mod auth pubtkt
play

mod_auth_pubtkt a pragmatic Web Single Sign-On solution by Manuel - PowerPoint PPT Presentation

Jan 07, 2024 •23 likes •243 views

mod_auth_pubtkt a pragmatic Web Single Sign-On solution by Manuel Kasper, Monzoon Networks AG mkasper@monzoon.net The login hell mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008 Solutions use client

  1. mod_auth_pubtkt a pragmatic Web Single Sign-On solution by Manuel Kasper, Monzoon Networks AG mkasper@monzoon.net

  2. The login hell mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008

  3. Solutions • use client certificates and OCSP – and get killed by end users? – still only AuthN, no (centralized) AuthZ • use LDAP – users still need to log in for each server → not SSO • SPNEGO/GSSAPI/Kerberos/NTLM – Integrated Windows Authentication → MS centric – not supported by all browsers mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008

  4. Solutions • Shibboleth – very powerful... and very bloated • Pubcookie – basically a nice solution (a bit complicated to set up) – no AuthZ • CoSign – promising, but still a bit too complicated – service web servers communicate with login server mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008

  5. Solutions • use a commercial solution – not our goal mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008

  6. There’s one more... • mod_auth_tkt – operates on simple “ticket” cookies – open login server implementation (example CGI script + library provided) – flexible and quite easy to use – uses keyed MD5 to authenticate tickets mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008

  7. Enter mod_auth_pubtkt • mod_auth_pubtkt – based (loosely) on mod_auth_tkt – uses public-key cryptography instead of MD5 – DSA and RSA supported – private key only known to login server mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008

  8. How it works Web server Login server Client foo.example.com sso.example.com Initial request Redir to login server Login request (user/pass) authenticate Redirect to web server + Request + check cookie Response domain cookie *.example.com ... mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008

  9. Anatomy of a ticket uid=mkasper;cip=192.168.200.163;validuntil=1201383542; tokens=foo,bar;udata=mydata;sig=MC0CFDkCxODPml+cEvAuO +o5w7jcvv/UAhUAg/Z2vSIjpRhIDhvu7UXQLuQwSCF= expiration date (UNIX timestamp) client IP address (optional) user ID (REMOTE_USER environment variable) mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008

  10. Anatomy of a ticket uid=mkasper;cip=192.168.200.163;validuntil=1201383542; tokens=foo,bar;udata=mydata;sig=MC0CFDkCxODPml+cEvAuO +o5w7jcvv/UAhUAg/Z2vSIjpRhIDhvu7UXQLuQwSCF= user data (optional) Tokens (think of groups) mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008

  11. Anatomy of a ticket uid=mkasper;cip=192.168.200.163;validuntil=1201383542; tokens=foo,bar;udata=mydata;sig=MC0CFDkCxODPml+cEvAuO +o5w7jcvv/UAhUAg/Z2vSIjpRhIDhvu7UXQLuQwSCF= RSA SHA1 Base64 DSA Private key mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008

  12. Generating the key pair DSA # openssl dsaparam -out dsaparam.pem 1024 # openssl gendsa -out privkey.pem dsaparam.pem # openssl dsa -in privkey.pem -out pubkey.pem -pubout RSA # openssl genrsa -out privkey.pem 1024 # openssl rsa -in privkey.pem -out pubkey.pem -pubout mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008

  13. DSA vs. RSA • it doesn’t really matter – in doubt use RSA Signature Verification size speed 64 bytes ~400/sec. DSA RSA 172 bytes ~4000/sec. * 1024-bit key/modulus, P4 2.8 GHz, size including Base64 encoding mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008

  14. Web server configuration LoadModule auth_pubtkt_module libexec/apache/mod_auth_pubtkt.so AddModule mod_auth_pubtkt.c # Apache 1.3 only mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008

  15. Web server configuration <VirtualHost *:80> ServerName myserver.example.com DocumentRoot /path/to/my/htdocs path to public TKTAuthPublicKey /etc/apache2/tkt_pubkey.pem key file <Directory /path/to/my/htdocs> redirection URLs (for Order Allow,Deny unauthenticated clients etc.) Allow from all AuthType Basic TKTAuthLoginURL https://sso.example.com/login TKTAuthTimeoutURL https://sso.example.com/login?timeout=1 TKTAuthUnauthURL https://sso.example.com/login?unauth=1 TKTAuthToken "myserver" require valid-user </Directory> (optional) tokens required in ticket </VirtualHost> mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008

  16. Windows version • pre-compiled binaries available – painstakingly compiled by me... ;) mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008

  17. Login server • simple PHP library (and example login script) provided – function pubtkt_generate($privkeyfile, $privkeytype, $uid, $clientip, $validuntil, $tokens, $udata) • easy to implement in any language that allows access to OpenSSL – even if only to the command-line openssl binary mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008

  18. Disadvantages of mod_auth_pubtkt • for Apache only – writing an IIS module should be feasible • current version relies on domain cookies – all web servers must be in the same domain – rogue web server could steal ticket ( → use secure cookies; embed client’s IP address in ticket) • no “ticket refreshing” – probably a bad idea from a security point of view anyway mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008

  19. Live demonstration mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008

  20. Where to get it http://neon1.net/mod_auth_pubtkt mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008

  21. Questions? ? http://neon1.net/mod_auth_pubtkt mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008

  22. Thank you Thank you for your attention! mod_auth_pubtkt ::: Manuel Kasper, Monzoon Networks AG ::: SwiNOG 16, 14.5.2008

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MOEBIUS Mobility Management Application Niavi Stefania AUTh IT Center Liolios Nikos AUTh

MOEBIUS Mobility Management Application Niavi Stefania AUTh IT Center Liolios Nikos AUTh

MOEBIUS Mobility Management Application Niavi Stefania AUTh IT Center Liolios Nikos AUTh Department of European Educational Programmes 1 Moebius - AUTh, Greece Main challenges of mobility management 1. Large volume of bilateral agreements

483 views • 30 slides
O H! H! Auth th Implementation pitfalls &amp; the auth providers who have fell in it

O H! H! Auth th Implementation pitfalls &amp; the auth providers who have fell in it

H! H! O H! H! Auth th Implementation pitfalls &amp; the auth providers who have fell in it @samitanwer1 samit.anwer@gmail.com C: C:\&gt;whoami Samit Anwer Product Security Team @Citrix Web/Mobile App Security Enthusiast

724 views • 58 slides
Message Authentication Codes Auth. with MAC Security Algorithms CSS441: Security and

Message Authentication Codes Auth. with MAC Security Algorithms CSS441: Security and

CSS441 Introduction Functions Auth. with Encryption Message Authentication Codes Auth. with MAC Security Algorithms CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

673 views • 21 slides
Turning AUTh into e-University Pinelopi Giovanitsa, Academic Support IT Center introduction 2

Turning AUTh into e-University Pinelopi Giovanitsa, Academic Support IT Center introduction 2

Turning AUTh into e-University Pinelopi Giovanitsa, Academic Support IT Center introduction 2 learning management systems in AUTh centra eClass blackboard moodle 3 timeline of transition September 2014 March 2014 eLearning on

526 views • 16 slides
Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications

Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications

Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications Injection, broken authentication , XSS, CSRF, etc. Checklist of 23 Node.js security best practices Auth: Authentication, authorization, and

336 views • 30 slides
General LTL Specification Mining Caroline Lemieux , Dennis Park and Ivan Beschastnikh University

General LTL Specification Mining Caroline Lemieux , Dennis Park and Ivan Beschastnikh University

login attempt auth failed login attempt guest login login attempt authorized Texada auth failed login attempt G( x XF y ) login attempt G( guest login XF authorized ) guest login authorized auth failed login attempt Authorized

1.11k views • 59 slides
Let us l s lea ead d you ou t to a an AUTH THENT NTIC TE TEXAS RA RANC NCH E EXPERI

Let us l s lea ead d you ou t to a an AUTH THENT NTIC TE TEXAS RA RANC NCH E EXPERI

Let us l s lea ead d you ou t to a an AUTH THENT NTIC TE TEXAS RA RANC NCH E EXPERI RIENC NCE!!! JUST ST 2 25 MINU INUTES f fro rom DO DOWNTOWN SA SAN ANTONI NIO Guests Choose fro rom one of our r thre ree Uniq ique

187 views • 16 slides
Scientific Program HMC2016 4th Historic Mortars Conference Organizing Committee Papayianni

Scientific Program HMC2016 4th Historic Mortars Conference Organizing Committee Papayianni

HMC2016 4th Historic Mortars Conference Scientific Program HMC2016 4th Historic Mortars Conference Organizing Committee Papayianni Ioanna Professor AUTH Stefanidou Maria Associate Professor AUTH Palyvou Clairy Emeritus Professor AUTH Pachta

95 views • 5 slides
Afzaal zaal Mau auth thoor oor Mad Scientist. Travel Entrepreneur. Philanthropist Co

Afzaal zaal Mau auth thoor oor Mad Scientist. Travel Entrepreneur. Philanthropist Co

Afzaal zaal Mau auth thoor oor Mad Scientist. Travel Entrepreneur. Philanthropist Co Co-found under er - Inspi pired ed Esca capes pes Founder der - The e Philanth lanthropy y Club b London on In every rything thing I do I

326 views • 16 slides
Environmental Informatics ICT for the Environment Kostas Karatzas Informatics Applications

Environmental Informatics ICT for the Environment Kostas Karatzas Informatics Applications

Environmental Informatics ICT for the Environment Kostas Karatzas Informatics Applications and Systems Group Dept. of Mechanical E ngineering Aristotle University of Thessaloniki kkara@ eng.auth.gr , http:/ / isag.meng.auth.gr

1.56k views • 107 slides
Big Data Analytics with Apache Apostolos N. Papadopoulos (Associate Prof.)

Big Data Analytics with Apache Apostolos N. Papadopoulos (Associate Prof.)

chiPSet Training School, September 2017, Novi Sad, Serbia Big Data Analytics with Apache Apostolos N. Papadopoulos (Associate Prof.) (papadopo@csd.auth.gr, http://datalab.csd.auth.gr/~apostol) Data Science &amp; Engineering Lab Department of

934 views • 81 slides
Introduction to the urban environment Kostas Karatzas Informatics A pplications and Systems

Introduction to the urban environment Kostas Karatzas Informatics A pplications and Systems

Introduction to the urban environment Kostas Karatzas Informatics A pplications and Systems Group Dept. of Mechanical E ngineering A ristotle University of Thessalonik i k k ara@ eng.auth.gr , http:/ / isag.meng.auth.gr Contents Part A:

983 views • 76 slides
An Information-Theoretic Approach to Detecting Changes in Multi-Dimensional Data Streams Auth

An Information-Theoretic Approach to Detecting Changes in Multi-Dimensional Data Streams Auth

An Information-Theoretic Approach to Detecting Changes in Multi-Dimensional Data Streams Auth thors: Presentatio ion: Dasu, T., Krishnan, S., Vincent Chu Venkatasubramanian, S., 22 November 2017 &amp; Yi, K. (2006). Content Introduction

512 views • 48 slides
An Introduction to Apostolos N. Papadopoulos (papadopo@csd.auth.gr) Assistant Professor Data

An Introduction to Apostolos N. Papadopoulos (papadopo@csd.auth.gr) Assistant Professor Data

An Introduction to Apostolos N. Papadopoulos (papadopo@csd.auth.gr) Assistant Professor Data Engineering Lab Department of Informatics Aristotle University of Thessaloniki Thessaloniki Greece 1 Outline What is Spark? Basic features

951 views • 64 slides
CMC's &amp; The FCA Jeremy Smith Director B-Compliant Ltd Do I I need to be auth thoris

CMC's &amp; The FCA Jeremy Smith Director B-Compliant Ltd Do I I need to be auth thoris

CMC's &amp; The FCA Jeremy Smith Director B-Compliant Ltd Do I I need to be auth thoris ised? CMR Regulated Seeking out persons who may have a claim Referring details of a claim or potential claim or potential claimant to another

96 views • 7 slides
Usi Using Stew tewar ardsh ship Au Auth thor ority y to Advan to Advance ce Restor

Usi Using Stew tewar ardsh ship Au Auth thor ority y to Advan to Advance ce Restor

Collaborative restoration Workshop april, 2016 Usi Using Stew tewar ardsh ship Au Auth thor ority y to Advan to Advance ce Restor Restorati tion on Rebecca B cca Barn rnar ard National Forestry Programs Manager

669 views • 21 slides
Constraint Programming 1. Introduction MapReduced 2. Related Work 3. Our Search Tree

Constraint Programming 1. Introduction MapReduced 2. Related Work 3. Our Search Tree

Constraint Programming MapReduced Nikolaos Pothitos, Panagiotis Stamatopoulos Constraint Programming 1. Introduction MapReduced 2. Related Work 3. Our Search Tree Partitioning Schema Nikolaos Pothitos Panagiotis Stamatopoulos

225 views • 20 slides
Pair Programming By Hanchao Wu Outline What is Pair Programming History Motivation

Pair Programming By Hanchao Wu Outline What is Pair Programming History Motivation

Pair Programming By Hanchao Wu Outline What is Pair Programming History Motivation Techniques Why it works Poblems Challenges When it is not working Conclusion Page Page Page Page 2 2 2

393 views • 36 slides
Django Web Framework Zhaojie Zhang CSCI5828 Class Presenta=on

Django Web Framework Zhaojie Zhang CSCI5828 Class Presenta=on

Django Web Framework Zhaojie Zhang CSCI5828 Class Presenta=on 03/20/2012 Outline Web frameworks Why python? Why Django? Introduc=on to Django An

445 views • 40 slides
Eroding the EARTH!!!!!!!!!! With Matlab!!!!! by matt hoffman It's as easy as 1.... find a cool

Eroding the EARTH!!!!!!!!!! With Matlab!!!!! by matt hoffman It's as easy as 1.... find a cool

Eroding the EARTH!!!!!!!!!! With Matlab!!!!! by matt hoffman It's as easy as 1.... find a cool spot! .....2.......... nice XYZ topographic matrix! Topographic data for ANY location on earth can be acquired from

117 views • 7 slides
Ndwakhulu Mukhufhi CEO Outline of Talk Africa Continent of Wonders (+ve &amp; ve)

Ndwakhulu Mukhufhi CEO Outline of Talk Africa Continent of Wonders (+ve &amp; ve)

Ndwakhulu Mukhufhi CEO Outline of Talk Africa Continent of Wonders (+ve &amp; ve) Challenges in Emerging Economies The Intra African System of Metrology The CIPM MRA in Africa What is Needed to grow Metrology? Africa,

513 views • 34 slides
Gambas 2.0 RC 1 Two years of development since the release of Gambas 1.0. Seven years

Gambas 2.0 RC 1 Two years of development since the release of Gambas 1.0. Seven years

G ambas A lmost M eans BAS IC ...really? Gambas 2.0 RC 1 Two years of development since the release of Gambas 1.0. Seven years since the first beginning. 400,000+ lines of code. About 350 classes. Quick introduction

480 views • 23 slides
Using SQL/MX DBS Demo using iTP webserver May 2018 Frans Jongma, Advanced Technology Center A

Using SQL/MX DBS Demo using iTP webserver May 2018 Frans Jongma, Advanced Technology Center A

Using SQL/MX DBS Demo using iTP webserver May 2018 Frans Jongma, Advanced Technology Center A guided tour through SQL/MX DBS using iTP Webserver Requirements NonStop System iTP Webserver running Firefox or Chrome browser

338 views • 22 slides
Java CPD (I) Frans Coenen Department of Computer Science Content Session 1, 12:45-14:30

Java CPD (I) Frans Coenen Department of Computer Science Content Session 1, 12:45-14:30

Java CPD (I) Frans Coenen Department of Computer Science Content Session 1, 12:45-14:30 (First Java Programme, Inheritance, Arithmetic) Session 2, 14:45-16:45 (Input and Programme Constructs) Materials at:

635 views • 60 slides

More recommend