Our School of Informatics had this implemented on their weblogin service, though I am not sure if they still do. I could ask them, if people are interested. It is something I had been toying with implementing on the main University of Edinburgh login service.
Regards,
Graeme Wood

> On 27 Nov 2017, at 16:13, Mark Montague <markm...@umich.edu> wrote:
>
> Actually, you can authenticate to cosign using a Kerberos ticket via SPNEGO,
> if you have SPNEGO configured on the central weblogin server and enabled as a
> factor. There is currently no UI to control this and it breaks central
> logout. I set this up on a test weblogin server many years ago, and it
> worked but was very, very rough.
>
> X.509 is in much the same situation: you can authenticate to cosign using a
> client-side X.509 certificate, but there is currently no UI to manage this in
> cosign and it breaks central logout.
>
> The central logout breaking is due to the fact that after logout, the client
> will re-present the credentials to the central weblogin server on the next
> access that requires authentication, and the authentication will
> transparently succeed with no interaction from a user (assuming single
> factor), automatically logging the user in again for as long as the Kerberos
> ticket or X.509 certificate is valid.
>
> I am not aware of any institution that is using either SPNEGO or X.509 with
> cosign. Either one would require explicit configuration, possible UI
> enhancements, and I don't think that documentation exists for either one.
>
> --
> Mark Montague
> markm...@umich.edu
>
>
> On 2017-11-27 10:29, Brian Rahn wrote:
>> Cosign is firmly tied to using a login & password against a Kerberos realm.
>> You would not be able to use a keytab or existing Kerberos ticket to
>> authenticate. The cookies are just random strings used to reference data
>> stored on the Cosign servers. They do not contain data, nor are they derived
>> from data.
>>
>> On Sat, Nov 25, 2017 at 7:20 PM, Chris Hecker <chec...@d6.com> wrote:
>>
>> I'm hoping the answer is 'no' for my current application, but is there a way
>> for a user with a valid krb5 account on the kdc and a keytab file (or TGT)
>> for that account to log into cosign without knowing the password used to
>> make the key? In other words, there's no way to skip the plaintext password
>> entry and pass a key or a TGT directly to cosign, right?
>>
>> Or, would it be possible to set the cookies correctly manually if the user
>> has the key and/or a TGT for the key? It doesn't seem like it from looking
>> at the code because then the corresponding cookie file wouldn't exist in the
>> /var/cosign/daemon directory, but I wanted to make sure.
>>
>> Thanks,
>> Chris
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Cosign-discuss mailing list
>> Cosign-discuss@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/cosign-discuss

--
Graeme Wood, Enterprise Services, IT Infrastructure Division,
Information Services, The University of Edinburgh
Email: graeme.w...@ed.ac.uk
Phone: +44 131 650 5003
Fax: +44 131 650 6552
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
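Two points in the thread above lend themselves to a small model: Brian's statement that the cookies are random handles into server-side state (so nobody can mint one client-side from a key or TGT), and Mark's explanation of why enabling an ambient factor such as SPNEGO or a client X.509 certificate breaks central logout. The Python below is an added illustration written for this page, not cosign's code; the classes `WebLogin`, `Browser` and `Ticket`, the realm password table and the timeline in `run_scenario` are all constructed assumptions of the model and say nothing about cosign's actual internals.

```python
"""Toy model of opaque-handle SSO cookies and the central-logout problem that
appears when an ambient credential (Kerberos ticket via SPNEGO, or a client
X.509 certificate) is accepted as a login factor.

Constructed illustration, not cosign's code; every name here is an assumption.
"""
import secrets


class Ticket:
    """Stands in for a Kerberos TGT or client certificate: principal plus expiry."""

    def __init__(self, principal, expires_at):
        self.principal = principal
        self.expires_at = expires_at

    def valid(self, now):
        return now < self.expires_at


class WebLogin:
    """Central login server. Cookies are random handles into server-side state;
    nothing about the user or credential is encoded in them or derivable from them."""

    def __init__(self, realm_passwords, ambient_factor=False):
        self._passwords = realm_passwords      # principal -> password (stands in for the KDC)
        self._sessions = {}                    # cookie value -> principal (server-side state)
        self.ambient_factor = ambient_factor   # SPNEGO/X.509-style factor enabled?

    def _issue(self, principal):
        cookie = secrets.token_urlsafe(32)     # random, unrelated to the credential used
        self._sessions[cookie] = principal
        return cookie

    def login_password(self, principal, password):
        if self._passwords.get(principal) != password:
            return None
        return self._issue(principal)

    def login_ambient(self, ticket, now):
        """Log in silently from a presented ticket, if that factor is enabled."""
        if not self.ambient_factor or not ticket.valid(now):
            return None
        return self._issue(ticket.principal)

    def whoami(self, cookie):
        return self._sessions.get(cookie)

    def logout(self, cookie):
        # Central logout only forgets the state the cookie points at.
        self._sessions.pop(cookie, None)


class Browser:
    """User agent holding the login cookie and, optionally, an ambient credential."""

    def __init__(self, principal, password, ticket=None):
        self.principal, self.password, self.ticket = principal, password, ticket
        self.cookie = None

    def access(self, server, now):
        """Visit a protected page. Returns (principal, interactive): interactive is
        True if the user had to type a password to get in."""
        principal = server.whoami(self.cookie)
        if principal is not None:
            return principal, False
        if self.ticket is not None:
            cookie = server.login_ambient(self.ticket, now)
            if cookie is not None:            # re-presented credential accepted, no prompt
                self.cookie = cookie
                return self.ticket.principal, False
        self.cookie = server.login_password(self.principal, self.password)
        return server.whoami(self.cookie), True


def run_scenario(ambient_factor):
    """Login, central logout, revisit; then logout again and revisit after the
    ticket has expired. Returns the (principal, interactive) result of each visit."""
    server = WebLogin({"alice": "correct-horse"}, ambient_factor=ambient_factor)
    alice = Browser("alice", "correct-horse", ticket=Ticket("alice", expires_at=100))
    results = {"first": alice.access(server, now=0)}
    server.logout(alice.cookie)
    results["after_logout"] = alice.access(server, now=1)
    server.logout(alice.cookie)
    results["after_logout_ticket_expired"] = alice.access(server, now=200)
    return results


def manual_cookie_is_useless():
    """A client that knows the password and holds a ticket still cannot mint a
    cookie: a well-formed random value with no server-side entry resolves to nothing."""
    server = WebLogin({"alice": "correct-horse"}, ambient_factor=True)
    forged = secrets.token_urlsafe(32)
    return server.whoami(forged) is None


if __name__ == "__main__":
    print("password only:", run_scenario(ambient_factor=False))
    print("ambient factor:", run_scenario(ambient_factor=True))
    print("forged cookie useless:", manual_cookie_is_useless())
```

With the ambient factor off, every visit after logout prompts for a password; with it on, the visit right after logout silently re-authenticates from the still-valid ticket, and only once the ticket has expired does the prompt return, which is the behaviour Mark describes.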