[unisog] Centralized auth for web servers

James J. Barlow jbarlow at ncsa.uiuc.edu
Mon Jul 24 22:02:48 GMT 2006


On Mon, Jul 24, 2006 at 02:42:26PM -0700, Saqib Ali wrote:
> I don't understand your question. How can compromising a service that is
> participating in a Kerberized environment allow a miscreant to snag
> passwords? In a "true" kerberos environment the credentials
> (username/password) are never passed to a service, only tickets are.
> See:
> http://xml-dev.com/blog/?action=viewtopic&id=21
> for a description of how kerberos works.
> 
> If your web servers are using SPNEGO, then a miscreant should never be
> able to snag your passwords from the webservers.

Most servers are being set up with mod_auth_kerb: 

   http://modauthkerb.sourceforge.net/

The username and password are passed to the web server, which then does
the authentication.  Definitely not a true kerberos service, but it has
been used for years to deal with browsers that do not (and still do not)
pass kerberos tickets.


> Or are you using MS Active Directory as an LDAP server, and not a true kerberos?
> 
> On 7/24/06, James J. Barlow <jbarlow at ncsa.uiuc.edu> wrote:
> > Was wondering if anyone else has any experience with a centralized web
> > authentication application?  We seem to have more and more servers
> > being set up at our site that accept kerberos passwords (which authenticate
> > against our centralized kerberos servers), and it's making me a bit
> > nervous.  I'm worried about one of those servers getting compromised
> > and then a miscreant could snag lots of people's kerberos passwords.
> > I'd like a solution where the different web servers could use one server
> > for authentication (which would then be centrally managed), and then
> > use that authentication token/cookie, or whatever, for access to their pages.
> >
> > We have looked at Bluestem (https://www-s.uiuc.edu/bluestem/notes/overview.html)
> > and were wondering what other sites may be using.  TIA.
> >
> >
> > --
> > James J. Barlow   <jbarlow at ncsa.uiuc.edu>
> > Head of Security Operations and Incident Response
> > National Center for Supercomputing Applications    Voice : (217)244-6403
> > 1205 West Clark Street, Urbana, IL  61801           Cell : (217)840-0601
> > http://www.ncsa.uiuc.edu/~jbarlow                    Fax : (217)244-1987
> > _______________________________________________
> > unisog mailing list
> > unisog at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/unisog
> >
> 
> 
> -- 
> Saqib Ali, CISSP, ISSAP
> Support http://www.capital-punishment.net
> -----------
> "I fear, if I rebel against my Lord, the retribution of an Awful Day
> (The Day of Resurrection)" Al-Quran 6:15
> -----------

-- 
James J. Barlow   <jbarlow at ncsa.uiuc.edu>
Head of Security Operations and Incident Response
National Center for Supercomputing Applications    Voice : (217)244-6403
1205 West Clark Street, Urbana, IL  61801           Cell : (217)840-0601
http://www.ncsa.uiuc.edu/~jbarlow                    Fax : (217)244-1987
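An added illustration of the point made in the reply above (this is not code from the thread or from mod_auth_kerb): a small Python check of what a web server actually receives under each HTTP auth scheme. With mod_auth_kerb's password fallback (its KrbMethodK5Passwd mode) the browser sends HTTP Basic, so the server sees the plaintext Kerberos password; with SPNEGO (Negotiate) it sees only a ticket-derived token. The header values below are constructed samples.

```python
import base64

# Constructed sample Authorization header values as a web server would
# receive them (hypothetical, not taken from the original thread).
SAMPLE_HEADERS = [
    "Basic " + base64.b64encode(b"alice:hunter2").decode(),
    "Negotiate YIIBxQYGKwYBBQUCoIIBuTCCAbU=",  # constructed, not a real token
    "Bearer abc.def.ghi",
]


def classify_auth_header(header):
    """Return (scheme, username, password_reaches_server).

    Basic: the server can decode the credential pair, so a compromised
    server (or its module) can harvest the Kerberos password.
    Negotiate: only a GSSAPI/SPNEGO token is sent; no password is present.
    """
    scheme, _, param = header.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(param, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            # Malformed Basic header: still a password-bearing scheme.
            return ("basic", None, True)
        user, _, _password = decoded.partition(":")
        return ("basic", user or None, True)
    if scheme == "negotiate":
        return ("negotiate", None, False)
    return (scheme, None, False)


def exposed_password_users(headers):
    """Usernames whose password was handed to the web server in the clear."""
    return [
        user
        for _scheme, user, exposed in map(classify_auth_header, headers)
        if exposed and user
    ]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify_auth_header(h))
    print("password exposed for:", exposed_password_users(SAMPLE_HEADERS))
```

Run against real Authorization headers from a web server's request log, the second function lists which accounts would need a password change if that server were compromised.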

