SPNEGO APIs and Apache modules

Markus Moeller markus_moeller at compuserve.com
Tue Sep 9 14:37:48 EDT 2003


Christopher,

I did look into this and saw that especially if I click refresh I get replay
attack errors in the logfile and a popup window requesting authentication.

Thanks
Markus

----- Original Message ----- 
From: "Frank Balluffi" <fballuffi at hotmail.com>
To: <cneberg at sandia.gov>
Cc: <markus_moeller at compuserve.com>
Sent: Thursday, September 04, 2003 9:55 PM
Subject: RE: SPNEGO APIs and Apache modules


>
> Christopher,
>
> Markus did some investigation of this, but we still need to do a lot more
> testing. Thanks for the information.
>
> Frank
>
>
> >From: "Nebergall, Christopher" <cneberg at sandia.gov>
> >To: "'Frank Balluffi '" <fballuffi at hotmail.com>,"'kerberos at MIT.EDU '"
> ><kerberos at MIT.EDU>,"'krbdev at MIT.EDU '" <krbdev at MIT.EDU>
> >Subject: RE: SPNEGO APIs and Apache modules
> >Date: Thu, 4 Sep 2003 12:39:36 -0600
> >
> >If you hammer on a page with Internet Explorer it will send what MIT
> >Kerberos considers replays of the gss-init-sec-context tokens.  So in order
> >to get around this you either need to always use SSL and disable the replay
> >cache on the server, (Which unless the api has changed in recent versions of
> >MIT Kerberos there is no api to do this), or it might also work to tweak
> >MIT's replay cache to include sequence numbers. (MS seems to pick a random
> >number for their initial sequence number, and these seem to change with each
> >request.)
> >
> >-Christopher Nebergall
> >
> >-----Original Message-----
> >From: Frank Balluffi
> >To: kerberos at MIT.EDU; krbdev at MIT.EDU
> >Sent: 9/3/2003 8:18 PM
> >Subject: SPNEGO APIs and Apache modules
> >
> >Markus Moeller and I have made SPNEGO C APIs and Apache modules available at
> >https://sourceforge.net/projects/modgssapache/. The project contains three
> >packages:
> >
> >fbopenssl
> >mod_spnego
> >modgssapache
> >
> >fbopenssl (for lack of a better name) is a library of extensions to OpenSSL,
> >including APIs for GSS-API and SPNEGO ASN.1 messages (or PDUs). fbopenssl
> >has been tested on Linux, Microsoft Windows and Sun Solaris. fbopenssl still
> >needs to be tested for memory leaks using a tool like Purify.
> >
> >mod_spnego is an Apache 2.0 SPNEGO module that supports Kerberos
> >authentication and user-level authorization. mod_spnego uses fbopenssl, MIT
> >GSS-API and OpenSSL. mod_spnego has been tested on Linux, Microsoft Windows
> >and Sun Solaris using Microsoft Internet Explorer 6.0. Currently, mod_spnego
> >does not support Apache 1.3 and group-level authorization.
> >
> >modgssapache is a modified version of the Apache 1.3 GSS-API module located
> >at http://meta.cesnet.cz/software/heimdal/negotiate.en.html. This version
> >has been modified to support SPNEGO using open-source SPNEGO APIs from
> >Microsoft. modgssapache has been tested on Linux and Sun Solaris.
> >
> >Frank
> >
>
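
The replay-cache behaviour discussed in this thread, as an added example that is not part of any message above and is not code from MIT Kerberos, mod_spnego or modgssapache: a simplified C model of a replay cache, run once with the sequence number left out of the lookup key and once with it included. The struct, function names and sample values are constructed for illustration, and keying the cache on client, server and authenticator timestamp is an assumption of this model.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of one replay-cache record; all names are hypothetical. */
struct rc_entry {
    char client[64], server[64];
    long ctime;        /* authenticator timestamp, seconds */
    int cusec;         /* authenticator timestamp, microseconds */
    unsigned int seq;  /* initial sequence number sent by the client */
};
struct rc_cache { struct rc_entry e[16]; int n; };

/* Records match when every keyed field is equal; seq is keyed only if use_seq. */
static int rc_same(const struct rc_entry *a, const struct rc_entry *b, int use_seq)
{
    return strcmp(a->client, b->client) == 0 && strcmp(a->server, b->server) == 0
        && a->ctime == b->ctime && a->cusec == b->cusec && (!use_seq || a->seq == b->seq);
}

/* Returns 0 and stores the record if unseen, -1 on replay, -2 if the cache is full. */
int rc_check_store(struct rc_cache *c, const struct rc_entry *in, int use_seq)
{
    for (int i = 0; i < c->n; i++)
        if (rc_same(&c->e[i], in, use_seq)) return -1;
    if (c->n == 16) return -2;
    c->e[c->n++] = *in;
    return 0;
}

/* Constructed sample: a first request, a refresh that differs only in its sequence
 * number, then an identical resend of that refresh. Returns a bitmask of rejected
 * requests (bit 0 = first, bit 1 = refresh, bit 2 = resend). */
int run_sample(int use_seq)
{
    struct rc_cache c = { .n = 0 };
    struct rc_entry first = { "user@EXAMPLE.COM", "HTTP/www.example.com@EXAMPLE.COM",
                              1062700776L, 123456, 0x1a2b3c4dU };
    struct rc_entry refresh = first;
    int rejected = 0;
    refresh.seq = 0x5e6f7081U;
    if (rc_check_store(&c, &first, use_seq) != 0)   rejected |= 1;
    if (rc_check_store(&c, &refresh, use_seq) != 0) rejected |= 2;
    if (rc_check_store(&c, &refresh, use_seq) != 0) rejected |= 4;
    return rejected;
}

int main(void)
{
    printf("key without seq: mask %d, key with seq: mask %d\n", run_sample(0), run_sample(1));
    return 0;
}
```

In this model the refresh is rejected when the sequence number is not keyed, and accepted when it is, while the identical resend is rejected in both runs.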



