Posted to users@httpd.apache.org by Kevin Konowalec <ke...@ualberta.ca> on 2005/03/07 22:28:49 UTC

[users@httpd] Authentication restriction

Is it possible to restrict AuthTypes based on specific criteria?  Our 
policy has changed such that we are no longer allowing the use of 
Kerberos passwords via non SSL-enabled connections.  So would it be 
possible to only allow users connected via HTTPS to be able to 
authenticate via kerberos (using mod_auth_kerb)?

Say, for example, a user has set up an htaccess authenticated directory 
within their home space.

https://www.example.com/~someuser/secure/

If the user chooses to use Kerberos authentication as the AuthType, 
then anyone accessing the page from an HTTP connection should get a 
custom error page saying something like:

The page you are attempting to retrieve is no longer accessible via 
HTTP.  The new URL is https://www.example.com/~someuser/secure/ .  
Please update your bookmarks.


It's not only user space that will be affected here.  Any directory 
using Kerberos as an authentication mechanism must only be accessible 
via HTTPS and get that error page otherwise.  Basic or Digest 
authentication are still fair game either way (though if there was no 
other way than to restrict them as well to HTTPS it wouldn't be a huge 
issue).


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Authentication restriction

Posted by Joshua Slive <js...@gmail.com>.
On Mon, 7 Mar 2005 20:13:42 -0700, Kevin Konowalec
<ke...@ualberta.ca> wrote:
> Okay but in the non-SSL section how can you specify that AuthType
> Kerberos should produce a custom ErrorDocument but that AuthType Basic
> or Digest should not?

As far as I know, you can only specify one AuthType per context.  So
you specify only the AuthType you want, and then use ErrorDocument 401
to give your additional info.  Of course, the 401 error document will
also be seen by people simply using the wrong password, so you'll need
to give some context.

However it sounds like you may be using some custom auth modules which
do things differently.  In that case, you'd need to consult whomever
gave you those modules.

Joshua.



Re: [users@httpd] Authentication restriction

Posted by Kevin Konowalec <ke...@ualberta.ca>.
Okay but in the non-SSL section how can you specify that AuthType 
Kerberos should produce a custom ErrorDocument but that AuthType Basic 
or Digest should not?

Kevin



On Mar 7, 2005, at 8:02 PM, Joshua Slive wrote:

> On Mon, 7 Mar 2005 14:28:49 -0700, Kevin Konowalec
> <ke...@ualberta.ca> wrote:
>> Is it possible to restrict AuthTypes based on specific criteria?  Our
>> policy has changed such that we are no longer allowing the use of
>> Kerberos passwords via non SSL-enabled connections.  So would it be
>> possible to only allow users connected via HTTPS to be able to
>> authenticate via kerberos (using mod_auth_kerb)?
>
> Sure.  Scope the access restrictions inside the <VirtualHost> section
> that applies to SSL requests.  In the non-SSL virtual host section,
> either put more stringent requirements, or deny all access, and use an
> ErrorDocument to give a helpful error message.
>
> Joshua.
>




Re: [users@httpd] Authentication restriction

Posted by Joshua Slive <js...@gmail.com>.
On Mon, 7 Mar 2005 14:28:49 -0700, Kevin Konowalec
<ke...@ualberta.ca> wrote:
> Is it possible to restrict AuthTypes based on specific criteria?  Our
> policy has changed such that we are no longer allowing the use of
> Kerberos passwords via non SSL-enabled connections.  So would it be
> possible to only allow users connected via HTTPS to be able to
> authenticate via kerberos (using mod_auth_kerb)?

Sure.  Scope the access restrictions inside the <VirtualHost> section
that applies to SSL requests.  In the non-SSL virtual host section,
either put more stringent requirements, or deny all access, and use an
ErrorDocument to give a helpful error message.

Joshua.

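One way to lay out the two virtual hosts Joshua describes, as an added example that is not part of the thread: Kerberos is offered only in the SSL host, and the same path in the plain-HTTP host is denied outright with ErrorDocument pointing at a custom page. The paths, realm, keytab and the mod_auth_kerb directives KrbAuthRealms and Krb5Keytab are assumed placeholders; the access-control syntax is Apache 2.4 (on 2.0/2.2 the equivalent is "Order deny,allow" plus "Deny from all").

```apache
# Added example, not from the original post. Placeholders: paths, realm, keytab.

# Port 443: the only place Kerberos authentication is configured, so the
# password never crosses the wire in the clear.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile omitted (site-specific)

    <Directory "/home/*/public_html/secure">
        AuthType Kerberos
        AuthName "Kerberos Login"
        # mod_auth_kerb directives below are assumed; adjust to the module version in use
        KrbAuthRealms EXAMPLE.COM
        Krb5Keytab /etc/httpd/http.keytab
        Require valid-user
    </Directory>
</VirtualHost>

# Port 80: the same path is denied for everyone, and the resulting 403 is
# replaced with a page telling the visitor to use the HTTPS URL instead.
<VirtualHost *:80>
    ServerName www.example.com

    Alias /errors /var/www/errors
    ErrorDocument 403 /errors/use-https.html

    <Directory "/home/*/public_html/secure">
        Require all denied
    </Directory>

    # The error page itself must remain reachable over HTTP,
    # otherwise the visitor just sees a bare 403.
    <Directory "/var/www/errors">
        Require all granted
    </Directory>
</VirtualHost>
```

Check it with two requests: `curl -I http://www.example.com/~someuser/secure/` should return 403 with the custom body, while the same URL over https:// should answer 401 with a WWW-Authenticate header from mod_auth_kerb.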