SPNEGO APIs and Apache modules

Nebergall, Christopher cneberg at sandia.gov
Thu Sep 4 14:39:36 EDT 2003


If you hammer on a page with Internet Explorer, it will send what MIT
Kerberos considers replays of the gss-init-sec-context tokens.  So in order
to get around this you either need to always use SSL and disable the replay
cache on the server (unless the API has changed in recent versions of MIT
Kerberos, there is no API to do this), or it might also work to tweak
MIT's replay cache to include sequence numbers. (MS seems to pick a random
number for their initial sequence number, and these seem to change with each
request.)

-Christopher Nebergall
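
A toy model of the two replay-cache keys discussed above, added here as an illustration and not taken from MIT Kerberos or from this message. It assumes the stock cache keys on client, server and client timestamp, and that requests sent in quick succession carry the same timestamp; `struct authent`, `struct rcache`, `rc_check_store` and `count_rejected` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model, not MIT's rcache code; field names follow the Kerberos Authenticator. */
struct authent {
    const char *client, *server;   /* principals */
    int32_t ctime, cusec;          /* client timestamp */
    uint32_t seq;                  /* initial sequence number */
};
struct rcache {
    struct authent seen[64];
    int count, use_seq;            /* use_seq: 1 = sequence number is part of the key */
};
static int same_key(const struct rcache *rc, const struct authent *a,
                    const struct authent *b)
{
    if (strcmp(a->client, b->client) || strcmp(a->server, b->server)) return 0;
    if (a->ctime != b->ctime || a->cusec != b->cusec) return 0;
    return !rc->use_seq || a->seq == b->seq;
}

/* 1 = replay, 0 = stored as new, -1 = cache full (caller should reject). */
int rc_check_store(struct rcache *rc, const struct authent *a)
{
    for (int i = 0; i < rc->count; i++)
        if (same_key(rc, &rc->seen[i], a)) return 1;
    if (rc->count == 64) return -1;
    rc->seen[rc->count++] = *a;
    return 0;
}

/* Constructed burst: three requests carrying the same timestamp. */
int count_rejected(int use_seq)
{
    struct rcache rc = { .count = 0, .use_seq = use_seq };
    const char *c = "user@EXAMPLE.COM", *s = "HTTP/www.example.com@EXAMPLE.COM";
    struct authent burst[] = {
        { c, s, 1062700776, 0, 0x3a91c2e7u },
        { c, s, 1062700776, 0, 0x0b44f019u },  /* same time, new seq */
        { c, s, 1062700776, 0, 0x3a91c2e7u },  /* exact resend */
    };
    int rejected = 0;
    for (size_t i = 0; i < sizeof burst / sizeof burst[0]; i++)
        rejected += rc_check_store(&rc, &burst[i]) != 0;
    return rejected;
}

int main(void) { printf("%d %d\n", count_rejected(0), count_rejected(1)); return 0; }
```

With the sequence number in the key, the second request is accepted as new while the exact resend is still rejected.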

-----Original Message-----
From: Frank Balluffi
To: kerberos at MIT.EDU; krbdev at MIT.EDU
Sent: 9/3/2003 8:18 PM
Subject: SPNEGO APIs and Apache modules

Markus Moeller and I have made SPNEGO C APIs and Apache modules
available at https://sourceforge.net/projects/modgssapache/. The project
contains three packages:

fbopenssl
mod_spnego
modgssapache

fbopenssl (for lack of a better name) is a library of extensions to
OpenSSL, including APIs for GSS-API and SPNEGO ASN.1 messages (or PDUs).
fbopenssl has been tested on Linux, Microsoft Windows and Sun Solaris.
fbopenssl still needs to be tested for memory leaks using a tool like
Purify.

mod_spnego is an Apache 2.0 SPNEGO module that supports Kerberos
authentication and user-level authorization. mod_spnego uses fbopenssl,
MIT GSS-API and OpenSSL. mod_spnego has been tested on Linux, Microsoft
Windows and Sun Solaris using Microsoft Internet Explorer 6.0. Currently,
mod_spnego does not support Apache 1.3 and group-level authorization.

modgssapache is a modified version of the Apache 1.3 GSS-API module
located at http://meta.cesnet.cz/software/heimdal/negotiate.en.html. This
version has been modified to support SPNEGO using open-source SPNEGO APIs
from Microsoft. modgssapache has been tested on Linux and Sun Solaris.

Frank

_______________________________________________
krbdev mailing list             krbdev at mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev