[Freeipa-users] Ipsilon and WebAthena
When thinking about gateways and what Ipsilon may do, I came across this thesis: https://davidben.net/thesis.pdf and source https://github.com/davidben/webathena His approach to unifying web and non-web technologies was to build gateways for non-web services such that browser based clients could be written without changing the server side. I'm not sold on that approach. However, the source repository includes a browser-based javascript implementation of the Kerberos protocol and a python gateway to a KDC. Users can kinit from the browser the way Kerberos intended (password does not go over the wire). Is it possible to do a pure-javascript, all browser based kinit/spnego so that users don't have to pop out to the command line to kinit? One still would not have the ability to ssh into a console after doing an in-browser kinit, but all the websites in the target domain should recognize the credentials. Worthwhile or dumb? Bryce This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately. ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Ipsilon and WebAthena
On Tue, 2014-06-17 at 23:14 +, Nordgren, Bryce L -FS wrote: When thinking about gateways and what Ipsilon may do, I came across this thesis: https://davidben.net/thesis.pdf and source https://github.com/davidben/webathena His approach to unifying web and non-web technologies was to build gateways for non-web services such that browser based clients could be written without changing the server side. I'm not sold on that approach. However, the source repository includes a browser-based javascript implementation of the Kerberos protocol and a python gateway to a KDC. Users can kinit from the browser the way Kerberos intended (password does not go over the wire). Is it possible to do a pure-javascript, all browser based kinit/spnego so that users don't have to pop out to the command line to kinit? One still would not have the ability to ssh into a console after doing an in-browser kinit, but all the websites in the target domain should recognize the credentials. Worthwhile or dumb? Where does the javascript come from ? How do you trust it is not going to send your password somewhere ? How do you trust another bug in the browser will not allow another tab top read the memory of the browser including your password or TGT ? There is a good reason crypto and keys on one side and javascript on the other should not come in contact, IMO. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users