Actually, you can authenticate to cosign using a Kerberos ticket via
SPNEGO, if you have SPNEGO configured on the central weblogin server and
enabled as a factor. There is currently no UI to control this and it
breaks central logout. I set this up on a test weblogin server many
years ago, and it worked but was very, very rough.
X.509 is in much the same situation: you can authenticate to cosign
using a client-side X.509 certificate, but there is currently no UI to
manage this in cosign and it breaks central logout.
The central logout breaking is due to the fact that after logout, the
client will re-present the credentials to the central weblogin server on
the next access that requires authentication, and the authentication
will transparently succeed with no interaction from a user (assuming
single factor), automatically logging the user in again for as long as
the Kerberos ticket or X.509 certificate is valid.
I am not aware of any institution that is using either SPNEGO or X.509
with cosign. Either one would require explicit configuration, possible
UI enhancements, and I don't think that documentation exists for either one.
--
Mark Montague
markm...@umich.edu
On 2017-11-27 10:29, Brian Rahn wrote:
Cosign is firmly tied to using a login & password against a Kerberos
realm. You would not be able to use a keytab or existing Kerberos
ticket to authenticate. The cookies are just random strings used to
reference data stored on the Cosign servers. They do not contain data,
nor are they derived from data.
On Sat, Nov 25, 2017 at 7:20 PM, Chris Hecker <chec...@d6.com> wrote:
I'm hoping the answer is 'no' for my current application, but is
there a way for a user with a valid krb5 account on the kdc and a
keytab file (or TGT) for that account to log into cosign without
knowing the password used to make the key? In other words, there's
no way to skip the plaintext password entry and pass a key or a
TGT directly to cosign, right?
Or, would it be possible to set the cookies correctly manually if
the user has the key and/or a TGT for the key? It doesn't seem
like it from looking at the code because then the corresponding
cookie file wouldn't exist in the /var/cosign/daemon directory,
but I wanted to make sure.
Thanks,
Chris
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
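The two design points made in this thread (Brian's point that cosign cookies are random handles referencing server-side state rather than data, and Mark's point that a transparent factor such as a SPNEGO ticket or client certificate silently re-establishes a session after central logout) can be seen in a small model. The following is an added example written for this thread; it is not cosign's code, and the class names, the principal `alice@EXAMPLE.ORG`, the integer clock values and the factor names are constructed for illustration.

```python
"""Toy model of a cosign-style central login server (added example, not
cosign's code).  It shows (1) why a login cookie cannot be minted from a
Kerberos key: the cookie is a random string whose only meaning is a
record held on the server, and (2) why a non-interactive factor breaks
central logout: the client re-presents the credential on the next
protected access and is logged in again without any user action."""
import secrets
from dataclasses import dataclass


@dataclass
class Credential:
    principal: str
    kind: str          # "password", "spnego" or "x509" (constructed names)
    valid_until: int   # constructed clock value, not real time


INTERACTIVE = {"password"}        # the user has to type something
TRANSPARENT = {"spnego", "x509"}  # the client presents it automatically


class WebloginServer:
    """Central login server: cookies are random handles into _sessions."""

    def __init__(self, enabled_factors=("password",)):
        self.enabled_factors = set(enabled_factors)
        self._sessions = {}   # cookie -> principal; exists only here

    def _verify(self, cred, now, typed_password):
        if cred.kind not in self.enabled_factors or now > cred.valid_until:
            return None
        if cred.kind in INTERACTIVE and typed_password is None:
            return None       # interactive factor with no user input fails
        return cred.principal

    def login(self, cred, now, typed_password=None):
        principal = self._verify(cred, now, typed_password)
        if principal is None:
            return None
        cookie = secrets.token_urlsafe(32)   # random; carries no data
        self._sessions[cookie] = principal
        return cookie

    def lookup(self, cookie):
        """A cookie is valid only while the server holds a record for it."""
        return self._sessions.get(cookie)

    def central_logout(self, cookie):
        self._sessions.pop(cookie, None)


class Client:
    """Browser-like client holding one cookie and one credential."""

    def __init__(self, cred):
        self.cred = cred
        self.cookie = None

    def access_protected(self, server, now):
        """Return the principal the server sees on this access, or None."""
        principal = server.lookup(self.cookie) if self.cookie else None
        if principal is not None:
            return principal
        if self.cred.kind in TRANSPARENT:
            # Ticket or cert is re-presented with no user interaction.
            self.cookie = server.login(self.cred, now)
            return server.lookup(self.cookie) if self.cookie else None
        return None   # password factor: the user must log in again


def forged_cookie_is_rejected():
    """Knowing the principal (or its key) does not yield a valid cookie."""
    server = WebloginServer()
    # Constructed guess built from the principal name: no server record.
    guessed = secrets.token_urlsafe(32) + "-alice@EXAMPLE.ORG"
    return server.lookup(guessed) is None


def relogin_after_logout(kind, valid_until=100):
    """Principal seen on the first access after central logout, or None."""
    server = WebloginServer(enabled_factors={"password", "spnego", "x509"})
    cred = Credential("alice@EXAMPLE.ORG", kind, valid_until)
    client = Client(cred)
    client.cookie = server.login(cred, now=1, typed_password="hunter2")
    if server.lookup(client.cookie) != "alice@EXAMPLE.ORG":
        raise RuntimeError("initial login failed")
    server.central_logout(client.cookie)
    return client.access_protected(server, now=2)


if __name__ == "__main__":
    print("forged cookie rejected:", forged_cookie_is_rejected())
    for factor in ("password", "spnego", "x509"):
        print(factor, "after logout ->", relogin_after_logout(factor))
    print("expired x509 after logout ->", relogin_after_logout("x509", valid_until=1))
```

Running it prints `None` for the password factor after logout but `alice@EXAMPLE.ORG` for the SPNEGO and X.509 factors, which is exactly the central-logout breakage described above; the session only stays gone once the ticket or certificate has expired. The forged-cookie check illustrates Brian's point: because the cookie value is never derived from user data, the only way to obtain a valid one is to have the server create the record.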