On 06/17/2014 09:24 PM, Simo Sorce wrote:
On Tue, 2014-06-17 at 23:14 +0000, Nordgren, Bryce L -FS wrote:
When thinking about gateways and what Ipsilon may do, I came across this thesis:
https://davidben.net/thesis.pdf
and source
https://github.com/davidben/webathena
His approach to unifying web and non-web technologies was to build
gateways for non-web services such that browser based clients could be
written without changing the server side.
I'm not sold on that approach. However, the source repository includes
a browser-based javascript implementation of the Kerberos protocol and
a python gateway to a KDC. Users can kinit from the browser the way
Kerberos intended (password does not go over the wire).
Is it possible to do a pure-javascript, all browser based kinit/spnego
so that users don't have to pop out to the command line to kinit? One
still would not have the ability to ssh into a console after doing an
in-browser kinit, but all the websites in the target domain should
recognize the credentials.
Worthwhile or dumb?
Where does the javascript come from ?
How do you trust it is not going to send your password somewhere ?
How do you trust another bug in the browser will not allow another "tab"
to read the memory of the browser including your password or TGT ?
There is a good reason crypto and keys on one side and javascript on the
other should not come in contact, IMO.
Simo.
I have seen this project presented at the MIT Kerberos Consortium board
of directors and it gave me goose bumps.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.