
#16 Stop passing password through to web applications

functionality
open
nobody
5
2010-03-18
2010-03-18
Anonymous
No

When using KrbMethodK5Passwd, it is possible to see the user-entered password from a PHP script by reading the variable $_SERVER["PHP_AUTH_PW"]. I think there must be an option to remove this value from the list of headers passed through to scripts and applications - I think PHP is not the only thing able to get this value.

Just check with this script:
<?php
// Reporter's check script: prints the request time, the authenticated user,
// the auth type and, if the module passed it through, the user's password.
echo date('j.n.Y H:i:s').'<br/>';
echo $_SERVER["REMOTE_USER"].'<br/>';
echo $_SERVER["AUTH_TYPE"].'<br/>';
echo $_SERVER["PHP_AUTH_PW"].'<br/>';
?>
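One way to get the behaviour the report asks for without a module change, as an added example that is not part of this ticket or of mod_auth_kerb: let mod_headers drop the Authorization header after authentication has succeeded, so the handler (PHP here) never sees the Basic credentials from which PHP_AUTH_PW is populated. The realm, keytab path and URL are placeholders.

```apache
# Added example, not from the ticket: hide the user's password from the
# application once mod_auth_kerb has verified it via KrbMethodK5Passwd.
# Realm, keytab path and URL below are placeholders.
LoadModule headers_module modules/mod_headers.so

<Location "/protected">
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/httpd/conf/http.keytab
    Require valid-user

    # Weak: with only the directives above, the browser's
    # "Authorization: Basic base64(user:password)" header is handed on to
    # the handler, and PHP exposes the password as $_SERVER["PHP_AUTH_PW"].

    # Mitigation: RequestHeader runs in the fixup phase by default, i.e.
    # after the authentication hooks, so mod_auth_kerb has already checked
    # the password when the header is removed, but PHP never receives it.
    # Do NOT add the "early" keyword here: that would strip the header
    # before authentication and every request would be answered with 401.
    RequestHeader unset Authorization
</Location>
```

With this in place the reporter's check script still prints REMOTE_USER and AUTH_TYPE (both set by the auth module, not taken from the header), while PHP_AUTH_PW is no longer populated.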

Discussion

  • Anonymous

    Anonymous - 2010-03-18

    That was my report - I just forgot to log in.

  • Robert J Townley

    If the idea of this module is for users to use their preexisting freeipa or ActiveDirectory credentials as a logon for a website, then something is wrong - very wrong.

    If this Apache module does real Kerberos, a client's password would never have to be sent to the web server. The client may need to send their password to the central Kerberos key distribution center (Domain Controller) and then get a ticket for the kerberized Apache website from the ticket granting server. The ticket would then be presented to the kerberized Apache web server for mutual authentication. Again, done right, the web server should never ever receive a password.

  • Anonymous

    Anonymous - 2010-05-13

    It might not be the optimal way to check the users' credentials. But when you offer several different services to users, it is much simpler to use a web-server-side password check than to implement a single sign-on solution into each of these services.
    Why? Because server-side password checks are standardized and easy to handle for each application, so many of them are already able to use that by simply changing some configuration options. For single sign-on you have to install at least third-party modules, or you even have to do some programming of your own to connect them to the login service.

    Another thing:
    You never have control over all browsers in the world. Just think of iPod users using your site - they will never be able to do a Kerberos login to a web site. And there are also old Internet Explorer users. By the way, a Kerberos server should never be reachable directly from the internet. That is the reason you made the option to do server-side credential checks. And when you provide such an option, you should also provide an option to hide the password when it is not needed anymore.

