Re: Any security issue with using SPNEGOto perform single-sign-on?

[Saqib Ali <docbook.xml () gmail com>]

Hello Paul,

Thanks for the reply. I have been thinking quite a lot about this SSO topic.

You are correct, when it comes to SPNEGO based SSO, the user can not
really "log-off" from a web application other than by logging off from
the client workstation. On the other hand solutions like Siteminder,
which provide SSO using session cookie, don't have this problem. As
soon as the user exits out of the browser, he/she is logged off from
the application as well. They don't have to log-off from the computer.

However SPNEGO is a more holistic approach to SSO, which uses Kerberos
Tickets, instead of cookies. This is helps non-cookie aware
applications (like WebDAV clients) to participate in a SSO
environment.

--
In Peace,
Saqib Ali
http://tools.tldp.org/search.php <--- Search for Linux HOWTOs



On Wed, 23 Mar 2005 13:07:37 +0000, Paul Johnston <paul () westpoint ltd uk> wrote:
> Hi,
>
> In principle I would worry that there's a risk of phishing style attacks
> where users are lured to visit a fake site, which harvests their
> details. Now, I think this is mitigated, because credentials are only
> given to sites in the intranet zone, and the server name is included in
> the kerberos principal. But still, this is an attack angle I'd give some
> thought. For example, can an attacker who has harvested a single ticket
> then perform an offline password brute force attack?
>
> I agree, CSRF is a problem with any authentication scheme where the
> browser automatically attached the credentials. For now you'll have to
> rely on the application-layer workaround of having random tokens in
> forms. I've just been musing that browsers could provide this protection
> with a simple rule: for POST requests, where the originating form is a
> different (hostname, protocol) to the target, do not attach any
> credentials. Provided people followed the HTTP spec (i.e. only do
> actions on POST requests), this would provide decent protection and I
> don't think it would break much.
>
> A general worry I have is SSO is that there is no longer a logout
> function. It's considered good practice to provide a logout function, so
> a user can be reasonably sure their session really has finished and no
> further actions can occur. I guess the browser could do this - it would
> prompt the first time it sends credentials to a site, after that
> automatically send credentials without asking, until the user selects
> some kind of logout function. I don't think any browsers support this,
> but it could work.
>
> Regards,
>
> Paul
>
>
> Saqib Ali wrote:
>
> > I was wondering if anyone has encountered any security concern/issues
> > while implementing SPNEGO <
> > http://www.vintela.com/resources/topics/spnego/ >.  SPNEGO provides a
> > single-sign-on in a KERBEROS enabled environment. Basically it allows
> > web applications to automatically authenticate clients who have valid
> > Kerberos credentials.
> >
> > I am planning to install the mod_spnego module on a apache server,
> > that will enable the client to single-sign-on to our internal
> > application, if they are part of our AD.
> >
> > I possible concern is the increase of CSRF type of attacks, but that
> > is the case with any single-sign-on solution.
>
> --
> Paul Johnston, GSEC
> Internet Security Specialist
> Westpoint Limited
> Albion Wharf, 19 Albion Street,
> Manchester, M1 5LN
> England
> Tel: +44 (0)161 237 1028
> Fax: +44 (0)161 237 1031
> email: paul () westpoint ltd uk
> web: www.westpoint.ltd.uk


-- 
In Peace,
Saqib Ali
http://tools.tldp.org/search.php <--- Search for Linux HOWTOs