Hello again. So I have a crude setup, mostly taken from the copy/paste HOWTO on the wiki.
If I supply my username (without realm) and my password I can log in using the Heimdal Kerberos backend. There are however a few issues I've seen.

When I attempt login with a username without an @ character, I can see it trying to authenticate against my Heimdal ACL. If the username and password don't match a valid user, however, the CGI won't just quit with some error, but will try over and over and over again relentlessly, like a bee trying to get out through a window. There might be a timeout for how long the CGI script can execute; I haven't waited that long. In any case, this could be a serious target for DoS.

I thought it might have been related to some difference between Heimdal and MIT Kerberos, but I see a similar behaviour from the mysql authentication. When I enter a username with an @ character I believe it defaults to mysql authentication. I don't have any mysql connections configured for cosign, so it will fail. It fails with a message in Apache's error log like "Unknown authentication type 'mysql'". However, just like the failed Kerberos login, it doesn't seem to care that the login attempt was unsuccessful. So the login CGI will flood Apache's error log with that message. At least it's not silent like the Kerberos flood.

The result for the user is the same. The browser has to wait for any response from the server, and to the user it might look like the server is temporarily down.

I'm using CoSign version 2.1.0rc1.

/Tobias

_______________________________________________
Cosign-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
