> Actually, you can authenticate to cosign using a Kerberos ticket via
> SPNEGO, if you have SPNEGO configured on the central weblogin server and
> enabled as a factor.  There is currently no UI to control this and it
> breaks central logout.  I set this up on a test weblogin server many
> years ago, and it worked but was very, very rough.

The SPNEGO functionality is provided via mod_auth_kerb.  If you protect the
Cosign CGI with an alternate authentication mechanism (that provides
REMOTE_USER), Cosign will use that for authentication rather than presenting
the login UI.

Liam
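
The Apache side of what Liam describes, as an added example (this is not
configuration from the cosign project or from anyone on the thread): a
mod_auth_kerb block protecting the cosign login CGI so that a browser holding
a Kerberos ticket arrives with REMOTE_USER already set.  The CGI path
/cosign-bin/cosign.cgi, the realm EXAMPLE.EDU and the keytab location are
assumptions; adjust them to the local install.  The cosign-side step Mark
mentions (enabling SPNEGO as a factor) is not shown here.

```apache
# Added example, not from the cosign project.  Assumed: the login CGI is
# served at /cosign-bin/cosign.cgi, the realm is EXAMPLE.EDU, and a keytab
# containing HTTP/weblogin.example.edu is readable by the httpd user.
<Location /cosign-bin/cosign.cgi>
    AuthType            Kerberos
    AuthName            "Weblogin (Kerberos)"

    # Accept only SPNEGO/Negotiate tokens.  Leave the password fallback
    # off: with KrbMethodK5Passwd On, a browser that cannot do Negotiate
    # is offered HTTP Basic auth and sends the Kerberos password to the
    # web server, which defeats the point of ticket-based login.
    KrbMethodNegotiate  On
    KrbMethodK5Passwd   Off

    KrbAuthRealms       EXAMPLE.EDU
    Krb5Keytab          /etc/httpd/http.keytab
    KrbServiceName      HTTP

    # Strip the realm so REMOTE_USER is "jdoe" rather than
    # "jdoe@EXAMPLE.EDU", matching what the password login path yields.
    KrbLocalUserMapping On

    Require             valid-user
</Location>
```

Two things to check before relying on this.  First, the logout behaviour
Mark describes follows directly from the block above: once the user logs
out, the next request to the protected CGI carries a fresh Negotiate token
and succeeds with no interaction, so central logout is effectively a no-op
for as long as the ticket is valid.  Second, mod_auth_kerb is the module
Liam names, but it is no longer maintained; on current Apache 2.4 builds the
same role is usually filled by mod_auth_gssapi, whose directives differ.
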

On Mon, Nov 27, 2017 at 11:19 AM, Toby Blake <t...@inf.ed.ac.uk> wrote:

> We do indeed still run this.  It was discussed on this list at the time...
> starting, I think, here:
>
> https://sourceforge.net/p/cosign/mailman/message/6217667/
>
> Cheers
> Toby
>
> > On 27 Nov 2017, at 16:18, Graeme Wood <graeme.w...@ed.ac.uk> wrote:
> >
> > Our School of Informatics had this implemented on their weblogin
> service, though I am not sure if they still do. I could ask them, if people
> are interested. It is something I had been toying with implementing on the
> main University of Edinburgh login service.
> >
> > Regards,
> > Graeme Wood
> >
> >> On 27 Nov 2017, at 16:13, Mark Montague <markm...@umich.edu> wrote:
> >>
> >> Actually, you can authenticate to cosign using a Kerberos ticket via
> SPNEGO, if you have SPNEGO configured on the central weblogin server and
> enabled as a factor.  There is currently no UI to control this and it
> breaks central logout.  I set this up on a test weblogin server many years
> ago, and it worked but was very, very rough.
> >>
> >> X.509 is in much the same situation: you can authenticate to cosign
> using a client-side X.509 certificate, but there is currently no UI to
> manage this in cosign and it breaks central logout.
> >>
> >> The central logout breaking is due to the fact that after logout, the
> client will re-present the credentials to the central weblogin server on
> the next access that requires authentication, and the authentication will
> transparently succeed with no interaction from a user (assuming single
> factor), automatically logging the user in again for as long as the
> Kerberos ticket or X.509 certificate is valid.
> >>
> >> I am not aware of any institution that is using either SPNEGO or X.509
> with cosign.  Either one would require explicit configuration, possible UI
> enhancements, and I don't think that documentation exists for either one.
> >>
> >> --
> >>  Mark Montague
> >>
> >> markm...@umich.edu
> >>
> >>
> >> On 2017-11-27 10:29, Brian Rahn wrote:
> >>> Cosign is firmly tied to using a login & password against a Kerberos
> realm. You would not be able to use a keytab or existing Kerberos ticket to
> authenticate. The cookies are just random strings used to reference data
> stored on the Cosign servers. They do not contain data, nor are they
> derived from data.
> >>>
> >>> On Sat, Nov 25, 2017 at 7:20 PM, Chris Hecker <chec...@d6.com> wrote:
> >>>
> >>> I'm hoping the answer is 'no' for my current application, but is there
> a way for a user with a valid krb5 account on the kdc and a keytab file (or
> TGT) for that account to log into cosign without knowing the password used
> to make the key? In other words, there's no way to skip the plaintext
> password entry and pass a key or a TGT directly to cosign, right?
> >>>
> >>> Or, would it be possible to set the cookies correctly manually if the
> user has the key and/or a TGT for the key? It doesn't seem like it from
> looking at the code because then the corresponding cookie file wouldn't
> exist in the /var/cosign/daemon directory, but I wanted to make sure.
> >>>
> >>> Thanks,
> >>> Chris
> >>>
> >>>
> >>>
> >>> ------------------------------------------------------------------------------
> >>> Check out the vibrant tech community on one of the world's most
> >>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> >>> _______________________________________________
> >>> Cosign-discuss mailing list
> >>> Cosign-discuss@lists.sourceforge.net
> >>> https://lists.sourceforge.net/lists/listinfo/cosign-discuss
> >
> > --
> >
> > Graeme Wood, Enterprise Services, IT Infrastructure Division,
> > Information Services, The University of Edinburgh
> > Email: graeme.w...@ed.ac.uk Phone: +44 131 650 5003 Fax: +44 131 650 6552
> >
> > The University of Edinburgh is a charitable body, registered in
> > Scotland, with registration number SC005336.
> >
>
> --
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.