We do indeed still run this.  It was discussed on this list at the time...
starting, I think, here:

https://sourceforge.net/p/cosign/mailman/message/6217667/

Cheers
Toby

> On 27 Nov 2017, at 16:18, Graeme Wood <graeme.w...@ed.ac.uk> wrote:
> 
> Our School of Informatics had this implemented on their weblogin service, 
> though I am not sure if they still do. I could ask them, if people are 
> interested. It is something I had been toying with implementing on the main 
> University of Edinburgh login service.
> 
> Regards,
> Graeme Wood
> 
>> On 27 Nov 2017, at 16:13, Mark Montague <markm...@umich.edu> wrote:
>> 
>> Actually, you can authenticate to cosign using a Kerberos ticket via SPNEGO, 
>> if you have SPNEGO configured on the central weblogin server and enabled as 
>> a factor.  There is currently no UI to control this and it breaks central 
>> logout.  I set this up on a test weblogin server many years ago, and it 
>> worked but was very, very rough.
>> 
>> X.509 is in much the same situation: you can authenticate to cosign using a 
>> client-side X.509 certificate, but there is currently no UI to manage this 
>> in cosign and it breaks central logout.
>> 
>> The central logout breaking is due to the fact that after logout, the client 
>> will re-present the credentials to the central weblogin server on the next 
>> access that requires authentication, and the authentication will 
>> transparently succeed with no interaction from a user (assuming single 
>> factor), automatically logging the user in again for as long as the Kerberos 
>> ticket or X.509 certificate is valid.
>> 
>> I am not aware of any institution that is using either SPNEGO or X.509 with 
>> cosign.  Either one would require explicit configuration, possible UI 
>> enhancements, and I don't think that documentation exists for either one.
>> 
>> -- 
>>  Mark Montague
>> 
>> markm...@umich.edu
>> 
>> 
>> On 2017-11-27 10:29, Brian Rahn wrote:
>>> Cosign is firmly tied to using a login & password against a Kerberos realm. 
>>> You would not be able to use a keytab or existing Kerberos ticket to 
>>> authenticate. The cookies are just random strings used to reference data 
>>> stored on the Cosign servers. They do not contain data, nor are they 
>>> derived from data.
>>> 
>>> On Sat, Nov 25, 2017 at 7:20 PM, Chris Hecker <chec...@d6.com> wrote:
>>> 
>>> I'm hoping the answer is 'no' for my current application, but is there a 
>>> way for a user with a valid krb5 account on the kdc and a keytab file (or 
>>> TGT) for that account to log into cosign without knowing the password used 
>>> to make the key? In other words, there's no way to skip the plaintext 
>>> password entry and pass a key or a TGT directly to cosign, right?
>>> 
>>> Or, would it be possible to set the cookies correctly manually if the user 
>>> has the key and/or a TGT for the key? It doesn't seem like it from looking 
>>> at the code because then the corresponding cookie file wouldn't exist in 
>>> the /var/cosign/daemon directory, but I wanted to make sure.
>>> 
>>> Thanks,
>>> Chris
>>> 
>>> 
>>> 
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> Cosign-discuss mailing list
>>> Cosign-discuss@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/cosign-discuss
>> 
> 
> -- 
> 
> Graeme Wood, Enterprise Services, IT Infrastructure Division,
> Information Services, The University of Edinburgh
> Email: graeme.w...@ed.ac.uk Phone: +44 131 650 5003 Fax: +44 131 650 6552
> 
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.
> 


-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

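The central-logout failure Mark describes, modelled as an added example (not cosign's own code): the cookie is a random handle to server-side state, a browser holding a Kerberos ticket or client certificate re-presents it on the next protected access, and logout alone does not stop that. The `Weblogin`, `Browser` and `logged_out` names are assumptions for the model; the mitigation shown (refusing transparent factors after a central logout until an interactive login) is one defensive option, not something the thread says cosign implements.

```python
import secrets

# Constructed model of a cosign-style central weblogin server (added example,
# not cosign's own code). Cookies are random opaque strings referencing
# server-side session records, as described in the thread.
TRANSPARENT = {"spnego", "x509"}   # factors a browser presents without user action


class Weblogin:
    def __init__(self, block_transparent_after_logout=False):
        self.sessions = {}          # cookie -> session record (server-side only)
        self.logged_out = set()     # users who performed central logout
        self.block = block_transparent_after_logout

    def authenticate(self, user, factor, credential_valid):
        if not credential_valid:    # expired ticket/cert: no transparent login
            return None
        if self.block and factor in TRANSPARENT and user in self.logged_out:
            return None             # mitigation: demand an interactive login first
        self.logged_out.discard(user)
        cookie = secrets.token_urlsafe(32)   # random, carries/derives no user data
        self.sessions[cookie] = {"user": user, "factor": factor}
        return cookie

    def logout(self, cookie):
        rec = self.sessions.pop(cookie, None)
        if rec:
            self.logged_out.add(rec["user"])


class Browser:
    """Holds a ticket/cert for `user` and presents it whenever login is required."""
    def __init__(self, user, factor, ticket_valid=True):
        self.user, self.factor, self.ticket_valid = user, factor, ticket_valid
        self.cookie = None

    def access_protected(self, server):
        """Return the user the server sees, or None if a login prompt is needed."""
        if self.cookie in server.sessions:
            return server.sessions[self.cookie]["user"]
        self.cookie = server.authenticate(self.user, self.factor, self.ticket_valid)
        return server.sessions[self.cookie]["user"] if self.cookie else None


def logout_then_reaccess(block):
    """SPNEGO login, central logout, then the next protected access."""
    server = Weblogin(block_transparent_after_logout=block)
    browser = Browser("alice", "spnego")
    browser.access_protected(server)        # initial transparent login
    server.logout(browser.cookie)           # central logout drops the session
    return browser.access_protected(server)  # "alice" means logout was defeated
```

With the naive server the user is silently logged back in as long as the ticket is valid; with the mitigation enabled, the next access falls through to an interactive prompt.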