Nagios - LDAP/RSA authentication
Kevin Keane
subscription at kkeane.com
Sat Jan 24 14:11:11 CET 2009
Also, does your user database support Kerberos? If so, you could try to
use apache's mod_kerb and use a Kerberos ticket instead of the changing
RSA password for authentication. That solves the security problem I
mentioned earlier, as well as having to retype the password all the
time. You will need a Kerberos-enabled browser (Internet Explorer
supports it, I believe - not sure about any of the others). Also, it
will probably not work if there are too many firewalls around.
Mohammed Al-Kout wrote:
> Kevin,
>
> Yes, when Nagios is doing nothing it sits for exactly 10 mins. I managed
> to make it 30 mins by changing the LDAPCacheTTL parameter in
> httpd.conf, but it only gave me time up to 30 mins and then started giving
> authentication errors because it was checking against the cached
> password.
>
> We are using RSA through LDAP for the majority of our services to have
> a secure and centralized user DB. We have a group of users with
> different permissions; that's why the default user wouldn't work in our
> case.
>
> I was hoping to find the parameter that sets the 10 min idle timeout
> for the browser/Nagios/LDAP combo.
>
> Best Regards
> --
> Mohammed Al-Kout
>
> On Sat, Jan 24, 2009 at 14:53, Kevin Keane <subscription at kkeane.com> wrote:
>
> If the RSA password really changes every minute, your Web browser
> should ask for a new password every minute with the next HTTP
> request. If Nagios simply sits there and you don't do anything, I
> believe it refreshes every five to ten minutes. So that is when
> the browser would ask for the new password. If you are actually
> working with it and clicking on links, then it would probably ask
> for a password earlier.
>
> BTW, could you post this back to the mailing list rather than me
> personally? Other people may have great ideas on it, too, and this
> type of discussion should also be archived.
>
> What might help here is something along the lines of Kerberos, but
> I believe Apache does not support it, at least not out of the box.
>
> The other possibility is to have some kind of "front end" that
> handles authentication and then forwards the HTTP requests to
> Nagios. In Nagios, you could then use the default-user to allow
> access for anyone (you wouldn't be able to restrict access by
> group or so, though).
>
> Personally, I think that for Nagios purposes, you should ditch RSA
> and go back to a local password file for nagios. I suspect using
> RSA with Nagios actually reduces rather than increases the
> security. This is because an attacker could potentially see many
> different passwords, and use that to deduce information about the
> sequence of RSA keys and possibly in the end predict the next one.
> RSA is pretty strong overall, so this is not a huge risk, but
> something to keep in mind.
>
> Mohammed Al-Kout wrote:
>
> Kevin,
>
> The RSA password changes every 1 min; the Nagios session
> times out (i.e. requires re-authentication) every 10 mins.
> All I need is: is there a way to change this value to stay
> longer than 10 mins? Like 2-3 hours, for example.
>
> Best Regards
> --
> Mohammed Al-Kout
>
> On Sat, Jan 24, 2009 at 11:57, Kevin Keane <subscription at kkeane.com> wrote:
>
> Of course you wouldn't get it with the local passwd file, because
> that password never changes. It's not the LDAP Cache settings, but
> the fact that your RSA passwords themselves are changing
> frequently - presumably every ten minutes - as you said earlier.
>
> Mohammed Al-Kout wrote:
>
> Kevin,
>
> We didn't get the re-authenticate window when we had the local
> passwd file. Once we enabled LDAP authentication, it's re-popping
> at exactly 10 mins. It has something to do with the LDAP Cache
> settings.
>
> Best Regards
> --
> Mohammed Al-Kout
>
> On Fri, Jan 23, 2009 at 15:32, Kevin Keane <subscription at kkeane.com> wrote:
>
> There is no "idle timeout" when using HTTP authentication, because
> there are no sessions involved that would be idle.
>
> Each request stands on its own, and is separately authenticated.
>
> Mohammed Al-Kout wrote:
>
> What about the idle timeout?
>
> Best Regards
> --
> Mohammed Al-Kout
>
> On Thu, Jan 22, 2009 at 09:49, Kevin Keane <subscription at kkeane.com> wrote:
>
> No. It has nothing to do with time. The popup will come up every
> time the RSA password changes. So the only solution is to reduce
> how often the password changes.
>
> Mohammed Al-Kout wrote:
>
> Kevin,
>
> Is it possible to give the browser certain parameters to
> increase this time? (We are using Firefox.)
>
> Best Regards
> --
> Mohammed Al-Kout
>
> On Wed, Jan 21, 2009 at 17:19, Kevin Keane <subscription at kkeane.com> wrote:
>
> There is no such thing as a "session" in Nagios. It simply uses plain
> HTTP authentication. That means that the user name and password is sent
> with every single HTTP request; requests are not tied together the way
> you might be used to from online banking sites and the like.
>
> What you are observing could be due to a couple of different factors,
> but it is almost certainly neither LDAP, Apache nor Nagios, but rather
> the Web browser.
>
> - The most likely cause: you say that the RSA passwords change
> frequently. When the RSA password changes, the browser has no way of
> knowing that, and will continue to send the old password. This is
> rejected, and the browser then pops up the login dialog.
>
> - The browser may for some reason think that it is connecting to a
> different server, where the user name and password are no longer
> valid.
>
> - The browser may for some reason actually forget the user name and
> password.
>
> Mohammed Al-Kout wrote:
> > Werner,
> >
> > The session seems to be expiring after (10-20) and Nagios asks for
> > re-authentication. (We are using RSA passwords that change frequently,
> > so the LDAPCache does not apply in our case.) Are you using
> > mod_auth_ldap?
> > What are the parameters you use in the httpd.conf for LDAP Cache
> > settings?
> >
> > Best Regards
> > --
> > Mohammed Al-Kout
> >
> > On Wed, Jan 21, 2009 at 16:22, Werner Flamme <werner.flamme at ufz.de> wrote:
> >
> > Mohammed Al-Kout [21.01.2009 14:00]:
> > > Hello,
> > >
> > > I'm running Nagios 3.0.1 on Apache 2.0.52. It's been running on a
> > > local userfile for some time; recently I switched to LDAP
> > > authentication with mod_auth_ldap. It's working fine; the problem
> > > is I'm getting the authentication popup every 10-20 mins. Is
> > > there a way to stop this or set a longer interval? I'm not sure
> > > what is causing this popup to reappear (LDAP, Apache or Nagios).
> > > If anyone has an idea, please let me know.
> >
> > Neither of them. We have used LDAP auth for years, and there are no
> > such popups.
> >
> > Regards,
> > Werner
> >
>
> --
> Kevin Keane
> Owner
> The NetTech
> Find the Uncommon: Expert Solutions for a Network You Never Have to Think About
>
> Office: 866-642-7116
> http://www.4nettech.com
>
> This e-mail and attachments, if any, may contain confidential and/or
> proprietary information. Please be advised that the unauthorized use or
> disclosure of the information is strictly prohibited. The information
> herein is intended only for use by the intended recipient(s) named
> above. If you have received this transmission in error, please notify
> the sender immediately and permanently delete the e-mail and any
> copies, printouts or attachments thereof.
--
Kevin Keane
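The thread's core point is that HTTP Basic auth has no session: the browser resends the same Authorization header with every request, and a credential cache in front of the directory (LDAPCacheTTL in this thread) decides for how long a code that has already rotated is still accepted. The following is an added example, not code from the thread or from Apache or Nagios: a small Python model of that interaction. The rotating code is a constructed stand-in (a plain counter), not RSA SecurID's algorithm; the 60-second token period and the 600-second cache TTL are assumptions taken from the thread's numbers; and the cache models the behaviour the thread describes rather than reproducing mod_auth_ldap's implementation. It also goes one step beyond the thread by running with the cache switched off (TTL 0), where the prompt follows the token period instead of the cache TTL.

```python
"""Model of why a rotating (RSA-style) password behind HTTP Basic auth
with a TTL credential cache produces re-authentication prompts.

Added example; not code from the mailing-list thread, Apache or Nagios.
The rotating code is a constructed stand-in, not RSA SecurID's algorithm.
"""
import base64
import hashlib

TOKEN_PERIOD = 60        # assumption from the thread: the RSA code changes every minute
DEFAULT_CACHE_TTL = 600  # assumption: a 10-minute credential cache (LDAPCacheTTL-like)


def rotating_code(t: int, period: int = TOKEN_PERIOD) -> str:
    """Constructed stand-in for a one-time code: constant within one period."""
    return f"{t // period:06d}"


class Directory:
    """The LDAP/RSA back end: a bind succeeds only with the code valid right now."""

    def bind(self, user: str, password: str, now: int) -> bool:
        return password == rotating_code(now)


class CachingAuthenticator:
    """Per-request Basic auth check with a TTL credential cache.

    Models the behaviour the thread attributes to LDAPCacheTTL: a
    (user, password) pair that bound successfully is accepted again
    without a new bind until its cache entry expires.
    """

    def __init__(self, directory: Directory, ttl: int):
        self.directory = directory
        self.ttl = ttl
        self.cache = {}  # user -> (sha256 of password, expiry time)

    def check(self, auth_header: str, now: int) -> bool:
        scheme, _, b64 = auth_header.partition(" ")
        if scheme != "Basic":
            return False
        user, _, password = base64.b64decode(b64).decode().partition(":")
        digest = hashlib.sha256(password.encode()).hexdigest()
        hit = self.cache.get(user)
        if hit and hit[0] == digest and now < hit[1]:
            return True  # served from cache: no bind, so a stale code still passes
        ok = self.directory.bind(user, password, now)
        if ok:
            self.cache[user] = (digest, now + self.ttl)
        return ok


class Browser:
    """Remembers the last accepted credential and resends it on every request."""

    def __init__(self, user: str):
        self.user = user
        self.header = None
        self.prompts = []  # times at which the login dialog appeared

    def request(self, auth: CachingAuthenticator, now: int) -> bool:
        """Issue one request; return True if the user had to re-authenticate."""
        if self.header and auth.check(self.header, now):
            return False
        # 401: the browser prompts and the user types the code currently on the token
        self.prompts.append(now)
        creds = f"{self.user}:{rotating_code(now)}".encode()
        self.header = "Basic " + base64.b64encode(creds).decode()
        auth.check(self.header, now)  # the fresh code binds and is cached
        return True


def simulate(ttl: int, interval: int, duration: int) -> list:
    """Return the times at which the user was prompted, with one request every `interval` s."""
    auth = CachingAuthenticator(Directory(), ttl)
    browser = Browser("mohammed")  # constructed sample user
    for now in range(0, duration, interval):
        browser.request(auth, now)
    return browser.prompts


if __name__ == "__main__":
    print("TTL 600 s :", simulate(DEFAULT_CACHE_TTL, 30, 1800))  # prompts every 10 min
    print("TTL 1800 s:", simulate(1800, 30, 3600))               # prompts every 30 min
    print("no cache  :", simulate(0, 30, 300))                   # prompts every token period
```

With the cache at 600 s the prompt recurs at exactly ten-minute boundaries, which is the pattern reported in the thread, and raising the TTL to 1800 s moves it to thirty minutes. The defender's reading is that the cache is not keeping the user logged in; it is masking the token rotation by accepting a one-time code for the whole TTL after it stopped being valid, so a longer TTL widens the window in which a captured Authorization header is replayable against this server. With no cache, the prompt follows the token period, which is the behaviour Kevin describes.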
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users