Nagios - LDAP/RSA authentication

Mohammed Al-Kout mjkout at gmail.com
Sat Jan 24 13:03:07 CET 2009


Kevin,

Yes, when Nagios is doing nothing it sits for exactly 10 mins. I managed to
make it 30 mins by changing the LDAPCacheTTL parameter in httpd.conf, but it
only gave me time up to 30 mins, then started giving authentication errors
because it was checking against the cached password.

We are using RSA through LDAP for the majority of our services to have a
secure and centralized user DB. We have a group of users with different
permissions; that's why the default user wouldn't work in our case.

I was hoping to find the parameter that sets the 10 min idle timeout for the
browser/Nagios/LDAP combo.


Best Regards
--
Mohammed Al-Kout





On Sat, Jan 24, 2009 at 14:53, Kevin Keane <subscription at kkeane.com> wrote:

> If the RSA password really changes every minute, your Web browser should
> ask for a new password every minute with the next HTTP request. If Nagios
> simply sits there and you don't do anything, I believe it refreshes every
> five to ten minutes. So that is when the browser would ask for the new
> password. If you are actually working with it and clicking on links, then it
> would probably ask for a password earlier.
>
> BTW, could you post this back to the mailing list rather than me
> personally? Other people may have great ideas on it, too, and this type of
> discussion should also be archived.
>
> What might help here is something along the lines of Kerberos, but I
> believe Apache does not support it, at least not out of the box.
>
> The other possibility is to have some kind of "front end" that handles
> authentication and then forwards the HTTP requests to Nagios. In Nagios, you
> could then use the default-user to allow access for anyone (you wouldn't be
> able to restrict access by group or so, though).
>
> Personally, I think that for Nagios purposes, you should ditch RSA and go
> back to a local password file for nagios. I suspect using RSA with Nagios
> actually reduces rather than increases the security. This is because an
> attacker could potentially see many different passwords, and use that to
> deduct information about the sequence of RSA keys and possibly in the end
> predict the next one. RSA is pretty strong overall, so this is not a huge
> risk, but something to keep in mind.
>
> Mohammed Al-Kout wrote:
>
>> Kevin,
>>
>> The RSA password changes every 1 min; the Nagios session times out (i.e.
>> requires re-authentication) every 10 mins. All I need is: is there a way to
>> change this value to stay longer than 10 mins? Like 2-3 hours, for example.
>>
>> Best Regards
>> --
>> Mohammed Al-Kout
>>
>> On Sat, Jan 24, 2009 at 11:57, Kevin Keane <subscription at kkeane.com> wrote:
>>
>>    Of course you wouldn't get it with the local passwd file, because
>>    that password never changes. It's not the LDAP Cache settings, but
>>    the fact that your RSA passwords themselves are changing
>>    frequently - presumably every ten minutes - as you said earlier.
>>
>>    Mohammed Al-Kout wrote:
>>
>>        Kevin,
>>
>>        We didn't get the re-authenticate window when we had the local
>>        passwd file. Once we enabled LDAP authentication it's re-popping
>>        at exactly 10 mins; it has something to do with the LDAP cache
>>        settings.
>>
>>        Best Regards
>>        --
>>        Mohammed Al-Kout
>>
>>        On Fri, Jan 23, 2009 at 15:32, Kevin Keane
>>        <subscription at kkeane.com> wrote:
>>
>>           There is no "idle timeout" when using HTTP authentication,
>>           because there are no sessions involved that would be idle.
>>
>>           Each request stands on its own, and is separately
>>           authenticated.
>>
>>           Mohammed Al-Kout wrote:
>>
>>               What about the idle timeout?
>>
>>               Best Regards
>>               --
>>               Mohammed Al-Kout
>>
>>               On Thu, Jan 22, 2009 at 09:49, Kevin Keane
>>               <subscription at kkeane.com> wrote:
>>
>>                  No. It has nothing to do with time. The popup will
>>                  come up every time the RSA password changes. So the
>>                  only solution is to reduce how often the password
>>                  changes.
>>
>>                  Mohammed Al-Kout wrote:
>>
>>                      Kevin,
>>
>>                      Is it possible to give the browser certain
>>                      parameters to increase this time? (We are using
>>                      Firefox.)
>>
>>                      Best Regards
>>                      --
>>                      Mohammed Al-Kout
>>
>>                      On Wed, Jan 21, 2009 at 17:19, Kevin Keane
>>                      <subscription at kkeane.com> wrote:
>>
>>                         There is no such thing as a "session" in
>>                         Nagios. It simply uses plain HTTP
>>                         authentication. That means that the user name
>>                         and password is sent with every single HTTP
>>                         request; requests are not tied together the
>>                         way you might be used to from online banking
>>                         sites and the like.
>>
>>                         What you are observing could be due to a
>>                         couple of different factors, but it is almost
>>                         certainly neither LDAP, Apache nor Nagios, but
>>                         rather the Web browser.
>>
>>                         - The most likely cause: you say that the RSA
>>                         passwords change frequently. When the RSA
>>                         password changes, the browser has no way of
>>                         knowing that, and will continue to send the
>>                         old password. This is rejected, and the
>>                         browser then pops up the login dialog.
>>
>>                         - The browser may for some reason think that
>>                         it is connecting to a different server, where
>>                         the user name and password are no longer
>>                         valid.
>>
>>                         - The browser may for some reason actually
>>                         forget the user name and password.
>>
>>                         Mohammed Al-Kout wrote:
>>                         > Werner,
>>                         >
>>                         > The session seems to be expiring after
>>                         > (10-20) and Nagios asks for
>>                         > re-authentication. (We are using RSA
>>                         > passwords that change frequently, so the
>>                         > LDAPCache does not apply in our case.) Are
>>                         > you using mod_auth_ldap? What are the
>>                         > parameters you use in the httpd.conf for
>>                         > LDAP cache settings?
>>                         >
>>                         > Best Regards
>>                         > --
>>                         > Mohammed Al-Kout
>>                         >
>>                         > On Wed, Jan 21, 2009 at 16:22, Werner Flamme
>>                         > <werner.flamme at ufz.de> wrote:
>>                         >
>>                         >     Mohammed Al-Kout [21.01.2009 14:00]:
>>                         >     > Hello,
>>                         >     >
>>                         >     > I'm running Nagios 3.0.1 on Apache
>>                         >     > 2.0.52. It's been running on a local
>>                         >     > userfile for some time; recently I
>>                         >     > switched to LDAP authentication with
>>                         >     > mod_auth_ldap. It's working fine; the
>>                         >     > problem is I'm getting the
>>                         >     > authentication popup every 10-20 mins.
>>                         >     > Is there a way to stop this or set a
>>                         >     > longer interval? I'm not sure what is
>>                         >     > causing this popup to reappear (LDAP,
>>                         >     > Apache or Nagios). If anyone has an
>>                         >     > idea please let me know.
>>                         >
>>                         >     Neither of them. We have used LDAP auth
>>                         >     for years, and there are no such popups.
>>                         >
>>                         >     Regards,
>>                         >     Werner
>>                         >
>>
>>
>>
>>           --    Kevin Keane
>>           Owner
>>           The NetTech
>>           Find the Uncommon: Expert Solutions for a Network You Never
>>           Have to Think About
>>
>>           Office: 866-642-7116
>>           http://www.4nettech.com
>>
>>           This e-mail and attachments, if any, may contain confidential
>>           and/or proprietary information. Please be advised that the
>>           unauthorized use or disclosure of the information is strictly
>>           prohibited. The information herein is intended only for use
>>           by the intended recipient(s) named above. If you have received
>>           this transmission in error, please notify the sender immediately
>>           and permanently delete the e-mail and any copies, printouts or
>>           attachments thereof.
>>
>>
>>
>>
>>
>>
>>
>
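The mechanics argued over in this thread, modelled as an added example (not code from the thread, Apache or Nagios): stateless HTTP Basic auth in front of an LDAP bind with a positive-result cache (the role LDAPCacheTTL plays), a token code that rotates every minute, and Kevin's suggested authenticating front end modelled as a session store with its own idle timeout. The user name "mohammed", the token seed and the cache-hit rule (a hit counts only when the presented password equals the cached one) are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a rotating token code: a keyed hash of the current
# minute, so it changes every 60 s. Real RSA SecurID codes are not derived this way.
SEED = b"constructed-seed"

def otp_at(now):
    return hmac.new(SEED, str(int(now // 60)).encode(), hashlib.sha256).hexdigest()[:6]

def ldap_bind(user, password, now):  # the directory only accepts the current code
    return user == "mohammed" and password == otp_at(now)

class BasicAuthLdap:
    """Per-request HTTP Basic auth with a positive-result cache of `ttl` seconds
    (the role LDAPCacheTTL plays in the thread). Assumption: a hit counts only
    if the presented password equals the cached one."""
    def __init__(self, ttl):
        self.ttl = ttl
        self.cache = {}  # user -> (password, expires_at)
    def request(self, user, password, now):
        """Every request carries the credentials; returns an HTTP status."""
        hit = self.cache.get(user)
        if hit and hit[1] > now and hit[0] == password:
            return 200
        if not ldap_bind(user, password, now):
            return 401  # the browser answers this with the login dialog
        self.cache[user] = (password, now + self.ttl)
        return 200

class SessionFrontEnd:
    """Front end that checks the code once, then tracks a session with its own
    idle timeout and forwards to Nagios as that user."""
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.sessions = {}  # session id -> (user, last_seen)
    def login(self, user, password, now):
        if not ldap_bind(user, password, now):
            return None
        sid = secrets.token_hex(16)  # opaque cookie value, never the password
        self.sessions[sid] = (user, now)
        return sid
    def request(self, sid, now):  # returns the user, or None once idled out
        entry = self.sessions.get(sid)
        if not entry or now - entry[1] > self.idle_timeout:
            self.sessions.pop(sid, None)
            return None
        self.sessions[sid] = (entry[0], now)  # activity resets the idle clock
        return entry[0]
```

With a 600 s cache the stale code the browser keeps resending is accepted for ten minutes and then rejected on the first uncached bind, which is the behaviour reported above; the session front end decouples the idle timeout from the token rotation entirely.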
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users