Apache fails to validate client even though the cookie signature is correct (tested with openssl)

d...@alepe.com
Mar 7, 2016, 2:28:24 AM3/7/16
to mod_auth_pubtkt users
I have 2 sites running on the same server (for testing): sso.example.com and client.example.com:

<VirtualHost *:443>
    ServerName sso.example.com
    DocumentRoot /var/www/sso

    SSLEngine On
    SSLCertificateFile /var/key/sso.crt
    SSLCertificateKeyFile /var/key/sso.key
</VirtualHost>

<VirtualHost *:443>
    ServerName client.example.com
    DocumentRoot /var/www/client

    SSLEngine On
    SSLCertificateFile /var/key/client.example.com/cert.pem
    SSLCertificateKeyFile /var/key/client.example.com/key.pem

    <Location />
        AuthType mod_auth_pubtkt
        Order Allow,Deny
        Allow from all
        TKTAuthCookieName "sso_ticket"
        TKTAuthToken "ssologin"
        TKTAuthLoginURL https://sso.example.com/
        TKTAuthPublicKey /var/key/public_key.pem
        TKTAuthRequireSSL on
        TKTAuthDebug 3
        require valid-user
    </Location>
</VirtualHost>

"sso" generates the authentication ticket:

<?php
    require_once("pubtkt.inc");
    $privkey  = "/var/key/private_key.pem";
    $keytype  = "RSA";

    $username = "user999";
    $userdata = "";
    $tokens   = array("ssologin");
    $timeout  = 5184000;   // ticket lifetime in seconds (60 days)
    $grace    = 2592000;   // grace period in seconds (30 days before validuntil)

    // pubtkt_generate() from pubtkt.inc signs the fields with the private key
    // and returns the "uid=...;cip=...;validuntil=...;...;sig=..." ticket string.
    $ticket = pubtkt_generate(
        $privkey,
        $keytype,
        $username,
        $_SERVER['REMOTE_ADDR'],   // becomes the cip field, as seen by the SSO host
        time() + $timeout,         // validuntil
        $grace,
        join(",", $tokens),
        $userdata
    );
?>

and sends an XHR request (from JavaScript) to "client" in order to set the cookie.

<?php
    // Only the SSO origin may call this endpoint cross-site.
    header('Access-Control-Allow-Origin: https://sso.example.com');
    if (isset($_GET["ticket"])) {
        $tkt = base64_decode($_GET["ticket"]);
        setcookie("sso_ticket", $tkt); // Cookie with low restrictions for testing purposes.
    }
?>

This is an example of the cookie set:

uid%3Duser999%3Bcip%3D192.168.0.15%3Bvaliduntil%3D1462511500%3Bgraceperiod%3D1459919500%3Btokens%3Dssologin%3Budata%3D%3Bsig%3DLpJKwgLBFXWy2FxWro%2FxdanHq%2F%2F2Maa1dR5y5IQQ3n2%2B1V5wfdklFtumpQ9h9cI8jh3sNLUFmmkDxMr44kwWZ0i1qfXlndGzaAWPg%2BBtwXlsJAgwgPTQOfJX%2FXNWAntx%2BnnutRebwZBZH2MDsd5d6AdRPXaD8rhEHzXIn8yECkM%3D

I can confirm that the cookie is successfully created in "client". I also confirmed that the cookie content is correct using openssl to test the signature.

Every time I try to open "client.example.com" I get redirected to "sso.example.com". There are no errors in Apache, and "TKTAuthDebug 3" only outputs the "TKT*" variables set in the <Location /> section.
How can I check why it is failing?

As a test, I set up a "sso.example.com/restricted/" directory with a <Location /restricted> section using the exact values listed above, in order to test everything inside the same domain, and it works fine.
I don't know what is wrong. Any ideas?

Thanks in advance.
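One way to answer "how can I check why it is failing" offline, as an added example that is not code from this post or from the mod_auth_pubtkt project: a Python script that re-runs the module's per-field checks (uid, cip, validuntil, tokens) on the posted cookie value and hands the signature to the openssl CLI, which is the check the poster did by hand. It assumes the ticket layout shown in the posted cookie (all fields before ";sig=" are the signed data), SHA-1 as the digest (the default pubtkt.inc uses for RSA keys), and a constructed "now" of 1457316000, roughly the date of the post.

```python
"""Offline checker for a mod_auth_pubtkt ticket cookie (added example, not the module's code)."""
import base64
import os
import subprocess
import tempfile
from dataclasses import dataclass
from urllib.parse import unquote

# Cookie value copied from the post. Its signature was made with the poster's
# private key, which we do not have, so only the field checks run without a key.
POSTED_COOKIE = (
    "uid%3Duser999%3Bcip%3D192.168.0.15%3Bvaliduntil%3D1462511500"
    "%3Bgraceperiod%3D1459919500%3Btokens%3Dssologin%3Budata%3D%3Bsig%3D"
    "LpJKwgLBFXWy2FxWro%2FxdanHq%2F%2F2Maa1dR5y5IQQ3n2%2B1V5wfdklFtumpQ9h9cI8jh3s"
    "NLUFmmkDxMr44kwWZ0i1qfXlndGzaAWPg%2BBtwXlsJAgwgPTQOfJX%2FXNWAntx%2BnnutRebw"
    "ZBZH2MDsd5d6AdRPXaD8rhEHzXIn8yECkM%3D"
)


@dataclass
class Ticket:
    fields: dict        # uid, cip, validuntil, graceperiod, tokens, udata (strings)
    signed_data: str    # everything before ";sig=": the bytes the signature covers
    sig: bytes          # raw signature, base64-decoded


def parse_ticket(cookie_value: str) -> Ticket:
    """Split a pubtkt cookie into fields the way the module does.

    setcookie() URL-encodes the value (';' arrives as %3B), so it is unescaped
    first. unquote() rather than unquote_plus(): a '+' in the base64 signature
    must stay a literal '+'.
    """
    raw = unquote(cookie_value)
    marker = ";sig="
    idx = raw.rfind(marker)
    if idx < 0:
        raise ValueError("ticket has no sig field")
    signed_data = raw[:idx]
    fields = {}
    for part in signed_data.split(";"):
        key, _, value = part.partition("=")   # partition: udata= has an empty value
        fields[key] = value
    return Ticket(fields, signed_data, base64.b64decode(raw[idx + len(marker):]))


def check_ticket(ticket, required_tokens, remote_ip, now, ignore_ip=False):
    """Return the reasons the module would reject this ticket (empty list = accepted).

    Mirrors the module's checks: 'require valid-user' needs a uid; cip must equal
    the connecting address unless TKTAuthIgnoreIP is on; validuntil must be in
    the future; with TKTAuthToken set, the ticket needs at least one listed token.
    """
    f = ticket.fields
    problems = []
    if not f.get("uid"):
        problems.append("no uid: 'require valid-user' cannot be satisfied")
    if f.get("cip") and not ignore_ip and f["cip"] != remote_ip:
        problems.append(f"cip {f['cip']} != connecting address {remote_ip} "
                        "(different path/NAT to the client host? see TKTAuthIgnoreIP)")
    valid_until = int(f["validuntil"]) if f.get("validuntil", "").isdigit() else 0
    if valid_until <= now:
        problems.append(f"validuntil {valid_until} has passed (now={now})")
    if required_tokens:
        have = set(filter(None, f.get("tokens", "").split(",")))
        if not have & set(required_tokens):
            problems.append(f"tokens {sorted(have)} contain none of {sorted(required_tokens)}")
    return problems


def in_grace_period(ticket, now) -> bool:
    """True once graceperiod has started but validuntil has not passed."""
    f = ticket.fields
    grace, valid_until = f.get("graceperiod", ""), f.get("validuntil", "")
    return grace.isdigit() and valid_until.isdigit() and int(grace) <= now < int(valid_until)


def verify_signature_with_openssl(ticket, pubkey_path, digest="sha1") -> bool:
    """Verify the signature with the openssl CLI, i.e. what the poster did by hand.

    SHA-1 is assumed, as for an unmodified pubtkt.inc with an RSA key.
    """
    with tempfile.TemporaryDirectory() as d:
        data, sigf = os.path.join(d, "data.bin"), os.path.join(d, "sig.bin")
        with open(data, "wb") as fh:
            fh.write(ticket.signed_data.encode())
        with open(sigf, "wb") as fh:
            fh.write(ticket.sig)
        r = subprocess.run(["openssl", "dgst", "-" + digest, "-verify", pubkey_path,
                            "-signature", sigf, data], capture_output=True, text=True)
    return r.returncode == 0 and "Verified OK" in r.stdout


if __name__ == "__main__":
    import sys
    t = parse_ticket(POSTED_COOKIE)
    for p in check_ticket(t, ["ssologin"], "192.168.0.15", now=1457316000):
        print("FAIL:", p)
    print("grace period started:", in_grace_period(t, 1457316000))
    if len(sys.argv) > 1:   # optional: path to the TKTAuthPublicKey PEM file
        print("signature:", "OK" if verify_signature_with_openssl(t, sys.argv[1]) else "BAD")
```

Run with the public key path as the only argument to include the signature check; each failing check names the field involved, which the TKT* variable dump from TKTAuthDebug 3 does not. The cip comparison in particular uses the address the SSO host saw when it minted the ticket, so it is worth comparing against what the client host actually sees.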





d...@alepe.com

Mar 7, 2016, 4:04:57 AM3/7/16
to mod_auth_pubtkt users
Not sure exactly how it was fixed (maybe cache related)... but I noticed that there is a big difference between restricting access to a directory and restricting the whole site.
Restricting a directory is easier, as the "cookie" setter code can be on the website root.
If you want to restrict the whole site, you first need to allow the URL that will set the cookie, or it won't work.
This is the setting that worked for me:

<VirtualHost *:443>
    ServerName client.example.com
    DocumentRoot /var/www/client

    SSLEngine On
    SSLCertificateFile /var/key/client.example.com/cert.pem
    SSLCertificateKeyFile /var/key/client.example.com/key.pem

    SetEnvIf Request_URI "^/sso_auth_cookie.php" granted=1

    <Location "/">
        AuthType mod_auth_pubtkt
        Order Deny,Allow
        Satisfy any
        Deny from all
        Allow from env=granted
        TKTAuthCookieName "sso_ticket"
        TKTAuthToken "ssologin"
        TKTAuthLoginURL https://sso.example.com/
        TKTAuthPublicKey /var/key/auth_pubtkt.pem
        TKTAuthRequireSSL on
        require valid-user
    </Location>
</VirtualHost>

I hope it helps someone in the same situation.

Please note that "sso" and "client" are not the real host names and that the above settings were modified to facilitate the understanding of the problem.


