[modauthtkt-users] DSA/RSA based derivative of mod_auth_tkt
From: Manuel K. <mk...@ne...> - 2008-02-03 22:03:04
Hello,

while looking for a simple web single sign-on solution for the company that I work for, I stumbled upon mod_auth_tkt, and soon knew that this was the way to go for our needs. However, the fact that it uses a shared secret with MD5 (thus putting the master secret in each participating web server's config) prevented us from actually deploying it.

I've therefore decided to modify mod_auth_tkt and create a new module (named mod_auth_pubtkt) that can use either DSA or RSA to verify the ticket - thus only the login server needs the private key, while the other web servers can work with just the public key.

While I assume that most of those on this mailing list are happy with mod_auth_tkt, I thought that some might be interested in my module, and so I decided to share it here. My big thanks go out to the authors of mod_auth_tkt; it was very helpful to have a working module to start with, and I was able to reuse a lot of code.

Here's the web page with a detailed description, instructions and the download:

https://neon1.net/mod_auth_pubtkt

It currently mandates the use of domain cookies, which still poses the (smaller) problem of cookie/ticket theft by rogue web servers under the same domain.

I've successfully deployed the module on a few Apache 2.0 servers in one domain, and I've also done some cursory testing under Apache 1.3 and 2.2 - but only under FreeBSD and Mac OS X.

Feedback is welcome, of course.

Regards,

Manuel
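The key-distribution difference the message describes, as an added Go example that is not part of the original post and not code from mod_auth_tkt or mod_auth_pubtkt: with a shared secret, any server that can check a ticket can also issue one, while with a signature the web servers hold only the public key. The ticket strings, the secret, the simplified MD5 construction and the choice of RSA with SHA-256 are constructed assumptions, not either module's actual format.

```go
package main

import (
	"crypto"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// macTag: simplified stand-in for a shared-secret MD5 digest (not mod_auth_tkt's layout).
func macTag(secret []byte, ticket string) [16]byte {
	return md5.Sum(append(append([]byte{}, secret...), ticket...))
}

// macVerify recomputes the tag, so every verifying server must hold the secret.
func macVerify(secret []byte, ticket string, tag [16]byte) bool {
	want := macTag(secret, ticket)
	return subtle.ConstantTimeCompare(want[:], tag[:]) == 1
}

// newLoginKey creates the key pair; the private half stays on the login server.
func newLoginKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// signTicket runs only on the login server (RSA with SHA-256 is an assumption).
func signTicket(priv *rsa.PrivateKey, ticket string) ([]byte, error) {
	h := sha256.Sum256([]byte(ticket))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// verifyTicket runs on each web server and needs only the public key.
func verifyTicket(pub *rsa.PublicKey, ticket string, sig []byte) bool {
	h := sha256.Sum256([]byte(ticket))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

func main() {
	ticket, other := "user=alice;expires=1202076184", "user=admin;expires=1202076184" // constructed
	secret := []byte("constructed-shared-secret")
	fmt.Println("shared secret: ticket issued by a web server accepted:", macVerify(secret, other, macTag(secret, other)))
	priv, err := newLoginKey()
	if err != nil {
		panic(err)
	}
	sig, err := signTicket(priv, ticket)
	fmt.Println("public key: signed ticket accepted:", err == nil && verifyTicket(&priv.PublicKey, ticket, sig))
	fmt.Println("public key: changed ticket, same signature accepted:", verifyTicket(&priv.PublicKey, other, sig))
}
```

The first line prints `true` because issuing and checking use the same secret; the last prints `false` because a server holding only the public key has nothing with which to produce a valid signature.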