Thread: [modauthkerb] Problems with SaveCredentials and KrbLifetime
From: <rbr...@pi...> - 2007-08-10 10:22:28

Hi all,

We still have some problems with our Kerberos authentication ... every 5 minutes it pops up the login window and I do not know why ...

I have set up the savecredentials and the krblifetime flag, but krblifetime is not recognized; the error log still says misspelled or not included. What am I doing wrong? Here is the config of the .htaccess file ... thanks for helping ...

# Kerberos for user auth
AuthType KerberosV5
KrbAuthRealms STANS.PILATUS-AIRCRAFT.COM
KrbServiceName HTTP
Krb5Keytab /usr/local/httpd/conf/krb/chsts052_keytab
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbSaveCredentials on
#KrbExpireReauth On    #Do not work, misspelled or not included????
#KrbLifetime 600       #Do not work, misspelled or not included????

Kind regards
Brühlmann Reto
Head of LII Web & Security
Webmaster, Sys - and Security Administrator
Pilatus Aircraft Ltd

From: Mikkel K. J. <mi...@li...> - 2007-08-10 10:29:21

Hi Brühlmann

Have you tried to set:

KrbVerifyKDC off

/Mikkel

From: <rbr...@pi...> - 2007-08-10 11:20:23

Hi Mikkel...

Is this not a security hole then? I remember something about KrbVerifyKDC, that it is not recommended to disable it? Am I wrong about this?

Reto

From: Mikkel K. J. <mi...@li...> - 2007-08-10 11:31:39

Hi Reto

I think you are right, it has some security problems with replay. But I really don't know much about it.

Maybe someone here could explain the KrbVerifyKDC?

/Mikkel

From: Henry B. H. <ho...@jp...> - 2007-08-10 19:15:28

KrbVerifyKDC will prevent someone from spoofing your KDC to the web server. It's only relevant if you are prompting for passwords, and not if "negotiate" is being used. I think there's a pretty good description of the issue in the Kerberos FAQ.

I'd say the option might be useful for debugging, but a bad thing to deploy with.

For the other options you might take a look at <http://modauthkerb.sourceforge.net/configure.html> since you are talking about options I have not seen or used with mod_auth_kerb.
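
Added example, not part of the thread and not mod_auth_kerb code: a small Python check for the two issues raised above, Krb* directives the module does not define and KrbVerifyKDC off while password authentication is enabled. The directive list and the "on" defaults are assumptions taken from the mod_auth_kerb documentation; lint() and SAMPLE are hypothetical names.

```python
# Directive names assumed from mod_auth_kerb's documented set; verify against
# the module version you run. Apache matches directive names case-insensitively.
KNOWN = {
    "krbauthrealms", "krbservicename", "krb5keytab", "krb4srvtab",
    "krbmethodnegotiate", "krbmethodk5passwd", "krbmethodk4passwd",
    "krbauthoritative", "krbverifykdc", "krbsavecredentials",
    "krblocalusermapping", "krbdelegatebasic",
}

# Constructed sample: the thread's .htaccess with its two commented-out
# directives enabled and the suggested "KrbVerifyKDC off" added.
SAMPLE = """\
# Kerberos for user auth
AuthType KerberosV5
KrbAuthRealms STANS.PILATUS-AIRCRAFT.COM
KrbServiceName HTTP
Krb5Keytab /usr/local/httpd/conf/krb/chsts052_keytab
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbSaveCredentials on
KrbVerifyKDC off
KrbExpireReauth On
KrbLifetime 600
"""

def lint(text):
    """Return (line, finding, directive) tuples for a Krb* config fragment."""
    findings, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        key = parts[0].lower()
        seen[key] = (n, parts[1].strip().lower() if len(parts) > 1 else "")
        if key.startswith("krb") and key not in KNOWN:
            # Apache refuses such lines with the "misspelled or not
            # included" error reported in the thread.
            findings.append((n, "unknown-directive", parts[0]))
    # Assumed module defaults when a directive is absent: both "on".
    passwd_on = seen.get("krbmethodk5passwd", (0, "on"))[1] == "on"
    line, verify = seen.get("krbverifykdc", (0, "on"))
    if passwd_on and verify == "off":
        # Password prompts without KDC verification: the spoofing case.
        findings.append((line, "password-auth-without-kdc-verify", "KrbVerifyKDC"))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```
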