Authentication failures


Tyler Gibbons
Dec 3, 2010, 3:51:22 PM
to mod_auth_pubtkt users
I have sort of a fetish for TCL as a scripting language, so I've been
attempting to write an authentication script for my webserver using
that and mod_auth_pubtkt. It should be a quick and easy job,
especially with the quality of documentation on the main site, but I
have problems with getting the module to recognize my auth tickets. My
error log reports that mod_auth_pubtkt can't parse the cookies that
are set by my site after they've been returned from auth.tcl.

I'm stumped at this point. To make things simple I've been calling
openssl to do all the work in ticket generation in my TCL script, but
even if the command is crafted like the sample command-line generation
on https://neon1.net/mod_auth_pubtkt/install.html it fails to parse/
verify the ticket.

Here is the code segment responsible for generating the ticket:

set ssl_bin "/usr/bin/openssl"
# have openssl sign our fledgling cookie
set timeout [expr "[clock seconds] + 1209600"]
set tkt "uid=${user};validuntil=$timeout;cip=[env REMOTE_ADDR];tokens=${tokens};udata=${userdata}"
set sig [exec echo "$tkt" | $ssl_bin dgst -sha1 -binary -sign /home/www-data/.ssh/privtkt.pem | $ssl_bin enc -base64]
set cookie "$tkt;sig=$sig"

And then a sample error message (all are alike at this point):

[Fri Dec 03 12:44:27 2010] [warn] [client 210.124.56.213] TKT
valid_ticket: unparseable cookie ticket found ('uid%3Dkavec
%3Bvaliduntil%3D1292618657%3Bcip%3D210.124.56.213%3Btokens%3Dadmin
%3Budata%3DThis%20is%20Kavec%3Bsig
%3DR5zZTWYOkWppxOxWDfiG8ZJDWBshRWI5i0TwxLGI01B29TptqDZqiMTYST5rdBev
%0AjLTxH9ljJzIsAl%2BSeEqg4w5mv7zyQKuPLuuiAUbDyt4m83ezbU%2FM11YKDFLbZgFm
%0AbxVQJZ5bGv5bUp6Ln01V7OYgE%2Bw6nVE999NBtfZU6lk%3D')

Where "uid=kavec;validuntil=1292618657;cip=210.124.56.213;tokens=admin;udata=This is Kavec" is the string thrown into the maw of openssl to be digested.

The TCL exec line is also equivalent to the following:
echo "uid=kavec;validuntil=1292618657;cip=210.124.56.213;tokens=admin;udata=This is Kavec" | /usr/bin/openssl dgst -sha1 -binary -sign /home/www-data/.ssh/privtkt.pem | /usr/bin/openssl enc -base64

It's driving me nuts; what do I need to do to make this work?

Manuel Kasper
Dec 4, 2010, 11:16:15 AM
to mod_auth_p...@googlegroups.com
Hi Tyler,

On 03.12.2010, at 21:51, Tyler Gibbons wrote:

> And then a sample error message (all are alike at this point):
>
> [Fri Dec 03 12:44:27 2010] [warn] [client 210.124.56.213] TKT
> valid_ticket: unparseable cookie ticket found ('uid%3Dkavec
> %3Bvaliduntil%3D1292618657%3Bcip%3D210.124.56.213%3Btokens%3Dadmin
> %3Budata%3DThis%20is%20Kavec%3Bsig
> %3DR5zZTWYOkWppxOxWDfiG8ZJDWBshRWI5i0TwxLGI01B29TptqDZqiMTYST5rdBev
> %0AjLTxH9ljJzIsAl%2BSeEqg4w5mv7zyQKuPLuuiAUbDyt4m83ezbU%2FM11YKDFLbZgFm
> %0AbxVQJZ5bGv5bUp6Ln01V7OYgE%2Bw6nVE999NBtfZU6lk%3D')

Ummmm do you have mod_auth_tkt installed instead of (or in addition to) mod_auth_pubtkt? Because that error message isn't from mod_auth_pubtkt ;)

Also, if the URL encoding of the cookie data above is to be believed, there are stray line feeds (%0A) in the signature.

Regards,

Manuel

Tyler Gibbons
Dec 4, 2010, 3:35:33 PM
to mod_auth_pubtkt users
I did have mod_auth_tkt installed, but went back and double-checked to
make sure I removed it from httpd.conf. I also removed the module (I
don't need it ;). I removed the line feeds generated by openssl enc, but
I am still getting the same error.

Here's an updated version:
[Sat Dec 04 12:33:55 2010] [warn] [client 210.124.56.213] TKT
valid_ticket: unparseable cookie ticket found ('uid%3Dkavec
%3Bvaliduntil%3D1292704425%3Bcip%3D210.124.56.213%3Btokens%3Dadmin
%3Budata%3Dtest%20data%3Bsig%3DmD1Plq9KqsL03Ugn6FpAs
%2FoxGOi6LuQeZ2AmrCw0O0u14qMX6guMcze0%2F2RLRiQLVTTd6s9nAn8llD
%2B5YaloVWq6FaU1MKTvsWV4LOwnGmJRPJ2DKY
%2BAlsc1Ve4qXF5ZODOfDuhKQQE31qk7i4PvHF8%2Fw1eETkuhtsvq5cdkopM%3D')

And here is the new call to openssl in case you're curious:
set sig [exec echo "$tkt" | $ssl_bin dgst -sha1 -binary -sign /home/www-data/.ssh/privtkt.pem | $ssl_bin enc -base64 -A]

Curious that the message isn't mod_auth_pubtkt's, I'll see if I can
find another module that might be interfering.

Tyler Gibbons
Dec 4, 2010, 4:11:23 PM
to mod_auth_pubtkt users
Apparently mod_auth_tkt was sticking around despite being commented
out in httpd.conf. Deleting the module and reloading apache completely
fixed that well enough, but I was still having authentication problems.

Turns out it was still newlines in the command. As per the front page,
to generate a ticket via command-line you should:

echo "uid=foobar;validuntil=123456789;tokens=;udata=" \
| openssl dgst -dss1 -sign privkey.pem \
| openssl enc -base64

However, that's missing two flags and will get a bunch of extra
newlines in it. Instead, you need to:

echo -n "uid=foobar;validuntil=123456789;tokens=;udata=" \
| openssl dgst -dss1 -sign privkey.pem \
| openssl enc -base64 -A

Thanks for the help, Manuel!
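The following script is an added example, not code from the thread or from mod_auth_pubtkt: it signs a ticket the way the corrected command above does, verifies it with the matching public key, and shows that the original pipeline (plain echo, so a trailing newline is signed) produces a signature the verifier rejects. It assumes openssl on PATH, generates a throwaway RSA key pair instead of the poster's privtkt.pem, and uses a constructed ticket string with a documentation IP.

```shell
#!/bin/sh
# Added example (not from the thread or the module): sign and verify a
# mod_auth_pubtkt-style ticket, contrasting the corrected and the original
# pipeline. Throwaway RSA key pair generated here; digest matches Tyler's Tcl.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DGST=sha1   # as in the thread; switch if local OpenSSL policy rejects SHA-1 signatures
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/privtkt.pem" 2>/dev/null
openssl pkey -in "$WORK/privtkt.pem" -pubout -out "$WORK/pubtkt.pem" 2>/dev/null

# Corrected signing: printf '%s' (like echo -n) signs the bare ticket text, and
# enc -base64 -A keeps the signature on one line so no %0A lands in the cookie.
sign_ticket() {
    printf '%s' "$1" \
        | openssl dgst "-$DGST" -binary -sign "$WORK/privtkt.pem" \
        | openssl enc -base64 -A
}

# Original signing from the first post: echo appends "\n" to what gets signed,
# so the signature covers a string the verifier will never see.
sign_ticket_with_newline() {
    echo "$1" \
        | openssl dgst "-$DGST" -binary -sign "$WORK/privtkt.pem" \
        | openssl enc -base64 -A
}

# Verifier side: split the cookie at the trailing ";sig=" and check the
# signature over everything before it. Exit status 0 means the ticket is valid.
verify_ticket() {
    data=${1%";sig="*}
    sig=${1##*";sig="}
    printf '%s' "$sig" | openssl enc -base64 -d -A > "$WORK/sig.bin"
    printf '%s' "$data" | openssl dgst "-$DGST" -verify "$WORK/pubtkt.pem" \
        -signature "$WORK/sig.bin" >/dev/null 2>&1
}

# Constructed ticket (documentation IP, not the thread's client address).
TKT="uid=kavec;validuntil=1292704425;cip=192.0.2.10;tokens=admin;udata=test data"
GOOD="$TKT;sig=$(sign_ticket "$TKT")"
BAD="$TKT;sig=$(sign_ticket_with_newline "$TKT")"

verify_ticket "$GOOD" && echo "signed with echo -n / enc -A: Verified OK"
verify_ticket "$BAD" || echo "signed with a trailing newline: verification FAILED"
```

Run it as-is; the two closing lines print the outcome for each variant.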

Manuel Kasper
Dec 5, 2010, 5:44:51 AM
to mod_auth_p...@googlegroups.com
On 04.12.2010, at 22:11, Tyler Gibbons wrote:

> However, that's missing two flags and will get a bunch of extra
> newlines in it. Instead, you need to:
>
> echo -n "uid=foobar;validuntil=123456789;tokens=;udata=" \
> | openssl dgst -dss1 -sign privkey.pem \
> | openssl enc -base64 -A

Thanks; I've updated the page accordingly. Glad to hear it works now!

- Manuel
