AFS and the Web: Using PAM for Apache for authorized access to AFS file space from the web

Slide 1: Title

AFS and the Web: Using PAM for Apache for authorized access to AFS file space from the web

Thomas Müller
Chemnitz University of Technology, Computer Center
Thomas.Mueller@hrz.tu-chemnitz.de

AFS Meeting 2000, Garching, 14./15. 12. 2000
(Slides: http://archiv.tu-chemnitz.de/pub/2000/...; the rest of the path is illegible in the transcription.)

Slide 2: Our situation

- Apache 1.3.x (with mod_ssl) on Solaris and Red Hat Linux
- several L4-switched servers
- all web pages of http://www.tu-chemnitz.de/ are stored in AFS
- especially user web space, e.g. http://www.tu-chemnitz.de/~thm/ is resolved to /afs/tu-chemnitz.de/home/urz/t/thm/public_html/index.html

Slide 3: Goals

- optional use of AFS/Kerberos authentication
- optional use of AFS file protection (ACLs)
- user-driven fall-back to Apache's own authentication scheme
- no changes to the Apache source code

Slide 4: Request handling by Apache

- the master daemon forwards received requests to one of its children
- request handling is broken down into a series of steps:
  - URI -> filename translation
  - authentication checking
  - ...
  - sending the response to the client
  - logging
- Apache modules may add functionality to each step

Slide 5: Pluggable Authentication Modules (diagram)

Applications (login, ftpd, xdm, dtlogin, xlock, ...) call the PAM Application Program Interface. PAM dispatches to four management types: authentication management, account management, password management and session management. Through the PAM Service Provider Interface these reach the service modules (UNIX, DCE Security Service, AFS, S/Key). Which modules are stacked for which service is decided by the system administrator in the config file, not by the application.

Slide 6: mod_auth_pam

- Apache module mod_auth_pam by Ingo Lütkebohle: enables Apache to use PAM for authenticating remote users
- http://pam.sourceforge.net/mod_auth_pam/
- implements the PAM module types authentication management and account management
- does not handle credentials (AFS token): Apache knows nothing about different users in the file system

Slide 7: Example 1

    % cat .htaccess
    SSLRequireSSL
    AuthName "Secure Area"
    AuthType Basic
    AuthPAM_Enabled on          (use PAM; default)
    AuthPAM_FallThrough off     (do not fall through to other auth modules; default)
    require valid-user

    % cat /etc/pam.d/httpd
    auth     required pam_afs.so.1 ignore_root
    account  required pam_afs.so.1

SSLRequireSSL matters here: mod_auth_pam only supports Basic authentication, so the AFS/Kerberos password travels in the request and must be confined to TLS connections.

Slide 8: Example 1, call flow (diagram)

    Apache request phases:  init() ... auth ... logging

    auth phase -> mod_auth_pam:  pam_authenticate(...)
               -> pam_afs.so.1:  pam_sm_authenticate(...)
                                   if (!fork())
                                       ka_VerifyUserPassword(... + KA_USERAUTH_DOSETPAG, ...)

Slide 9: Effects 1

- authentication seems to work, but we do not get an AFS token
- hangs sometimes (it seems not to wait correctly for the child's termination)
- each request creates a new PAG
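The hang reported above comes from the parent not waiting correctly for the child it forked. The following is an added example, not code from the talk, from mod_auth_pam or from pam_afs, of the fork/waitpid discipline a PAM module needs if it verifies the password in a child process: wait for exactly that pid, restart the wait when a signal interrupts it, and treat a lost verdict (child killed, child already reaped) as a failed authentication rather than as success. The verify functions are constructed stand-ins for ka_VerifyUserPassword, and the exit-code convention (0 = success) is an assumption of this example.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not from the talk or from pam_afs. Exit code 0 = success is
 * this example's convention; a real PAM module returns PAM_* codes instead. */

typedef int (*verify_fn)(void *arg);

/*
 * Run verify(arg) in a forked child and hand its verdict back to the parent.
 * Returns the child's exit code (0..255), or -1 when the child died from a
 * signal or could not be reaped; the caller must treat -1 as "not
 * authenticated". The parent waits for exactly this pid (a bare wait() could
 * reap some other child of the Apache process, e.g. a CGI), restarts waitpid
 * when a signal interrupts it, and does not mistake ECHILD (child already
 * auto-reaped because SIGCHLD is ignored) for success.
 */
int run_in_child(verify_fn verify, void *arg)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* child: verify, then leave with _exit so the parent's stdio buffers
         * and atexit handlers are not run a second time */
        _exit(verify(arg) & 0xff);
    }
    int status;
    for (;;) {
        pid_t w = waitpid(pid, &status, 0);
        if (w == pid)
            break;
        if (w < 0 && errno == EINTR)
            continue;           /* interrupted by a signal: wait again */
        return -1;              /* ECHILD or other error: verdict lost, fail closed */
    }
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;                  /* killed by a signal: no verdict, fail closed */
}

/* Constructed stand-ins for ka_VerifyUserPassword(); no AFS involved. */
int verify_ok(void *arg)           { (void)arg; return 0; }
int verify_bad_password(void *arg) { (void)arg; return 1; }
int verify_crash(void *arg)        { (void)arg; kill(getpid(), SIGKILL); return 0; }

int main(void)
{
    printf("good password : %d\n", run_in_child(verify_ok, NULL));
    printf("bad password  : %d\n", run_in_child(verify_bad_password, NULL));
    printf("child killed  : %d\n", run_in_child(verify_crash, NULL));
    return 0;
}
```

Note that a PAG set up in the child (KA_USERAUTH_DOSETPAG) stays in the child: a token obtained there is never visible to the Apache process that serves the request, which is the first effect listed on the slide and the reason the talk moves setpag() and the token acquisition out of the fork.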

Slide 10: Solution

- consider the handling of an HTTP request as a kind of session
- modify the Apache module mod_auth_pam: implement session management as an optional feature (storing and removing of credentials)
- modify the AFS PAM pam_afs.so.1: make the fork() optional, find a better way to handle PAGs

Slide 11: Example 2

    % cat .htaccess
    SSLRequireSSL
    AuthName "Secure Area"
    AuthType Basic
    AuthPAM_SetCred on          (set credentials)
    require valid-user

    % cat /etc/pam.d/httpd
    auth     required pam_afs.so.1 ignore_root dont_fork
    account  required pam_afs.so.1
    session  optional pam_afs.so.1
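Both /etc/pam.d/httpd stacks above (Example 1 and Example 2) depend on PAM's control flags: a failed "required" module keeps the stack running, and the "optional" session entry of Example 2 cannot turn a successful request into a failure as long as it is not the only entry of its type. The following added example, not code from the talk, from mod_auth_pam or from pam_afs, parses such lines and simulates the Linux-PAM stacking rules with caller-supplied module results, so the two configurations can be traced without an AFS cell. The numeric codes (0 for success, 7 standing in for PAM_AUTH_ERR) and the pam_unix.so line of the second, constructed stack are this example's assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the talk. Codes mirror <security/pam_appl.h>
 * (PAM_SUCCESS = 0, PAM_AUTH_ERR = 7) but are assumed here; no libpam needed. */
#define SIM_SUCCESS  0
#define SIM_AUTH_ERR 7

enum ctrl { CTRL_REQUIRED, CTRL_REQUISITE, CTRL_SUFFICIENT, CTRL_OPTIONAL, CTRL_UNKNOWN };

struct pam_line {
    char type[16];      /* auth | account | session | password */
    enum ctrl control;
    char module[64];    /* e.g. pam_afs.so.1 */
    char args[128];     /* e.g. "ignore_root dont_fork" */
};

/* Parse one /etc/pam.d/<service> line; 0 for blank, comment or malformed lines. */
int parse_pam_line(const char *line, struct pam_line *out)
{
    char c[16];
    int used = 0;
    memset(out, 0, sizeof *out);
    if (sscanf(line, " %15s %15s %63s%n", out->type, c, out->module, &used) < 3
        || out->type[0] == '#')
        return 0;
    out->control = !strcmp(c, "required")   ? CTRL_REQUIRED
                 : !strcmp(c, "requisite")  ? CTRL_REQUISITE
                 : !strcmp(c, "sufficient") ? CTRL_SUFFICIENT
                 : !strcmp(c, "optional")   ? CTRL_OPTIONAL : CTRL_UNKNOWN;
    while (line[used] == ' ' || line[used] == '\t') used++;   /* rest = module arguments */
    strncpy(out->args, line + used, sizeof out->args - 1);
    out->args[strcspn(out->args, "\r\n")] = '\0';
    return 1;
}

/* Run the modules of one type in stack order; results[i] is the simulated
 * return of lines[i], *invoked counts the modules that ran. Linux-PAM rules:
 * a failed "required" is remembered but the stack goes on (the client cannot
 * tell which module refused); "requisite" fails at once; a successful
 * "sufficient" ends the stack unless a required module already failed;
 * "optional" counts only in an all-optional stack. Anything else fails closed. */
int run_stack(const struct pam_line *lines, const int *results, int n,
              const char *type, int *invoked)
{
    int first_err = SIM_SUCCESS, non_optional = 0, last = SIM_AUTH_ERR;
    *invoked = 0;
    for (int i = 0; i < n; i++) {
        enum ctrl c = lines[i].control;
        int r = results[i];
        if (strcmp(lines[i].type, type) != 0) continue;
        (*invoked)++;
        last = r;
        if (c == CTRL_UNKNOWN) return SIM_AUTH_ERR;
        if (c == CTRL_OPTIONAL) continue;
        non_optional = 1;
        if (c == CTRL_REQUIRED && r != SIM_SUCCESS && first_err == SIM_SUCCESS)
            first_err = r;
        else if (c == CTRL_REQUISITE && r != SIM_SUCCESS)
            return first_err != SIM_SUCCESS ? first_err : r;
        else if (c == CTRL_SUFFICIENT && r == SIM_SUCCESS && first_err == SIM_SUCCESS)
            return SIM_SUCCESS;
    }
    if (*invoked == 0) return SIM_AUTH_ERR;       /* no module for this type */
    if (first_err != SIM_SUCCESS) return first_err;
    return non_optional ? SIM_SUCCESS : last;
}

/* The /etc/pam.d/httpd of Example 2 with one simulated pam_afs result. */
int example2_result(const char *type, int afs_result, int *invoked)
{
    static const char *text[] = { "# /etc/pam.d/httpd",
        "auth     required pam_afs.so.1 ignore_root dont_fork",
        "account  required pam_afs.so.1", "session  optional pam_afs.so.1" };
    struct pam_line lines[4];
    int results[4], n = 0;
    for (int i = 0; i < 4; i++)
        if (parse_pam_line(text[i], &lines[n]))
            results[n++] = afs_result;
    return run_stack(lines, results, n, type, invoked);
}

/* Constructed two-entry auth stack (pam_unix.so is this example's addition). */
int two_required_result(int afs_result, int unix_result, int *invoked)
{
    struct pam_line lines[2];
    int results[2] = { afs_result, unix_result };
    parse_pam_line("auth required pam_afs.so.1", &lines[0]);
    parse_pam_line("auth required pam_unix.so", &lines[1]);
    return run_stack(lines, results, 2, "auth", invoked);
}

int main(void)
{
    int inv;
    printf("Example 2, auth with bad password: %d\n", example2_result("auth", SIM_AUTH_ERR, &inv));
    int r = two_required_result(SIM_AUTH_ERR, SIM_SUCCESS, &inv);
    printf("two required, first refuses:       %d after %d modules\n", r, inv);
    return 0;
}
```

Two points the simulation makes visible: with two "required" auth entries the second module still runs after the first has refused, which is deliberate in PAM (an attacker cannot tell which module rejected the password) but also means pam_afs contacts the KA server on every attempt; and the "optional" session entry of Example 2, being the only session module, does decide the result of pam_close_session, so a failure to drop the token surfaces to mod_auth_pam rather than vanishing.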

Slide 12: Example 2, call flow (diagram)

    Apache request phases:  init() ... auth ... logging

    auth phase    -> mod_auth_pam:  pam_authenticate(...)
                                    if (AuthPAM_SetCred) pam_setcred(...)
    logging phase -> mod_auth_pam:  pam_close_session(...)

    pam_afs.so.1:  pam_sm_authenticate(...)   -> setpag(); ka_VerifyUserPassword(...)
                   pam_sm_setcred(...)        -> ka_UserAuthenticateGeneral(...)
                   pam_sm_close_session(...)  -> ktc_ForgetAllTokens(...)

The token obtained in pam_sm_setcred lives in the Apache child's PAG only for the duration of this request: pam_close_session in the logging phase forgets it, so a later request served by the same child does not inherit the previous user's token.

Slide 13: Effects 2

- optional use of AFS/Kerberos authentication (AuthPAM_Enabled on/off)
- optional use of AFS file protection (AuthPAM_SetCred on/off)
- user-driven fall-back to Apache's own protection scheme, controlled per directory by .htaccess

Slide 14: Effects 2 (continued)

- each request still creates a new PAG
- Apache stat()s the requested file before the auth step; workaround: provide lookup permission to the ... (the grantee is not legible in the transcription)
- Apache needs an AFS token to read .htaccess; workaround: make the directory of .htaccess readable to ... (grantee not legible) and move your protected files to a subdirectory

Slide 15: Summary

- it works
- in use for:
  - help desk (a host under hrz.tu-chemnitz.de; the URL is partly illegible in the transcription)
  - management of print spool requests
  - access to HOME directories: http://login.tu-chemnitz.de/
- AFS Web Security Pack: more efficient (token caching, PAG handling). Does anybody use it?

Slide 16: Sources

- modified mod_auth_pam: /afs/tu-chemnitz.de/.../mod_auth_pam (intermediate path components illegible in the transcription)
- modified AFS PAM (src/pam of OpenAFS 1.0): /afs/tu-chemnitz.de/.../1.0/.../src/pam (intermediate path components illegible in the transcription)