Oh, wait, negotiate is built into CoSign, sorry, I misread that part. Hmm, I will have to play around with this.
Chris

On 2011/07/31 13:44, Chris Hecker wrote:
>
>> 5. Provide a Kerberos protected version of the cosign login CGI. This
>> allows applications to authenticate using NegotiateAuth, get cosign
>> cookies, and then continue onwards as a cosign'd service. We also
>> provide this to users who are using supported browsers (mainly
>> Firefox) on managed machines, so that we avoid the Web-Double-Signon
>> problem.
>
> Did you put your patches for this up? I see your mod_auth_krb one, but
> nothing for CoSign?
>
> So this is transparent to browser users? In other words, I want my
> browser people to just do the cosign login that talks to krb5, but I
> want to talk to the cosign pages with negotiateauth from code.
>
> Thanks,
> Chris
>
>
>
> On 2011/07/31 05:28, Simon Wilkinson wrote:
>>
>> On 31 Jul 2011, at 06:07, Chris Hecker wrote:
>>> 3. Set up and use kx509 so the services can get short term x.509
>>> certificates. This seems like the best one, but...is the kx509 project
>>> still being developed? The public source code hasn't been touched since
>>> 2005. This post talks about being wary of its code quality (at least,
>>> KCT's quality):
>>>
>>> http://orthrus.blogspot.com/2007/10/kx509-kerberos-and-cosign.html
>>
>> I wrote that. KCT is horrible. kx509 is nicer. We are still running
>> kx509 locally, but it's increasingly a service in search of
>> applications. At the moment all we use it for is getting client
>> certificates for OpenVPN. Cosign has completely supplanted it for web
>> authentication at most sites that I am aware of. kx509 does still have
>> some traction - there is native support in Heimdal, for example, and
>> Henry Hotz is working on specifying an improved version of the
>> protocol. It's still probably not the best solution for this problem,
>> though.
>>
>>> 4. Write a custom kerberized proxy for just the pages I need, services
>>> make normal krb5 requests to that, and it runs on the webserver. Yuck.
>>
>> Yuck indeed. What we do is ...
>>
>> 5. Provide a Kerberos protected version of the cosign login CGI. This
>> allows applications to authenticate using NegotiateAuth, get cosign
>> cookies, and then continue onwards as a cosign'd service. We also
>> provide this to users who are using supported browsers (mainly
>> Firefox) on managed machines, so that we avoid the Web-Double-Signon
>> problem.
>>
>> I blogged about this in 2007 -
>> http://orthrus.blogspot.com/2007/10/kx509-kerberos-and-cosign.html
>>
>> Hope that helps!
>>
>> Cheers,
>>
>> Simon.
