The Apache gears grind through the authentication handlers more than
once per request, any number of times when trying to resolve a directory
request to index.html, index.htm, index.shtml, index.phtml, etc. This
is fine with most mod_auth* modules, because they are just a weak test
'if real_pw equals sent_pw'. However, with Kerberos, httpd attempts
to authenticate using the same ticket sent by the client each time,
which Kerberos treats as a replay attack. James and those who use
mod_auth_kerb with ApacheSSL+Basic challenge do not see this, since
httpd will obtain a ticket for you during each main/sub request with
the username/password sent by the browser. Below is a patch against
James' mod_auth_kerb inside the kerb_authenticate_user() handler.
Any concerns with this method of authenticating once per HTTP request?
-Doug
*** mod_auth_kerb-3.0.c.orig Thu Feb 6 17:43:18 1997
--- mod_auth_kerb-3.0.c Thu Feb 6 17:44:49 1997
***************
*** 814,820 ****
return AUTH_REQUIRED;
}
!
/*
* Did they send us a Basic auth anyways?
* If so, we have a client other than Kerberized NCSA Mosaic > 2.7
--- 814,827 ----
return AUTH_REQUIRED;
}
!
! if(r->main != NULL) /* this is a sub-request */
! return OK;
! else if(r->prev != NULL) /* this is an internal_redirect */
! return OK;
! /* this is the initial main request, we only get here *once* per HTTP request */
! /* let's go on to authenticate... */
!
/*
* Did they send us a Basic auth anyways?
* If so, we have a client other than Kerberized NCSA Mosaic > 2.7
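Review bot: the two new early returns in this hunk grant OK unconditionally for any request with r->main != NULL or r->prev != NULL, without confirming that the main request actually authenticated, so a sub-request or internal redirect that lands in a resource with a different Require/AuthType configuration (a DirectoryIndex candidate under another <Location>, an ErrorDocument target, a rewrite) is passed through without any Kerberos check at all. Rather than `return OK;` in both branches, the sub-request case should at least verify that the parent request carries an authenticated identity (e.g. check r->main's connection user/auth fields and return AUTH_REQUIRED otherwise), and the internal-redirect case deserves the same treatment since r->prev says nothing about whether the previous request was protected by this module. The inline comment "we only get here *once* per HTTP request" should also state this assumption explicitly, because it only holds when every sub-request and redirect shares the main request's auth configuration.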