On Tue, 2014-06-17 at 23:14 +0000, Nordgren, Bryce L -FS wrote:
> When thinking about gateways and what Ipsilon may do, I came across this 
> thesis:
> https://davidben.net/thesis.pdf
> and source
> https://github.com/davidben/webathena
> His approach to unifying web and non-web technologies was to build
> gateways for non-web services such that browser based clients could be
> written without changing the server side.
> I'm not sold on that approach. However, the source repository includes
> a browser-based javascript implementation of the Kerberos protocol and
> a python gateway to a KDC. Users can kinit from the browser the way
> Kerberos intended (password does not go over the wire).
> Is it possible to do a pure-javascript, all browser based kinit/spnego
> so that users don't have to pop out to the command line to kinit? One
> still would not have the ability to ssh into a console after doing an
> in-browser kinit, but all the websites in the target domain should
> recognize the credentials.
> Worthwhile or dumb?

Where does the javascript come from?
How do you trust it is not going to send your password somewhere?
How do you trust another bug in the browser will not allow another "tab"
to read the memory of the browser including your password or TGT?

There is a good reason crypto and keys on one side and javascript on the
other should not come in contact, IMO.


Simo Sorce * Red Hat, Inc * New York
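The in-browser kinit Bryce describes above (password never crosses the wire) and the in-memory material Simo is worried about, as an added toy model of the Kerberos AS exchange. This is not code from the thread, from Webathena or from Ipsilon: the realm, principal names, iteration count and the HMAC-based stand-in cipher are constructed for the example; real Kerberos uses the RFC 3961/3962 encryption types, and transport to the KDC (or a gateway in front of it) is left out.

```python
"""Toy model of the Kerberos AS exchange behind 'kinit' (added example, not Webathena's code)."""
import hashlib
import hmac
import json
import os
import secrets
import time

REALM = "EXAMPLE.TEST"      # constructed realm name
PBKDF2_ITERATIONS = 4096    # assumed; RFC 3962 uses this as its default count
KU_PA_ENC_TIMESTAMP, KU_TICKET, KU_AS_REP_ENC_PART = 1, 2, 3   # key-usage numbers, as in RFC 4120


def string_to_key(password: str, principal: str, realm: str) -> bytes:
    """Derive the long-term key from the password (RFC 3962 shape: PBKDF2 salted with realm+principal)."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, 32)


def _keystream(key: bytes, usage: int, nonce: bytes, length: int) -> bytes:
    """Constructed HMAC-counter keystream; a stand-in for the AES-CTS enctypes, not a real one."""
    out = b""
    counter = 0
    while len(out) < length:
        block = usage.to_bytes(4, "big") + nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, usage: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC, with the key-usage number mixed in so a blob made for one purpose cannot be replayed as another."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, usage, nonce, len(plaintext))))
    tag = hmac.new(key, usage.to_bytes(4, "big") + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key: bytes, usage: int, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, usage.to_bytes(4, "big") + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, usage, nonce, len(ct))))


class ToyKDC:
    """KDC side. It stores password-derived keys only; it never sees the password itself."""

    def __init__(self):
        self.krbtgt_key = secrets.token_bytes(32)   # key of krbtgt/REALM, never leaves the KDC
        self.principals = {}

    def add_principal(self, name: str, password: str) -> None:
        self.principals[name] = string_to_key(password, name, REALM)

    def as_exchange(self, as_req: dict) -> dict:
        client_key = self.principals[as_req["cname"]]
        # PA-ENC-TIMESTAMP pre-authentication: proves the client knows the key without sending it
        padata = json.loads(toy_decrypt(client_key, KU_PA_ENC_TIMESTAMP, bytes.fromhex(as_req["padata"])))
        if abs(time.time() - padata["timestamp"]) > 300:
            raise ValueError("KRB_AP_ERR_SKEW: timestamp outside the accepted clock skew")
        session_key = secrets.token_bytes(32)
        ticket = {"cname": as_req["cname"], "session_key": session_key.hex(), "expires": time.time() + 36000}
        enc_part = {"session_key": session_key.hex(), "expires": ticket["expires"]}
        return {
            "cname": as_req["cname"],
            "ticket": toy_encrypt(self.krbtgt_key, KU_TICKET, json.dumps(ticket).encode()).hex(),
            "enc_part": toy_encrypt(client_key, KU_AS_REP_ENC_PART, json.dumps(enc_part).encode()).hex(),
        }

    def decrypt_ticket(self, ticket_hex: str) -> dict:
        """What the TGS can do with the krbtgt key; the client holds the TGT but cannot read it."""
        return json.loads(toy_decrypt(self.krbtgt_key, KU_TICKET, bytes.fromhex(ticket_hex)))


def kinit(kdc: ToyKDC, principal: str, password: str) -> dict:
    """Client side (the part a browser implementation would run). Returns the wire messages plus what stays in memory."""
    client_key = string_to_key(password, principal, REALM)
    padata = json.dumps({"timestamp": time.time()}).encode()
    as_req = {"cname": principal, "realm": REALM,
              "padata": toy_encrypt(client_key, KU_PA_ENC_TIMESTAMP, padata).hex()}
    as_rep = kdc.as_exchange(as_req)      # transport (UDP/TCP or a gateway) is out of scope here
    enc_part = json.loads(toy_decrypt(client_key, KU_AS_REP_ENC_PART, bytes.fromhex(as_rep["enc_part"])))
    return {
        "wire": [as_req, as_rep],
        "client_key": client_key.hex(),      # these three are what remains in client (browser) memory
        "session_key": enc_part["session_key"],
        "tgt": as_rep["ticket"],
    }


def password_on_wire(wire: list, password: str) -> bool:
    """True if the password (raw or hex-encoded) appears anywhere in the exchanged messages."""
    blob = json.dumps(wire)
    return password in blob or password.encode().hex() in blob
```

Running `kinit` against `ToyKDC` shows both halves of the thread: `password_on_wire` is false because only the encrypted timestamp and the encrypted AS-REP travel, yet the returned `client_key`, `session_key` and `tgt` are exactly the material that sits in the page's JavaScript heap afterwards, which is the exposure Simo points at. A wrong password fails at the KDC's integrity check on the pre-authentication data rather than by comparing passwords.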

Freeipa-users mailing list