I have CoSign and MIT Kerberos set up and working the way I want for users, but I'd like krb5 services to be able to get at some CoSign protected pages (like for fetching a protected RSS feed, etc.).
I've read a bit about this, and it seems like there are a few approaches:

1. Log in to CoSign by pretending you're a browser, accepting cookies, and passing a password as a POST. This cosign-discuss thread describes how to do this: http://is.gd/BInkqE

   The problem with this for services is twofold: First, obviously you're storing and sending a plain old password, even if it's across SSL. Second, there is no password for krb5 services; it's already been salted and hashed to a key and is stored in a keytab, or was -randkey to start with. So, it looks like the best way to make this work is to add a "key" parameter to CoSign and send the service's keyblock, base64'd probably? That seems better than giving the services regular passwords and then managing and storing those, although neither is great.

2. Give the services long-term X.509 certificates, and make sure my cert revocation list system works in case there's a problem.

3. Set up and use kx509 so the services can get short-term X.509 certificates. This seems like the best one, but... is the kx509 project still being developed? The public source code hasn't been touched since 2005. This post talks about being wary of its code quality (at least, KCT's quality): http://orthrus.blogspot.com/2007/10/kx509-kerberos-and-cosign.html

   This Fermilab post talks about modifying and fixing KCA, but I don't see any released code: http://security.fnal.gov/pki/newkcafaq.html

   Is anybody using kx509, or is it a dead project?

4. Write a custom kerberized proxy for just the pages I need; services make normal krb5 requests to that, and it runs on the webserver. Yuck.

Thanks,
Chris

_______________________________________________
Cosign-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
