Basic auth expires after 10 minutes

[alehaa]

Hi everyone,

I'm using this module to authenticate the users with their AD credentials via kerberos, basic auth and a form login (which authenticates the user via PHP + basic auth). The GssapiUseSessions option is set to On, so the authentication process needs to be done only once. However, if I use basic auth for the first login and the session cookie for the following requests, the user can't be authenticated anymore after exactly 10 minutes.

According to the source code, the user should be authenticated indefinite and therefore logged in as long as the session is alive. The default krb5.conf should obtain tickets for one day. However, the log states

NO AUTH DATA Client did not send any authentication headers

and the request is terminated with an error 401.

So I guess the ticket is only valid for 10 minutes instead of a day. Is there any chance to increase this time limit? I couldn't find any hint in the source code, so I would appreciate some help.

Thanks ;)

[alehaa]

It seems that the user is authenticated indefinite, which results in a tgt with a lifetime of 10 hours. However, if basic auth is used, mag_context_loop() will be called with a requested lifetime of 5 minutes instead of indefinite ...

Is there any reason for this limit? Otherwise I would suggest setting it to GSS_C_INDEFINITE, so it is bound to the max. ticket lifetime configured in /etc/krb5.conf.

[simo5]

The reason why we use a short time-frame is that browsers normally store basic auth credentials and will resend them at each call.
We skip re-authenticating on each request only for performance reason, but we do not want to acquire long term credentials, we just want to reduce the frequency of required re-authentication to once every five minutes.
I would be willing to accept a patch that adds an option to control that though, if there are configurations where that really makes sense.

[alehaa]

I could try to provide a patch.

The configuration this is used for is a HTML login form. Its backend issues a request via basic auth and sends the generated cookie back to the user. However, if the internal session expires after 10 minutes, the user would be redirected to the login page every 10 minutes, as it doesn't know about the basic authentication.

[simo5]

On Mon, 2019-11-18 at 06:22 -0800, Alexander Haase wrote: I could try to provide a patch. The configuration this is used for is a HTML login form. Its backend issues a request via basic auth and sends the generated cookie back to the user. However, if the internal session expires after 10 minutes, the user would be redirected to the login page every 10 minutes, as it doesn't know about the basic authentication.

Understood, let me know if you have difficulties providing a patch, I think the use case makes sense and is worth allowing. Simo.

…

-- Simo Sorce RHEL Crypto Team Red Hat, Inc