[unisog] Centralized auth for web servers

Edgecombe, Jason jwedgeco at email.uncc.edu
Tue Jul 25 13:29:18 GMT 2006


I would recommend CAS or Shibboleth over mod_auth_kerb.

I know that with the preferred CAS setup, users only pass credentials to
the CAS servers. A service-offering web server redirects the user to the
CAS web server and the user is redirected back to the original host
after authenticating.

Sincerely,
Jason Edgecombe
TST Web Developer
Dean's Office, College of Arts & Sciences
UNC-Charlotte
Phone: (704) 687-4686 
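
The redirect-and-ticket flow described above, as an added illustration that is not part of the original message and not code from any CAS implementation: a constructed in-memory stand-in for the CAS server issues one-time service tickets, and the service host only ever redirects or validates a ticket, so the password never reaches it. Hostnames and the sample user are assumptions.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


class CasServer:
    """Constructed stand-in for the central CAS server: the only party that
    sees a password. A real CAS would check it against Kerberos/LDAP."""

    def __init__(self, users):
        self._users = users      # {username: password}, constructed sample data
        self._tickets = {}       # ticket -> (username, service it was issued for)

    def login(self, username, password, service):
        """Browser posts credentials here, never to the service host.
        Returns the URL the browser is sent back to, or None on failure."""
        if self._users.get(username) != password:
            return None
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket] = (username, service)
        return f"{service}?ticket={ticket}"

    def service_validate(self, ticket, service):
        """Back-channel check by the service. The ticket is consumed on first
        use and must match the service it was issued for."""
        entry = self._tickets.pop(ticket, None)
        if entry is None or entry[1] != service:
            return None
        return entry[0]


class ServiceHost:
    """A service-offering web server that never handles the password."""
    CAS_LOGIN = "https://cas.example.edu/cas/login"   # assumed CAS login URL

    def __init__(self, cas, url):
        self.cas, self.url = cas, url

    def handle(self, request_url):
        """Return ('redirect', url), ('ok', username) or ('deny', None)."""
        ticket = parse_qs(urlparse(request_url).query).get("ticket", [None])[0]
        if ticket is None:
            # No ticket yet: bounce the user to CAS, naming ourselves as the service.
            return ("redirect", f"{self.CAS_LOGIN}?{urlencode({'service': self.url})}")
        user = self.cas.service_validate(ticket, self.url)
        return ("ok", user) if user else ("deny", None)
```

A compromised service host in this model yields only short-lived, single-use tickets bound to its own URL, not reusable credentials.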

 

> -----Original Message-----
> From: unisog-bounces at lists.sans.org 
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of James J. Barlow
> Sent: Monday, July 24, 2006 6:03 PM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Centralized auth for web servers
> 
> On Mon, Jul 24, 2006 at 02:42:26PM -0700, Saqib Ali wrote:
> > I don't understand your question. How can compromising a service that is
> > participating in a Kerberized environment allow a miscreant to snag
> > passwords? In a "true" Kerberos environment the credentials
> > (username/password) are never passed to a service, only tickets are.
> > See:
> > http://xml-dev.com/blog/?action=viewtopic&id=21
> > for a description of how Kerberos works.
> > 
> > If your web servers are using SPNEGO, then a miscreant should never be
> > able to snag your passwords from the webservers.
> 
> Most servers are being set up with mod_auth_kerb: 
> 
>    http://modauthkerb.sourceforge.net/
> 
> The username and password are passed to the web server which then does
> the authentication.  Definitely not a true Kerberos service, but it has
> been used for years to deal with browsers that do not (and still do not)
> pass Kerberos tickets.
> 
> 
> > Or are you using MS Active Directory as an LDAP server, and not a true Kerberos?
> > 
> > On 7/24/06, James J. Barlow <jbarlow at ncsa.uiuc.edu> wrote:
> > > Was wondering if anyone else has any experience in a centralized web
> > > authentication application?  We seem to have more and more servers
> > > being set up at our site that accept Kerberos passwords (which authenticate
> > > against our centralized Kerberos servers), and it's making me a bit
> > > nervous.  I'm worried about one of those servers getting compromised
> > > and then a miscreant could snag lots of people's Kerberos passwords.
> > > I'd like a solution where the different web servers could use one server
> > > for authentication (which would then be centrally managed), and then
> > > use that authentication token/cookie, or whatever, for access to their pages.
> > >
> > > We have looked at Bluestem (https://www-s.uiuc.edu/bluestem/notes/overview.html)
> > > and were wondering what other sites may be using.  TIA.
> > >
> > >
> > > --
> > > James J. Barlow   <jbarlow at ncsa.uiuc.edu>
> > > Head of Security Operations and Incident Response
> > > National Center for Supercomputing Applications    Voice : (217)244-6403
> > > 1205 West Clark Street, Urbana, IL  61801           Cell : (217)840-0601
> > > http://www.ncsa.uiuc.edu/~jbarlow                    Fax : (217)244-1987
> > > _______________________________________________
> > > unisog mailing list
> > > unisog at lists.sans.org
> > > http://www.dshield.org/mailman/listinfo/unisog
> > >
> > 
> > 
> > -- 
> > Saqib Ali, CISSP, ISSAP
> > Support http://www.capital-punishment.net
> > -----------
> > "I fear, if I rebel against my Lord, the retribution of an Awful Day
> > (The Day of Resurrection)" Al-Quran 6:15
> > -----------
> 
> -- 
> James J. Barlow   <jbarlow at ncsa.uiuc.edu>
> Head of Security Operations and Incident Response
> National Center for Supercomputing Applications    Voice : (217)244-6403
> 1205 West Clark Street, Urbana, IL  61801           Cell : (217)840-0601
> http://www.ncsa.uiuc.edu/~jbarlow                    Fax : (217)244-1987
> 


