SPNEGO APIs and Apache modules
markus_moeller at compuserve.com
Tue Sep 9 14:37:48 EDT 2003
I did look into this and saw that especially if I click refresh I get replay
attack errors in the logfile and a popup window requesting authentication.
----- Original Message -----
From: "Frank Balluffi" <fballuffi at hotmail.com>
To: <cneberg at sandia.gov>
Cc: <markus_moeller at compuserve.com>
Sent: Thursday, September 04, 2003 9:55 PM
Subject: RE: SPNEGO APIs and Apache modules
> Markus did some investigation of this, but we still need to do a lot more
> testing. Thanks for the information.
> >From: "Nebergall, Christopher" <cneberg at sandia.gov>
> >To: "'Frank Balluffi '" <fballuffi at hotmail.com>,"'kerberos at MIT.EDU '"
> ><kerberos at MIT.EDU>,"'krbdev at MIT.EDU '" <krbdev at MIT.EDU>
> >Subject: RE: SPNEGO APIs and Apache modules
> >Date: Thu, 4 Sep 2003 12:39:36 -0600
> >If you hammer on a page with Internet Explorer it will send what MIT
> >Kerberos considers replays of the gss-init-sec-context tokens. So in
> >to get around this you either need to always use SSL and disable the
> >cache on the server, (Which unless the api has changed in recent versions
> >MIT Kerberos there is no api to do this), or it might also work to tweak
> >MIT's replay cache to include sequence numbers. (MS seems to pick a
> >number for their initial sequence number, and these seem to change with
> >-Christopher Nebergall
> >-----Original Message-----
> >From: Frank Balluffi
> >To: kerberos at MIT.EDU; krbdev at MIT.EDU
> >Sent: 9/3/2003 8:18 PM
> >Subject: SPNEGO APIs and Apache modules
> >Markus Moeller and I have made SPNEGO C APIs and Apache modules
> >available at
> >https://sourceforge.net/projects/modgssapache/. The project contains
> >fbopenssl (for lack of a better name) is a library of extensions to
> >including APIs for GSS-API and SPNEGO ASN.1 messages (or PDUs).
> >has been tested on Linux, Microsoft Windows and Sun Solaris. fbopenssl
> >needs to be tested for memory leaks using a tool like Purify.
> >mod_spnego is an Apache 2.0 SPNEGO module that supports Kerberos
> >authentication and user-level authorization. mod_spnego uses fbopenssl,
> >GSS-API and OpenSSL. mod_spnego has been tested on Linux, Microsoft
> >and Sun Solaris using Microsoft Internet Explorer 6.0. Currently,
> >does not support Apache 1.3 and group-level authorization.
> >modgssapache is a modified version of the Apache 1.3 GSS-API module
> >at http://meta.cesnet.cz/software/heimdal/negotiate.en.html. This
> >has been modified to support SPNEGO using open-source SPNEGO APIs from
> >Microsoft. modgssapache has been tested on Linux and Sun Solaris.
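The replay-cache point raised in this thread, as an added example that is not part of the original messages and is not MIT Kerberos code: a toy cache keyed on (client, server, ctime, cusec), next to the same cache with the initial sequence number added to the key. The class and field names, principals, timestamps, and the premise that two distinct tokens carry the same timestamp are assumptions constructed for illustration.

```python
from dataclasses import dataclass

CLOCK_SKEW = 300  # seconds an entry stays in the cache (assumed value)


@dataclass(frozen=True)
class Authenticator:
    """Constructed stand-in for the fields a replay cache looks at."""
    client: str
    server: str
    ctime: int       # client timestamp, seconds
    cusec: int       # client timestamp, microseconds
    seq_number: int  # initial sequence number chosen by the client


class ReplayCache:
    """Toy replay cache; include_seq adds the sequence number to the key."""

    def __init__(self, include_seq=False):
        self.include_seq = include_seq
        self.seen = {}  # key -> expiry time

    def _key(self, a):
        key = (a.client, a.server, a.ctime, a.cusec)
        return key + (a.seq_number,) if self.include_seq else key

    def check_and_store(self, a, now):
        """Return True if the authenticator is accepted, False if it is a replay."""
        # Drop entries that have aged out of the clock-skew window.
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        key = self._key(a)
        if key in self.seen:
            return False
        self.seen[key] = now + CLOCK_SKEW
        return True


def run(include_seq):
    """Feed two distinct tokens with one timestamp, then a byte-identical resend."""
    now = 1_062_700_000  # constructed timestamp
    user, svc = "user@EXAMPLE.COM", "HTTP/www.example.com@EXAMPLE.COM"
    first = Authenticator(user, svc, now, 0, 1111)
    second = Authenticator(user, svc, now, 0, 2222)  # same time, new sequence number
    cache = ReplayCache(include_seq)
    return [cache.check_and_store(a, now) for a in (first, second, first)]


if __name__ == "__main__":
    print("timestamp-only key:   ", run(False))
    print("key with seq number:  ", run(True))
```

With the sequence number in the key, the second token is no longer rejected as a false replay, while the identical resend of the first token is still refused.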