the client doesn't have all the inputs though, as 
the shared secret only ever lives server-side. To put it another way,
the security of mod_auth_tkt rests primarily on the secrecy of the 
key, not the security of the hashing algorithm. So changing the key 
periodically is good practice.

> And BTW: SHA-1 has been brute-force attacked as well, so you should
> think about one of the SHA-2 algos (e.g. SHA-256), see
> http://en.wikipedia.org/wiki/SHA
> if you use something other than MD5.
> 
> But of course, independently of the algo features, it would be nice  
> not to be limited to one in mod_auth_tkt. So an implementer is  
> welcome :-)

There's SHA-1 support in APR, so adding support for that would be 
reasonably straightforward. SHA-2 or other digest algorithms would 
currently require external libraries, which would be okay as 
dependencies as long as their use was optional.

Patches welcome. :-)

Cheers,
Gavin
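
[Editor's added example. This is not code from the list or from the
mod_auth_tkt project; it is a toy reimplementation that makes Gavin's point
above concrete (a forger needs the shared secret, not a faster MD5) and also
shows why Mário's IP change in message 4 invalidates an otherwise valid
ticket. The ticket layout is assumed from the Apache::AuthTkt documentation as
I recall it: 8 hex chars of timestamp, the hex digest, then uid!tokens!user_data,
with digest = H(H(packed_ip + packed_ts + secret + uid + NUL + tokens + NUL +
user_data) + secret), H being MD5 in stock mod_auth_tkt, and TKTAuthIgnoreIP
substituting 0.0.0.0 for the client address. The secret, uid, tokens, addresses
and timestamps are constructed sample values. Check the exact layout against the
mod_auth_tkt version you deploy before relying on this for interoperability.]

```python
# Added example: toy reimplementation of the mod_auth_tkt ticket MAC.
# Not the project's code; the field layout below is assumed from the
# Apache::AuthTkt documentation and should be checked against your version.
import hashlib
import hmac
import socket
import struct
import time


def _hexdigest(algo, data):
    """Hex digest with a selectable algorithm (MD5 in stock mod_auth_tkt)."""
    return hashlib.new(algo, data).hexdigest()


def make_digest(secret, ip, ts, uid, tokens='', user_data='', algo='md5'):
    """Assumed construction: H(H(ip_ts + secret + uid + NUL + tokens + NUL + data) + secret).

    ip_ts is the IPv4 address as four raw bytes followed by the timestamp as a
    big-endian 32-bit integer (Perl pack('C4N', ...)). The secret enters both
    rounds, so the client, who sees every other field, cannot recompute it.
    """
    ip_ts = socket.inet_aton(ip) + struct.pack('!I', ts)
    inner = _hexdigest(algo, ip_ts + secret.encode() + uid.encode() + b'\0'
                       + tokens.encode() + b'\0' + user_data.encode())
    return _hexdigest(algo, inner.encode() + secret.encode())


def make_ticket(secret, ip, uid, tokens='', user_data='', ts=None,
                algo='md5', ignore_ip=False):
    """Build the cookie value: 8 hex chars of timestamp, digest, uid!tokens!data."""
    ts = int(time.time()) if ts is None else ts
    ip = '0.0.0.0' if ignore_ip else ip      # assumed TKTAuthIgnoreIP behaviour
    digest = make_digest(secret, ip, ts, uid, tokens, user_data, algo)
    return '%08x%s%s!%s!%s' % (ts, digest, uid, tokens, user_data)


def parse_ticket(ticket, algo='md5'):
    """Split a ticket into its fields; raises ValueError on malformed input."""
    dlen = hashlib.new(algo).digest_size * 2
    if len(ticket) < 8 + dlen:
        raise ValueError('ticket too short')
    ts = int(ticket[:8], 16)
    digest = ticket[8:8 + dlen]
    uid, tokens, user_data = ticket[8 + dlen:].split('!', 2)
    return ts, digest, uid, tokens, user_data


def verify_ticket(secret, ticket, client_ip, timeout, now=None,
                  algo='md5', ignore_ip=False):
    """Return the ticket fields if the MAC and timeout check out, else None.

    The MAC is checked before the timestamp is trusted: whoever can edit the
    cookie controls ts, so no field means anything until the digest matches.
    """
    now = int(time.time()) if now is None else now
    try:
        ts, digest, uid, tokens, user_data = parse_ticket(ticket, algo)
    except ValueError:
        return None
    ip = '0.0.0.0' if ignore_ip else client_ip
    expected = make_digest(secret, ip, ts, uid, tokens, user_data, algo)
    if not hmac.compare_digest(expected, digest):
        return None          # tampered, wrong secret, or client IP changed
    if timeout and now - ts > timeout:
        return None          # TKTAuthTimeout exceeded
    return {'uid': uid, 'tokens': tokens.split(',') if tokens else [],
            'user_data': user_data}


def demo():
    """Exercise the verifier against the cases discussed in the thread."""
    secret = 'constructed-shared-secret'   # sample value; rotate it as the thread suggests
    ts = 1232000000                         # fixed so the run is reproducible
    ticket = make_ticket(secret, '10.0.0.5', 'alice', 'staff', ts=ts)
    return {
        'valid': verify_ticket(secret, ticket, '10.0.0.5', 600, now=ts + 100),
        # client moved to another address: digest no longer matches (message 4)
        'moved_ip': verify_ticket(secret, ticket, '10.0.0.6', 600, now=ts + 100),
        # same move with ignore_ip on both sides: accepted
        'moved_ip_ignored': verify_ticket(
            secret, make_ticket(secret, '10.0.0.5', 'alice', ts=ts, ignore_ip=True),
            '10.0.0.6', 600, now=ts + 100, ignore_ip=True),
        # uid edited client-side without the secret: rejected
        'forged_uid': verify_ticket(secret, ticket.replace('alice', 'admin'),
                                    '10.0.0.5', 600, now=ts + 100),
        'expired': verify_ticket(secret, ticket, '10.0.0.5', 600, now=ts + 1000),
        # same code with SHA-256: only the digest length changes
        'sha256': verify_ticket(
            secret, make_ticket(secret, '10.0.0.5', 'alice', ts=ts, algo='sha256'),
            '10.0.0.5', 600, now=ts + 100, algo='sha256'),
    }


if __name__ == '__main__':
    for name, result in demo().items():
        status = 'accepted as %s' % result['uid'] if result else 'rejected'
        print('%-17s %s' % (name, status))
```

Two things worth noting from the run. The check that fails when the client
moves is the digest comparison, not the timeout: the address is an input to
the inner hash, so the same cookie presented from a new IP is, to the module,
indistinguishable from a forgery, and it is sent back to the login URL;
TKTAuthIgnoreIP is the knob that removes the address from the computation.
Swapping algo to 'sha256' changes the digest length and nothing else in the
verifier, which is roughly the size of change Gavin describes. If you were
designing a new scheme today you would reach for HMAC-SHA-256 rather than a
hand-rolled double hash, but the property the thread turns on, that a forger
needs the secret and not a faster MD5, is the same in both.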




------------------------------

Message: 8
Date: Wed, 28 Jan 2009 10:28:26 +1100
From: Gavin Carr <ga...@openfusion.com.au>
Subject: Re: [modauthtkt-users] mod_auth_tkt md5 -> sha-1 (?)
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <20090127232826.gb32...@openfusion.com.au>
Content-Type: text/plain; charset=us-ascii

Hi Christian,

On Thu, Jan 15, 2009 at 10:13:46PM +0100, Christian Folini wrote:
>  - The regular: "How can we revoke active sessions?" We were able 
>    to come up with a feasible approach here.

Can you give an example of the use case you have in mind here? I'm
interested in how you'd like to use this (since I haven't had a need
for this myself yet).

Cheers,
Gavin




------------------------------

------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword

------------------------------

_______________________________________________
modauthtkt-users mailing list
modauthtkt-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/modauthtkt-users


End of modauthtkt-users Digest, Vol 22, Issue 1
***********************************************
