Send modauthtkt-users mailing list submissions to
        modauthtkt-users@lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
or, via email, send a message with subject or body 'help' to
        modauthtkt-users-requ...@lists.sourceforge.net

You can reach the person managing the list at
        modauthtkt-users-ow...@lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of modauthtkt-users digest..."


Today's Topics:

   1. Revoking active sessions (was: Re: mod_auth_tkt md5 -> sha-1 (?))
      (Christian Folini)
   2. Fake protected directory? (Nikolaus Rath)
   3. Re: Fake protected directory? (Gavin Carr)
   4. Re: Fake protected directory? (Nikolaus Rath)
   5. Re: Fake protected directory? (Gavin Carr)
   6. ANNOUNCE: mod_auth_tkt 2.0.0rc4 (Gavin Carr)
   7. Re: ANNOUNCE: mod_auth_tkt 2.0.0rc4 (Michael Peters)
   8. Re: ANNOUNCE: mod_auth_tkt 2.0.0rc4 (Nikolaus Rath)
   9. Re: ANNOUNCE: mod_auth_tkt 2.0.0rc4 (Gavin Carr)


----------------------------------------------------------------------

Message: 1
Date: Wed, 28 Jan 2009 07:22:59 +0100
From: Christian Folini <christian.fol...@time-machine.ch>
Subject: [modauthtkt-users] Revoking active sessions (was: Re:
        mod_auth_tkt md5 -> sha-1 (?))
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <20090128062259.gb7...@localhost.localdomain>
Content-Type: text/plain; charset=utf-8

Hello Gavin,

Thanks for responding. I am glad you find time to participate in
this discussion.

On Wed, Jan 28, 2009 at 10:28:26AM +1100, Gavin Carr wrote:
> On Thu, Jan 15, 2009 at 10:13:46PM +0100, Christian Folini wrote:
> >  - The regular: "How can we revoke active sessions?" We were able 
> >    to come up with a feasible approach here.
> 
> Can you give an example of the use case you have in mind here? I'm
> interested in how you'd like to use this (since I haven't had a need
> for this myself yet).

I will be blunt here: The use case is customers who are puzzled that
you cannot revoke an active session. I usually explain to them that
we are not maintaining an active session store and that in practice
they do not need to revoke sessions. But it leaves them with a bad
taste in the mouth.

As for real-world use cases: If you are actively monitoring the
transactions, you are theoretically in a position where you can
see clients misbehaving. Stopping these sessions immediately makes
sense. I believe short session timeouts are more effective,
but hey, I am only setting up security measures. I am not telling
anybody how to run their business.

best regards,

Christian Folini


-- 
"Innovation" is way oversold.
-- Linus Torvalds



------------------------------

Message: 2
Date: Sun, 08 Feb 2009 20:36:09 -0500
From: Nikolaus Rath <nikol...@rath.org>
Subject: [modauthtkt-users] Fake protected directory?
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <874oz4wfw6....@nokile.rath.org>
Content-Type: text/plain; charset=utf-8

Hello,

The configuration file in the .tgz has the following section:

# Fake protected directory - used by sample CGI scripts to derive your-
# settings (set this up to mirror your real mod_auth_tkt settings)
<Directory /var/www/fake>
  AuthType Basic
  require valid-user
[...]


but when I grep'ed for "fake" in the provided cgi scripts, I did not
get any matches. Is this directory still required?


Best,

   -Nikolaus

-- 
 “Time flies like an arrow, fruit flies like a Banana.”

  PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6  02CF A9AD B7F8 AE4E 425C



------------------------------

Message: 3
Date: Tue, 10 Feb 2009 20:31:30 +1100
From: Gavin Carr <ga...@openfusion.com.au>
Subject: Re: [modauthtkt-users] Fake protected directory?
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <20090210093129.ga4...@openfusion.com.au>
Content-Type: text/plain; charset=us-ascii

Hi Nikolaus,

On Sun, Feb 08, 2009 at 08:36:09PM -0500, Nikolaus Rath wrote:
> The configuration file in the .tgz has the following section:
> 
> # Fake protected directory - used by sample CGI scripts to derive your-
> # settings (set this up to mirror your real mod_auth_tkt settings)
> <Directory /var/www/fake>
>   AuthType Basic
>   require valid-user
> [...]
> 
> 
> but when I grep'ed for "fake" in the provided cgi scripts, I did not
> get any matches. Is this directory still required?

Kind of, if you use the default cgi scripts. The cgi scripts do a:

  my $at = Apache::AuthTkt->new(conf => $ENV{MOD_AUTH_TKT_CONF});

which loads up your config settings from $ENV{MOD_AUTH_TKT_CONF},
which points to that default config file. You could set that 
environment variable to point to another of your configs if you'd
prefer, in which case that fake directory wouldn't be required.

Cheers,
Gavin




------------------------------

Message: 4
Date: Tue, 10 Feb 2009 13:43:11 -0500
From: Nikolaus Rath <nikol...@rath.org>
Subject: Re: [modauthtkt-users] Fake protected directory?
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <871vu6uo8w....@nokile.rath.org>
Content-Type: text/plain; charset=utf-8

Hi,

Gavin Carr <ga...@openfusion.com.au> writes:
> Hi Nikolaus,
>
> On Sun, Feb 08, 2009 at 08:36:09PM -0500, Nikolaus Rath wrote:
>> The configuration file in the .tgz has the following section:
>> 
>> # Fake protected directory - used by sample CGI scripts to derive your-
>> # settings (set this up to mirror your real mod_auth_tkt settings)
>> <Directory /var/www/fake>
>>   AuthType Basic
>>   require valid-user
>> [...]
>> 
>> 
>> but when I grep'ed for "fake" in the provided cgi scripts, I did not
>> get any matches. Is this directory still required?
>
> Kind of, if you use the default cgi scripts. The cgi scripts do a:
>
>   my $at = Apache::AuthTkt->new(conf => $ENV{MOD_AUTH_TKT_CONF});
>
> which loads up your config settings from $ENV{MOD_AUTH_TKT_CONF},
> which points to that default config file. You could set that
> environment variable to point to another of your configs if you'd
> prefer, in which case that fake directory wouldn't be required.

I don't quite understand. So Apache::AuthTkt is reading my
configuration file. But why does that mean that I have to configure a
special URL?

Or is it just that the configuration file should contain at least one
protected directory, no matter whether it's named "fake" or not?


Best,

   -Nikolaus

-- 
 “Time flies like an arrow, fruit flies like a Banana.”

  PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6  02CF A9AD B7F8 AE4E 425C



------------------------------

Message: 5
Date: Wed, 11 Feb 2009 09:57:01 +1100
From: Gavin Carr <ga...@openfusion.com.au>
Subject: Re: [modauthtkt-users] Fake protected directory?
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <20090210225701.gb26...@openfusion.com.au>
Content-Type: text/plain; charset=us-ascii

On Tue, Feb 10, 2009 at 01:43:11PM -0500, Nikolaus Rath wrote:
> Gavin Carr <ga...@openfusion.com.au> writes:
> > On Sun, Feb 08, 2009 at 08:36:09PM -0500, Nikolaus Rath wrote:
> >> The configuration file in the .tgz has the following section:
> >> 
> >> # Fake protected directory - used by sample CGI scripts to derive your-
> >> # settings (set this up to mirror your real mod_auth_tkt settings)
> >> <Directory /var/www/fake>
> >>   AuthType Basic
> >>   require valid-user
> >> [...]
> >> 
> >> 
> >> but when I grep'ed for "fake" in the provided cgi scripts, I did not
> >> get any matches. Is this directory still required?
> >
> > Kind of, if you use the default cgi scripts. The cgi scripts do a:
> >
> >   my $at = Apache::AuthTkt->new(conf => $ENV{MOD_AUTH_TKT_CONF});
> >
> > which loads up your config settings from $ENV{MOD_AUTH_TKT_CONF},
> > which points to that default config file. You could set that
> > environment variable to point to another of your configs if you'd
> > prefer, in which case that fake directory wouldn't be required.
> 
> I don't quite understand. So Apache::AthTkt is reading my
> configuration file. But why does that mean that I have to configure a
> special URL?
> 
> Or is it just that the configuration file should contain at least one
> protected directory, no matter whether it's named "fake" or not?

Yes, the latter.

Cheers,
Gavin




------------------------------

Message: 6
Date: Fri, 13 Feb 2009 17:06:08 +1100
From: Gavin Carr <ga...@openfusion.com.au>
Subject: [modauthtkt-users] ANNOUNCE: mod_auth_tkt 2.0.0rc4
To: mod_auth_tkt-users <modauthtkt-users@lists.sourceforge.net>
Message-ID: <20090213060607.ga11...@openfusion.com.au>
Content-Type: text/plain; charset=us-ascii

Ok, after a good while a few things are happening on the mod_auth_tkt
front again. First up, I'm releasing a new release candidate today,
2.0.0rc4, available here:

  http://www.openfusion.com.au/labs/dist/mod_auth_tkt-2.0.0rc4.tar.gz

RPMs for CentOS5 are also available from the Open Fusion repository:

  http://www.openfusion.net/linux/openfusion_rpm_repository


There are only minor changes in rc4 from rc3, but I'd appreciate
testing by anyone who has time. The plan is for this to turn into
a final 2.0 release in a week or 10 days.


Second, Christian Folini of netnea.com and an unnamed Swiss bank are
sponsoring incorporating SHA1 hashing into mod_auth_tkt, as an
alternative to the existing MD5 hashing, and supporting a backup
TKTAuthSecret, to allow for smooth/seamless secret rotation. These
enhancements will be released as a new version 2.1.


Cheers,
Gavin
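
Added example (not part of this digest and not mod_auth_tkt's own code or
wire format): a small stateless ticket scheme in Python illustrating two
points from this thread. First, the reason behind message 1: with no session
store, a ticket cannot be revoked individually; the only levers are a short
timeout or retiring the secret that signed it. Second, the backup
TKTAuthSecret announced above: validating against a primary and then a backup
secret lets you rotate without killing every outstanding ticket at once. The
ticket layout, the HMAC construction, the secrets, the timeout and the sample
client values are assumptions chosen for illustration; mod_auth_tkt uses its
own digest construction over the same kind of fields. The digest is pluggable
so the MD5 / SHA1 choice can be seen side by side.

```python
"""Stateless tickets in the spirit of mod_auth_tkt (added example, assumed layout).

A ticket is digest + issue time + user + "!" + tokens. The server stores nothing,
so a ticket stays valid until it expires or the secret that signed it goes away.
"""
import hashlib
import hmac
import time

# Hypothetical secret; with mod_auth_tkt the primary would come from TKTAuthSecret.
PRIMARY_SECRET = b"primary-secret-change-me"
TIMEOUT = 2 * 3600  # seconds; the shorter this is, the sooner a "revoked" user is out


def _digest(secret, ip, ts, user, tokens, algo):
    # Key the digest with the secret and bind it to client IP, issue time,
    # user and tokens so none of them can be altered without the secret.
    msg = b"\0".join(f.encode() for f in (ip, str(ts), user, tokens))
    return hmac.new(secret, msg, algo).hexdigest()


def issue(secret, ip, user, tokens="", ts=None, algo="sha1"):
    """Mint a ticket; algo is "md5" or "sha1" (the alternative discussed above)."""
    ts = int(time.time()) if ts is None else ts
    return f"{_digest(secret, ip, ts, user, tokens, algo)}{ts:08x}{user}!{tokens}"


def parse(ticket, algo="sha1"):
    dlen = hashlib.new(algo).digest_size * 2  # length of the hex digest
    digest, ts_hex, rest = ticket[:dlen], ticket[dlen:dlen + 8], ticket[dlen + 8:]
    user, _, tokens = rest.partition("!")
    return digest, int(ts_hex, 16), user, tokens  # int() raises on a truncated ticket


def validate(ticket, ip, secrets, now=None, timeout=TIMEOUT, algo="sha1"):
    """Return the user name if the ticket is fresh and verifies under any secret in
    `secrets` (primary first, backup second), otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        digest, ts, user, tokens = parse(ticket, algo)
    except ValueError:
        return None
    if now - ts > timeout:
        return None  # expiry is the only "revocation" available without a store
    for secret in secrets:
        if hmac.compare_digest(_digest(secret, ip, ts, user, tokens, algo), digest):
            return user
    return None


def demo():
    """Walk through the cases from the thread; returns a dict of outcomes."""
    ip, user, t0 = "192.0.2.10", "alice", 1_234_000_000  # constructed sample values
    tkt = issue(PRIMARY_SECRET, ip, user, "admin", ts=t0)
    new_secret = b"rotated-secret"
    return {
        "valid": validate(tkt, ip, [PRIMARY_SECRET], now=t0 + 60),
        "other_ip": validate(tkt, "198.51.100.7", [PRIMARY_SECRET], now=t0 + 60),
        "tampered_user": validate(tkt.replace("alice", "mallory"), ip,
                                  [PRIMARY_SECRET], now=t0 + 60),
        "expired": validate(tkt, ip, [PRIMARY_SECRET], now=t0 + TIMEOUT + 1),
        # Rotate with the old secret kept as backup: outstanding tickets survive.
        "rotated_with_backup": validate(tkt, ip, [new_secret, PRIMARY_SECRET],
                                        now=t0 + 60),
        # Rotate without a backup: every ticket signed by the old secret dies at
        # once, which is the blunt revocation a stateless design offers.
        "rotated_no_backup": validate(tkt, ip, [new_secret], now=t0 + 60),
        # Same scheme with MD5 as the digest instead of SHA1.
        "md5_ticket": validate(issue(PRIMARY_SECRET, ip, user, ts=t0, algo="md5"),
                               ip, [PRIMARY_SECRET], now=t0 + 60, algo="md5"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} -> {result}")
```

The order of `secrets` matters operationally: put the new secret first so that
freshly issued tickets verify on the first try, keep the old one as the backup
only for as long as the longest ticket lifetime, then drop it. Once the backup
is gone, any ticket still signed by it fails, which is the one-shot mass
revocation available in a scheme like this.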





------------------------------

Message: 7
Date: Fri, 13 Feb 2009 08:49:16 -0500
From: Michael Peters <mpet...@plusthree.com>
Subject: Re: [modauthtkt-users] ANNOUNCE: mod_auth_tkt 2.0.0rc4
To: mod_auth_tkt-users <modauthtkt-users@lists.sourceforge.net>
Message-ID: <49957a5c.7010...@plusthree.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

Gavin Carr wrote:

> and supporting a backup
> TKTAuthSecret, to allow for smooth/seamless secret rotation. These
> enhancements will be released as a new version 2.1.

I proposed this and submitted a patch back in 2006 for something very similar.
 
http://sourceforge.net/mailarchive/forum.php?thread_name=43B69470.3080304%40plusthree.com&forum_name=modauthtkt-users

-- 
Michael Peters
Plus Three, LP




------------------------------

Message: 8
Date: Fri, 13 Feb 2009 17:28:53 -0500
From: Nikolaus Rath <nikol...@rath.org>
Subject: Re: [modauthtkt-users] ANNOUNCE: mod_auth_tkt 2.0.0rc4
To: mod_auth_tkt-users <modauthtkt-users@lists.sourceforge.net>
Message-ID: <8763jermxm....@nokile.rath.org>
Content-Type: text/plain; charset=utf-8

Gavin Carr <ga...@openfusion.com.au> writes:
> Second, Christian Folini of netnea.com and an unnamed Swiss bank are
> sponsoring incorporating SHA1 hashing into mod_auth_tkt, as an
> alternative to the existing MD5 hashing, and supporting a backup
> TKTAuthSecret, to allow for smooth/seamless secret rotation. These
> enhancements will be released as a new version 2.1.

Is it also planned to introduce support for the Apache 2.2
authentication scheme, i.e. the AuthBasicProvider directive?


Best,

   -Nikolaus

-- 
 “Time flies like an arrow, fruit flies like a Banana.”

  PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6  02CF A9AD B7F8 AE4E 425C



------------------------------

Message: 9
Date: Sun, 15 Feb 2009 15:34:12 +1100
From: Gavin Carr <ga...@openfusion.com.au>
Subject: Re: [modauthtkt-users] ANNOUNCE: mod_auth_tkt 2.0.0rc4
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <20090215043412.gb6...@openfusion.com.au>
Content-Type: text/plain; charset=us-ascii

On Fri, Feb 13, 2009 at 08:49:16AM -0500, Michael Peters wrote:
> Gavin Carr wrote:
> 
> > and supporting a backup
> > TKTAuthSecret, to allow for smooth/seamless secret rotation. These
> > enhancements will be released as a new version 2.1.
> 
> I proposed this and submitted a patch back in 2006 for something very similar.
>  
> http://sourceforge.net/mailarchive/forum.php?thread_name=43B69470.3080304%40plusthree.com&forum_name=modauthtkt-users

Thanks Michael, I'd forgotten about that patch. I'll check it out.

Cheers,
Gavin




------------------------------


End of modauthtkt-users Digest, Vol 23, Issue 1
***********************************************
