Re: mod_radius_auth & digest auth
04-Mar-03 at 19:01, Josh Howlett ([EMAIL PROTECTED]) wrote :
> On Tue, 2003-03-04 at 13:47, Alan DeKok wrote:
> > > In this hypothetical case, would it be feasible for a user to present
> > > the same cookie to a different WWW server, which could then attempt to
> > > authenticate the user by passing the cookie to the remote RADIUS
> > > server? (ie. thereby avoiding the need for the user to present his
> > > credentials again - the idea being to enable single sign-on).
> > >
> > > Is this idea crack-pot or simply brain-dead?
> >
> > It's a hack, but I see reason why it wouldn't work.
>
> You think this is a hack? You should read the Project Liberty or M$
> Passport specs :-)

I'd rather read War and Peace in Russian (not a tongue I am familiar with)
rather than reading M$ Passport specs!

The sad thing is, that I might end up having to read that Passport rubbish
if MS get their way and dominate the corporate Internet services
marketplace. Somehow, I don't think they will. When I speak to anyone about
MS future plans, people start asking me when I can start migration to
Linux ;-)

Some of those points:

- New Windows version will not be backwards compatible
- New Office may not be backwards compatible
- Filesystems will not be backwards compatible
- Digital Rights Management and all that

Cheers,

--
[-Partly Cloudy in Rabat, 18°C/64°F. Wind: NNW strength 7. Humidity: 88%-]
Men never do evil so completely and cheerfully as when they do it from
religious conviction. -- Blaise Pascal
[Linux user 170823|XML Weather:www.interceptvector.com|.sig:vim/mutt/perl]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_radius_auth & digest auth
On Tue, 2003-03-04 at 13:47, Alan DeKok wrote:
> > In this hypothetical case, would it be feasible for a user to present
> > the same cookie to a different WWW server, which could then attempt to
> > authenticate the user by passing the cookie to the remote RADIUS
> > server? (ie. thereby avoiding the need for the user to present his
> > credentials again - the idea being to enable single sign-on).
> >
> > Is this idea crack-pot or simply brain-dead?
>
> It's a hack, but I see reason why it wouldn't work.

You think this is a hack? You should read the Project Liberty or M$
Passport specs :-)

josh.

--
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
---
Re: mod_radius_auth & digest auth
Josh Howlett <[EMAIL PROTECTED]> wrote:
> Assume that there was a mechanism to send the cookie generated by
> mod_auth_radius to the remote RADIUS server where it could be stored
> (for the lifetime of the cookie).

That would probably not be a good idea, mostly due to increased load on
the RADIUS server.

> Assume also that there existed an "rlm_cookie" authentication module on
> that remote RADIUS server that allows the RADIUS server to authenticate
> a user on the basis of a cookie.
>
> In this hypothetical case, would it be feasible for a user to present
> the same cookie to a different WWW server, which could then attempt to
> authenticate the user by passing the cookie to the remote RADIUS
> server? (ie. thereby avoiding the need for the user to present his
> credentials again - the idea being to enable single sign-on).
>
> Is this idea crack-pot or simply brain-dead?

It's a hack, but I see reason why it wouldn't work.

You would want to be careful creating the cookie. See the current
'mod_auth_radius' code for its method. You want the cookie to be signed
(somehow), to contain a timestamp for expiry, some user credentials (IP,
name etc), to minimize the potential for someone to snoop the cookie and
use it themselves.

Alan DeKok.
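Added example, not mod_auth_radius or FreeRADIUS code: a cookie built along the lines Alan lists (signed, carrying an expiry timestamp plus the user name and client IP) together with the check a second WWW server, or the hypothetical rlm_cookie, would run before trusting it. The shared key, field layout and lifetime are constructed for illustration.

```python
# Added example (not mod_auth_radius or FreeRADIUS code). Key, format and
# TTL are constructed for illustration only.
import hashlib
import hmac
import time

SHARED_KEY = b"constructed-demo-key-not-for-real-use"  # shared by issuer and verifiers
TTL_SECONDS = 900                                      # cookie lifetime


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the whole payload so no field can be altered alone."""
    return hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_cookie(user: str, client_ip: str, now: int = None) -> str:
    """Issue 'user|ip|expiry|mac'; the MAC covers all three fields."""
    now = int(time.time()) if now is None else now
    payload = f"{user}|{client_ip}|{now + TTL_SECONDS}"
    return payload + "|" + _sign(payload)


def verify_cookie(cookie: str, client_ip: str, now: int = None):
    """Return the user name if the cookie is intact, unexpired and presented
    from the IP it was issued to; otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        user, ip, expires, mac = cookie.split("|")
    except ValueError:
        return None                          # malformed
    payload = f"{user}|{ip}|{expires}"
    if not hmac.compare_digest(mac, _sign(payload)):
        return None                          # forged or altered; checked first
    if now >= int(expires):
        return None                          # replayed after expiry
    if ip != client_ip:
        return None                          # snooped, presented from elsewhere
    return user
```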
Re: mod_radius_auth & digest auth
On Tue, 2003-03-04 at 12:00, Alan DeKok wrote:
> Josh Howlett <[EMAIL PROTECTED]> wrote:
> > To clarify, I want users to authenticate via HTTP via mod_auth_radius
> > against a remote RADIUS server without the intermediate WWW server (or,
> > for that matter, anything else) gaining knowledge of the user's
> > password.
> >
> > Assuming mod_auth_radius implemented digest authentication, is this a
> > workable solution?
>
> Yes. And it shouldn't be too hard to do, either. Take entries from
> Apache's data structures, pack them into a RADIUS packet, and fire it
> off.

Interesting.

Assume that there was a mechanism to send the cookie generated by
mod_auth_radius to the remote RADIUS server where it could be stored
(for the lifetime of the cookie).

Assume also that there existed an "rlm_cookie" authentication module on
that remote RADIUS server that allows the RADIUS server to authenticate
a user on the basis of a cookie.

In this hypothetical case, would it be feasible for a user to present
the same cookie to a different WWW server, which could then attempt to
authenticate the user by passing the cookie to the remote RADIUS
server? (ie. thereby avoiding the need for the user to present his
credentials again - the idea being to enable single sign-on).

Is this idea crack-pot or simply brain-dead?

josh.

--
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
---
Re: mod_radius_auth & digest auth
Josh Howlett <[EMAIL PROTECTED]> wrote:
> To clarify, I want users to authenticate via HTTP via mod_auth_radius
> against a remote RADIUS server without the intermediate WWW server (or,
> for that matter, anything else) gaining knowledge of the user's
> password.
>
> Assuming mod_auth_radius implemented digest authentication, is this a
> workable solution?

Yes. And it shouldn't be too hard to do, either. Take entries from
Apache's data structures, pack them into a RADIUS packet, and fire it
off. FreeRADIUS does the hard work of unpacking them, and doing the
authentication.

Alan DeKok.
Re: mod_radius_auth & digest auth
On Tue, 2003-03-04 at 11:22, Alan DeKok wrote:
> Josh Howlett <[EMAIL PROTECTED]> wrote:
> > In the docs, it states the mod_radius_auth does not support digest
> > authentication.
> >
> > Is this by virtue of it being impossible-in-principle, or merely
> > as-yet-not-implemented?
>
> When the module was written, there was no standard for doing digest
> authentication over RADIUS. Last year, Cisco proposed an IETF
> standard to do this for SIP. It was rejected, but FreeRADIUS supports
> it.
>
> If you can modify mod_auth_radius to pack the digest information
> into RADIUS attributes as per 'doc/rfc/draft-sterman-aaa-sip-00.txt',
> then FreeRADIUS will be able to authenticate them.

To clarify, I want users to authenticate via HTTP via mod_auth_radius
against a remote RADIUS server without the intermediate WWW server (or,
for that matter, anything else) gaining knowledge of the user's
password.

Assuming mod_auth_radius implemented digest authentication, is this a
workable solution?

thanks,
josh.

--
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
---
Re: mod_radius_auth & digest auth
Josh Howlett <[EMAIL PROTECTED]> wrote:
> In the docs, it states the mod_radius_auth does not support digest
> authentication.
>
> Is this by virtue of it being impossible-in-principle, or merely
> as-yet-not-implemented?

When the module was written, there was no standard for doing digest
authentication over RADIUS. Last year, Cisco proposed an IETF
standard to do this for SIP. It was rejected, but FreeRADIUS supports
it.

If you can modify mod_auth_radius to pack the digest information
into RADIUS attributes as per 'doc/rfc/draft-sterman-aaa-sip-00.txt',
then FreeRADIUS will be able to authenticate them.

Alan DeKok.
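Added example, not code from mod_auth_radius, FreeRADIUS or the draft: the two halves of the check once digest fields travel over RADIUS, as this thread proposes. The WWW server forwards only what is in the client's Authorization header plus the HTTP method, while the RADIUS server, which alone holds the password, recomputes the RFC 2617 response. The Digest-* attribute names are assumed for illustration and are not the draft's exact encoding.

```python
# Added example (not mod_auth_radius, FreeRADIUS or draft-sterman code).
# Digest-* attribute names below are assumed for illustration.
import hashlib
import hmac
import re

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop="", nc="", cnonce=""):
    """RFC 2617 response for algorithm MD5, with qop 'auth' or no qop."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def parse_digest_header(header: str) -> dict:
    """WWW-server side: split 'Digest k="v", k=v, ...' into a dict."""
    body = header.split(" ", 1)[1]
    return {k: v.strip().strip('"')
            for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]*)', body)}

def forward_to_radius(method: str, fields: dict) -> dict:
    """WWW-server side: pack only header fields plus the HTTP method.
    The password never appears here because the WWW server never has it."""
    return {"Digest-User-Name": fields["username"],
            "Digest-Realm": fields["realm"],
            "Digest-Nonce": fields["nonce"],
            "Digest-Method": method,
            "Digest-URI": fields["uri"],
            "Digest-QOP": fields.get("qop", ""),
            "Digest-Nonce-Count": fields.get("nc", ""),
            "Digest-CNonce": fields.get("cnonce", ""),
            "Digest-Response": fields["response"]}

def radius_check(a: dict, password: str) -> bool:
    """RADIUS side: the server holding the cleartext password recomputes
    the response from the forwarded attributes and compares in constant time."""
    expected = digest_response(a["Digest-User-Name"], a["Digest-Realm"],
                               password, a["Digest-Method"], a["Digest-URI"],
                               a["Digest-Nonce"], a["Digest-QOP"],
                               a["Digest-Nonce-Count"], a["Digest-CNonce"])
    return hmac.compare_digest(expected, a["Digest-Response"])
```

The nonce freshness check (one use per nonce, bounded lifetime) belongs on whichever side issued the nonce and is left out here.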