On 06/17/2014 09:24 PM, Simo Sorce wrote:
On Tue, 2014-06-17 at 23:14 +0000, Nordgren, Bryce L -FS wrote:
When thinking about gateways and what Ipsilon may do, I came across this thesis:


and source


His approach to unifying web and non-web technologies was to build
gateways for non-web services such that browser based clients could be
written without changing the server side.

I'm not sold on that approach. However, the source repository includes
a browser-based javascript implementation of the Kerberos protocol and
a python gateway to a KDC. Users can kinit from the browser the way
Kerberos intended (password does not go over the wire).

Is it possible to do a pure-javascript, all browser based kinit/spnego
so that users don't have to pop out to the command line to kinit? One
still would not have the ability to ssh into a console after doing an
in-browser kinit, but all the websites in the target domain should
recognize the credentials.

Worthwhile or dumb?

Where does the javascript come from?
How do you trust it is not going to send your password somewhere?
How do you trust another bug in the browser will not allow another "tab"
to read the memory of the browser including your password or TGT?

There is a good reason crypto and keys on one side and javascript on the
other should not come in contact, IMO.


I have seen this project presented at the MIT Kerberos Consortium board of directors and it gave me goose bumps.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
