Send modauthtkt-users mailing list submissions to modauthtkt-users@lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/modauthtkt-users or, via email, send a message with subject or body 'help' to modauthtkt-users-requ...@lists.sourceforge.net

You can reach the person managing the list at modauthtkt-users-ow...@lists.sourceforge.net

When replying, please edit your Subject line so it is more specific than "Re: Contents of modauthtkt-users digest..."

Today's Topics:

   1. Re: ticket time out and http post handling (Peter Karman)
   2. Apache config : configuration options in subdirectories (Jan Smets)
   3. mod_auth_tkt with multiple subdomains and RPC requests (Edward McLain)
   4. Re: mod_auth_tkt with multiple subdomains and RPC requests (Gavin Carr)

----------------------------------------------------------------------

Message: 1
Date: Tue, 21 Oct 2014 09:44:10 -0500
From: Peter Karman <pe...@peknet.com>
Subject: Re: [modauthtkt-users] ticket time out and http post handling
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <5446713a.1090...@peknet.com>
Content-Type: text/plain; charset=ISO-8859-1

On 10/20/14, 4:13 PM, Jan Smets wrote:
> The problem with that is that I don't have a good control over
> expired accounts. In theory a user could tamper with the cookie and
> keep on refreshing his ticket, and so keep his account valid
> indefinitely.
>
> Yes, I know it's unlikely to happen, but you never know ...
>

I don't think it's possible for that to happen. The ticket digest is calculated using the timestamp of the ticket itself, not the cookie expiration timestamp. So if you mess with the timestamp of the ticket itself, it should invalidate the digest, rendering the whole ticket invalid.

> How do I efficiently check for expired accounts or for changed roles?
> At some point I would like the user to pass through the ticketing
> application to 'refresh' its permissions, etc ... and I kind of
> force that by setting TKTAuthTimeoutRefresh to 0.
>

Here's what I do, all on the client side with JS. If I have a form or other POST-oriented interface, I intercept the POST and check the validity of the ticket (which really can be abbreviated, if the cookie expire is synced with the ticket's expire, to checking for a cookie). If it is not, I present the user with another XHR-based login panel so they can re-create their ticket, before continuing with the POST. e.g. https://github.com/publicinsightnetwork/audience-insight-repository/blob/master/public_html/js/util/ajaxlogin.js

-- 
Peter Karman . http://peknet.com/ . pe...@peknet.com

------------------------------

Message: 2
Date: Mon, 27 Oct 2014 14:06:15 +0100
From: Jan Smets <jan.sm...@alcatel-lucent.com>
Subject: [modauthtkt-users] Apache config : configuration options in subdirectories
To: <modauthtkt-users@lists.sourceforge.net>
Message-ID: <544e4347.4030...@alcatel-lucent.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed

Hi!

I tried the following apache configuration:

<VirtualHost...>
....
<Directory "/var/www/html">
    AuthType None
    require valid-user
    TKTAuthLoginURL https://...
    TKTAuthTimeout 4h
    TKTAuthTimeoutRefresh 0
    TKTAuthTimeoutURL https://...
    TKTAuthPostTimeoutURL https://...
    TKTAuthUnauthURL https://...
    TKTAuthCookieExpires 1w
    TKTAuthIgnoreIP on
    TKTAuthRequireSSL on
    TKTAuthCookieSecure on
    TKTAuthDomain my.domain
    TKTAuthCookieName "auth_cookie"
    TKTAuthBackCookieName "auth_cookie_back"
    # everyone with a valid account
    TKTAuthToken unexpired
    Order allow,deny
    Allow from all
</Directory>
<Directory "/var/www/html/admin">
    TKTAuthToken admin
</Directory>
...

I noticed that some variables are 'inherited' into the subdirectory, but some are not. Like TKTAuthCookieName for example. Is that intentional or a bug in the module?

Thanks!
- Jan

------------------------------

Message: 3
Date: Wed, 31 Dec 2014 13:55:26 -0600
From: Edward McLain <e...@edmclain.com>
Subject: [modauthtkt-users] mod_auth_tkt with multiple subdomains and RPC requests
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <212aa12f-606c-40c4-8be6-76250a131...@edmclain.com>
Content-Type: text/plain; charset="utf-8"

So here is my situation. I am setting up graphite with grafana and I want to protect them both (and several other subdomain sites) using password based auth to an ldap data source. For the record, I have everything working without password based auth perfectly! My current objective is to get mod_auth_tkt setup and working in a basic fashion using an htpasswd file before I start tackling the ldap side of things. At current, auth works and I can see my site and my cookie is getting set - joy! However, where I still have one major issue is when grafana makes a call to graphite to draw the graphs - using an HTTP POST btw - the cookie is not getting sent through and thus in the background apache is doing a redirect to the login.cgi. Now, if I open another tab in the same browser and navigate to the same URL the page pulls up just fine. I have apache set to set the header "Access-Control-Allow-Origin: *" for testing and can verify it is being sent (that was my first major hurdle).

Any thoughts on how I can get this to work?
Data:
* mod_auth_tkt v2.1.0 (modified to work with apache 2.4)
* Apache 2.4.10
* Graphite is setup as wsgi under a virtual host

AuthTKT Configuration:
TKTAuthDigestType MD5
SetEnv MOD_AUTH_TKT_CONF "/etc/httpd/conf.d/auth_tkt_cgi.conf"
<Directory /var/www/fake>
    AuthType None
    require valid-user
    TKTAuthLoginURL https://spsso.mydomain.com/auth/login.cgi
    # If an internet server, you probably want the following on (at least initially)
    TKTAuthIgnoreIP on
    # If you just want *optional* authentication, so that casual users and robots
    # can still access some content, uncomment the following
</Directory>
Alias /auth /var/www/auth
<Directory /var/www/auth>
    Order deny,allow
    Allow from all
    <FilesMatch "\.cgi$">
        SetHandler perl-script
        PerlResponseHandler ModPerl::Registry
        PerlOptions +ParseHeaders
        Options +ExecCGI
    </FilesMatch>
    <FilesMatch "\.pm$">
        Deny from all
    </FilesMatch>
</Directory>
<Location /auth>
    Order deny,allow
    Allow from all
</Location>

Per virtual host config:
<Location />
    AuthType None
    require valid-user
    TKTAuthLoginURL http://spsso.mydomain.com/auth/autologin.cgi
    TKTAuthIgnoreIP on
    TKTAuthTimeout 1h
    TKTAuthCookieExpires 1h
    TKTAuthCookieName auth_tkt
    TKTAuthDomain .mydomain.com
</Location>

-- 
Ed McLain
e...@edmclain.com

-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

Message: 4
Date: Thu, 1 Jan 2015 20:03:50 +1100
From: Gavin Carr <ga...@openfusion.com.au>
Subject: Re: [modauthtkt-users] mod_auth_tkt with multiple subdomains and RPC requests
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <20150101090345.gb13...@openfusion.com.au>
Content-Type: text/plain; charset=utf-8

Hi Ed,

If you can see that the graphite server isn't receiving the auth tkt cookie then that's your core problem - you'll have to figure out how to get grafana to pass on the cookie on its request. Sounds like a question for the grafana guys?
An uglyish workaround might be to fall back to ip-authorization for the grafana ip on the graphite server, i.e. avoiding using mod_auth_tkt for the grafana requests.

Cheers,
Gavin

On Wed, Dec 31, 2014 at 01:55:26PM -0600, Edward McLain wrote:
> So here is my situation. I am setting up graphite with grafana and I want to
> protect them both (and several other subdomain sites) using password based
> auth to an ldap data source. For the record, I have everything working
> without password based auth perfectly! My current objective is to get
> mod_auth_tkt setup and working in a basic fashion using an htpasswd file
> before I start tackling the ldap side of things. At current, auth works and
> I can see my site and my cookie is getting set - joy! However, where I still
> have one major issue is when grafana makes a call to graphite to draw the
> graphs - using an HTTP POST btw - the cookie is not getting sent through and
> thus in the background apache is doing a redirect to the login.cgi. Now, if
> I open another tab in the same browser and navigate to the same URL the page
> pulls up just fine. I have apache set to set the header
> "Access-Control-Allow-Origin: *" for testing and can verify it is being sent
> (that was my first major hurdle).
>
> Any thoughts on how I can get this to work?
>
> Data:
> * mod_auth_tkt v2.1.0 (modified to work with apache 2.4)
> * Apache 2.4.10
> * Graphite is setup as wsgi under a virtual host
>
> AuthTKT Configuration:
> TKTAuthDigestType MD5
> SetEnv MOD_AUTH_TKT_CONF "/etc/httpd/conf.d/auth_tkt_cgi.conf"
> <Directory /var/www/fake>
>     AuthType None
>     require valid-user
>     TKTAuthLoginURL https://spsso.mydomain.com/auth/login.cgi
>     # If an internet server, you probably want the following on (at least initially)
>     TKTAuthIgnoreIP on
>     # If you just want *optional* authentication, so that casual users and robots
>     # can still access some content, uncomment the following
> </Directory>
> Alias /auth /var/www/auth
> <Directory /var/www/auth>
>     Order deny,allow
>     Allow from all
>     <FilesMatch "\.cgi$">
>         SetHandler perl-script
>         PerlResponseHandler ModPerl::Registry
>         PerlOptions +ParseHeaders
>         Options +ExecCGI
>     </FilesMatch>
>     <FilesMatch "\.pm$">
>         Deny from all
>     </FilesMatch>
> </Directory>
> <Location /auth>
>     Order deny,allow
>     Allow from all
> </Location>
>
> Per virtual host config:
> <Location />
>     AuthType None
>     require valid-user
>     TKTAuthLoginURL http://spsso.mydomain.com/auth/autologin.cgi
>     TKTAuthIgnoreIP on
>     TKTAuthTimeout 1h
>     TKTAuthCookieExpires 1h
>     TKTAuthCookieName auth_tkt
>     TKTAuthDomain .mydomain.com
> </Location>
>
> --
> Ed McLain
> e...@edmclain.com

------------------------------

_______________________________________________
modauthtkt-users mailing list
modauthtkt-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/modauthtkt-users

End of modauthtkt-users Digest, Vol 31, Issue 1
***********************************************
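A worked example of the ticket mechanics discussed in messages 1 and 2 of this digest: Peter's point that the digest covers the ticket's own timestamp (so editing the timestamp invalidates the ticket), plus the TKTAuthTimeout and TKTAuthToken checks from Jan's <Directory> configuration. This is added example code, not from the list or from the mod_auth_tkt project; it assumes the documented MD5 ticket layout, TKTAuthIgnoreIP on (digest bound to 0.0.0.0), a constructed secret and a 4h timeout.

```python
import hashlib
import struct

# Constructed secret for this example; a real deployment sets TKTAuthSecret.
SECRET = b"example-shared-secret"
TIMEOUT_SECS = 4 * 3600   # TKTAuthTimeout 4h, as in Jan's <Directory> config
IGNORE_IP = "0.0.0.0"     # TKTAuthIgnoreIP on binds the digest to 0.0.0.0


def _digest(ip, ts, user, tokens, data, secret=SECRET):
    # Documented MD5 scheme: md5(md5(ip . ts . secret . user \0 tokens \0 data) . secret)
    packed = bytes(int(o) for o in ip.split(".")) + struct.pack(">I", ts)
    inner = hashlib.md5(packed + secret + user.encode() + b"\0"
                        + tokens.encode() + b"\0" + data.encode()).hexdigest()
    return hashlib.md5(inner.encode() + secret).hexdigest()


def make_ticket(user, ts, tokens="", data="", ip=IGNORE_IP):
    # Layout: <32-hex digest><8-hex timestamp><user>!<tokens>!<data>; tokens part optional
    tkt = _digest(ip, ts, user, tokens, data) + "%08x" % ts + user + "!"
    if tokens:
        tkt += tokens + "!"
    return tkt + data


def parse_ticket(tkt):
    # Returns (digest, ts, user, tokens, data); ValueError on a malformed ticket
    digest, ts, parts = tkt[:32], int(tkt[32:40], 16), tkt[40:].split("!")
    if len(parts) == 2:
        return digest, ts, parts[0], "", parts[1]
    if len(parts) == 3:
        return digest, ts, parts[0], parts[1], parts[2]
    raise ValueError("malformed ticket")


def validate(tkt, now, required_token="", ip=IGNORE_IP, timeout=TIMEOUT_SECS):
    # Checks in order: digest, then ticket age, then the TKTAuthToken requirement
    try:
        digest, ts, user, tokens, data = parse_ticket(tkt)
    except ValueError as e:
        return False, str(e)
    if digest != _digest(ip, ts, user, tokens, data):
        return False, "bad digest"     # timestamp is part of the digest input
    if now - ts > timeout:
        return False, "expired"        # would be sent to TKTAuthTimeoutURL
    if required_token and required_token not in tokens.split(","):
        return False, "missing token"  # would be sent to TKTAuthUnauthURL
    return True, user
```

Rewriting the 8-hex-char timestamp in a ticket to push its expiry out fails the digest check before the age is even looked at, which is the behaviour Peter describes.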