[unisog] Centralized auth for web servers
docbook.xml at gmail.com
Mon Jul 24 21:42:26 GMT 2006
I don't understand your question. How can compromising a service that is
participating in a Kerberized environment allow a miscreant to snag
passwords? In a "true" Kerberos environment the credentials
(username/password) are never passed to a service, only tickets are.
for a description of how Kerberos works.
If your web servers are using SPNEGO, then a miscreant should never be
able to snag your passwords from the web servers.
Or are you using MS Active Directory as an LDAP server, and not true Kerberos?
On 7/24/06, James J. Barlow <jbarlow at ncsa.uiuc.edu> wrote:
> Was wondering if anyone else has any experience with a centralized web
> authentication application? We seem to have more and more servers
> being set up at our site that accept Kerberos passwords (which authenticate
> against our centralized Kerberos servers), and it's making me a bit
> nervous. I'm worried about one of those servers getting compromised
> and then a miscreant could snag lots of people's Kerberos passwords.
> I'd like a solution where the different web servers could use one server
> for authentication (which would then be centrally managed), and then
> use that authentication token/cookie, or whatever, for access to their pages.
> We have looked at Bluestem (https://www-s.uiuc.edu/bluestem/notes/overview.html)
> and were wondering what other sites may be using. TIA.
> James J. Barlow <jbarlow at ncsa.uiuc.edu>
> Head of Security Operations and Incident Response
> National Center for Supercomputing Applications Voice : (217)244-6403
> 1205 West Clark Street, Urbana, IL 61801 Cell : (217)840-0601
> http://www.ncsa.uiuc.edu/~jbarlow Fax : (217)244-1987
> unisog mailing list
> unisog at lists.sans.org
Saqib Ali, CISSP, ISSAP
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
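Added example (not part of either message above): the reply's point is that with SPNEGO the web server only ever sees a GSS-API token, so a practitioner's check is to look at what the browser actually puts in the "Authorization: Negotiate" header. The script below builds two constructed SPNEGO NegTokenInit tokens (RFC 4178, wrapped in the RFC 2743 InitialContextToken) with a placeholder mechToken instead of a real AP-REQ, then parses them back with a small DER reader and reports the offered mechanisms. The caveat it surfaces, which the thread does not spell out, is that SPNEGO can also carry NTLMSSP: if the client's first (optimistic) mechanism is NTLM rather than Kerberos, the server is handed a password-hash-derived challenge-response, not a ticket, so "SPNEGO is on" is not by itself the same as "only tickets reach the web server". Function names, the sample headers and the placeholder token are all assumptions made for this example.

```python
import base64

# Well-known mechanism OIDs seen in SPNEGO mechTypes lists.
MECH_NAMES = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5 (legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
KERBEROS_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}
NTLM_OID = "1.3.6.1.4.1.311.2.2.10"
SPNEGO_OID = "1.3.6.1.5.5.2"

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der(0x06, bytes(out))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def build_negotiate_header(mech_oids, mech_token):
    """Client side: NegTokenInit with a mechTypes list and an optimistic
    mechToken for the first listed mechanism, wrapped as GSS-API [APPLICATION 0]."""
    mech_list = der(0x30, b"".join(encode_oid(o) for o in mech_oids))
    neg_init = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    token = der(0x60, encode_oid(SPNEGO_OID) + der(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(token).decode()

def inspect_negotiate_header(header_value):
    """Server side: parse the header and say whether the first offered
    mechanism (the one the mechToken belongs to) is Kerberos."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    tag, body, _ = read_tlv(base64.b64decode(b64))
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("thisMech is not SPNEGO")
    tag, neg, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit ([0]), got tag 0x%02x" % tag)
    _, seq, _ = read_tlv(neg)
    mechs, token_len, pos = [], 0, 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA0:                       # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = read_tlv(val)
            p = 0
            while p < len(lst):
                _, o, p = read_tlv(lst, p)
                mechs.append(decode_oid(o))
        elif tag == 0xA2:                     # [2] mechToken: OCTET STRING
            _, tok, _ = read_tlv(val)
            token_len = len(tok)
    preferred = mechs[0] if mechs else None
    return {
        "mechs": mechs,
        "mech_names": [MECH_NAMES.get(m, m) for m in mechs],
        "mech_token_len": token_len,
        "kerberos_preferred": preferred in KERBEROS_OIDS,  # server gets a ticket
        "offers_ntlm": NTLM_OID in mechs,                  # fallback is password-derived
    }

# Constructed samples: the mechToken is a placeholder, not a real AP-REQ or NTLM message.
DUMMY_TOKEN = b"<constructed placeholder>"
SAMPLE_KERBEROS = build_negotiate_header(["1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"], DUMMY_TOKEN)
SAMPLE_NTLM_FIRST = build_negotiate_header([NTLM_OID, "1.2.840.113554.1.2.2"], DUMMY_TOKEN)

if __name__ == "__main__":
    for name, hdr in (("kerberos", SAMPLE_KERBEROS), ("ntlm-first", SAMPLE_NTLM_FIRST)):
        print(name, inspect_negotiate_header(hdr))
```

A server-side policy built on this would reject a NegTokenInit whose first mechanism is NTLMSSP (or simply not list NTLM as an acceptable mechanism in its GSS-API configuration), so that a compromised web server can at worst replay a service ticket it was given, never capture anything derived from the user's password.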