On Feb 25, 2009, at 3:56 PM, Joshua West wrote:

> Hey all,
>
> So we think we may have stumbled upon an issue with 2nd factor authentication. Either that, or our config (or understanding) is incorrect.
>
> We currently use Cosign to authenticate a la Kerberos to our AD. However, we have accounts in AD that we do not want to be able to log in, so we've created a 2nd factor authentication script to check a second database. Basically, you have to authenticate to AD -- AND be on that second list.
>
> Configuration is as follows in /etc/cosign.conf:
>
> factor /var/cosign/scripts/cosign-secondcheck -2 login
>
> At first glance, everything works as expected.
>
> If you log in using a valid username/password, with that username also existing in the 2nd database checked via the factor script, you're all set.
>
> If you log in using a valid username/password, but that username *DOES NOT* exist in the 2nd database checked via the factor script, the script does indeed return 1 with an error message; that error message is appropriately displayed on our login page, which acts as if you haven't logged in correctly.
>
> *HOWEVER*
>
> A cosign cookie for that user is still placed in /var/cosign/daemon/. As a result, our services protected by Cosign will still let that user in, if they revisit the Cosign protected page again directly, because it believes they have correctly authenticated.
>
> Is this a bug in Cosign? Or are we doing something wrong? For example, do we need to have all of our filters on each server utilizing Cosign specify that we require this 2nd factor as well as the first? Or is our understanding of 2nd factor authentication with regard to Cosign way off?
Are you specifying CosignRequireFactor in the Apache (or IIS or Java) configuration for the web service you're trying to protect? If not, mod_cosign will let them in.

_______________________________________________
Cosign-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
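As an added example (not code from this thread or from the Cosign project), a small audit script that scans httpd configuration text for container blocks that set CosignProtected On without also listing the second factor in CosignRequireFactor, which is exactly the gap the reply points at. The factor name `login` and the sample config are assumptions; the parser only handles flat, single-level container blocks.

```python
import re

# Constructed sample httpd config (not from the thread): three blocks, one of
# which is Cosign-protected but never requires the "login" second factor.
SAMPLE_CONFIG = """
<Location /intranet>
    CosignProtected      On
    CosignRequireFactor  login
</Location>

# second factor forgotten in this block
<Location /payroll>
    CosignProtected On
</Location>

<Location /public>
    CosignProtected Off
</Location>
"""

# Matches one container block and captures its kind, argument and body.
BLOCK_RE = re.compile(
    r"<(Location|LocationMatch|Directory)\s+([^>\s]+)\s*>(.*?)</\1>",
    re.IGNORECASE | re.DOTALL,
)


def parse_directives(body: str) -> dict:
    """Map lower-cased directive names to their argument strings."""
    directives = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and comments
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return directives


def find_unguarded_blocks(config_text: str, factor: str = "login") -> list:
    """Return (kind, arg) for each block that is CosignProtected On but does
    not name `factor` in its CosignRequireFactor directive."""
    findings = []
    for kind, arg, body in BLOCK_RE.findall(config_text):
        d = parse_directives(body)
        if d.get("cosignprotected", "").lower() != "on":
            continue  # not Cosign-protected, so no factor requirement applies
        required = d.get("cosignrequirefactor", "").split()
        if factor not in required:
            findings.append((kind, arg))
    return findings


if __name__ == "__main__":
    for kind, arg in find_unguarded_blocks(SAMPLE_CONFIG):
        print(f"{kind} {arg}: CosignProtected On without CosignRequireFactor login")
```

Run against the sample it reports only the /payroll block; pointing it at a real config for each Cosign filter host is the check the original poster was asking about.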
