Re: [Freeipa-users] unable to logout of IPA
On 09/08/2012 02:05 AM, Dmitri Pal wrote:
> On 07/27/2012 10:30 AM, Petr Spacek wrote:
>> On 07/27/2012 03:28 PM, John Dennis wrote:
>>> On 07/27/2012 02:06 AM, Dan Scott wrote:
>>>> Hi,
>>>>
>>>> I'm not sure if this is relevant, but Firefox preserves session
>>>> cookies across browser restarts. This was discussed on the Security
>>>> Now! podcast recently:
>>>>
>>>> http://www.grc.com/sn/sn-360.htm
>>>>
>>>> Search for 'sessionstore' and read a little before and after.
>>>>
>>>> Are session cookies relevant for kerberos authentication?
>>>
>>> It's only tangentially relevant. IPA does use session cookies. IPA
>>> logout destroys the session on the server making the session cookie
>>> stored in the browser invalid.
>>>
>>> However, SSO (Single Sign-On) continues to work as it's supposed to.
>>> As long as you have valid credentials in your kerberos cache you'll be
>>> automatically logged in (albeit with a brand new session and session
>>> cookie). All this is by design.
>>>
>>> You can logout of IPA which destroys your session, but unless you also
>>> destroy your credentials the automatic SSO process will be applied the
>>> next time you visit the web UI.
>>
>> Would it be possible to add "login as another user" functionality? I
>> mean "destroy session && ignore any Kerberos tickets && start
>> form-based auth"?
>>
>> IMHO it could be handy, at least for demonstration purposes.
>
> Please log a ticket.

https://fedorahosted.org/freeipa/ticket/3064

Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] unable to logout of IPA
On 07/27/2012 10:30 AM, Petr Spacek wrote:
> On 07/27/2012 03:28 PM, John Dennis wrote:
>> On 07/27/2012 02:06 AM, Dan Scott wrote:
>>> Hi,
>>>
>>> I'm not sure if this is relevant, but Firefox preserves session
>>> cookies across browser restarts. This was discussed on the Security
>>> Now! podcast recently:
>>>
>>> http://www.grc.com/sn/sn-360.htm
>>>
>>> Search for 'sessionstore' and read a little before and after.
>>>
>>> Are session cookies relevant for kerberos authentication?
>>
>> It's only tangentially relevant. IPA does use session cookies. IPA
>> logout destroys the session on the server making the session cookie
>> stored in the browser invalid.
>>
>> However, SSO (Single Sign-On) continues to work as it's supposed to.
>> As long as you have valid credentials in your kerberos cache you'll be
>> automatically logged in (albeit with a brand new session and session
>> cookie). All this is by design.
>>
>> You can logout of IPA which destroys your session, but unless you also
>> destroy your credentials the automatic SSO process will be applied the
>> next time you visit the web UI.
>
> Would it be possible to add "login as another user" functionality? I
> mean "destroy session && ignore any Kerberos tickets && start
> form-based auth"?
>
> IMHO it could be handy, at least for demonstration purposes.

Please log a ticket.

> Petr^2 Spacek

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] unable to logout of IPA
On 07/27/2012 03:28 PM, John Dennis wrote:
> On 07/27/2012 02:06 AM, Dan Scott wrote:
>> Hi,
>>
>> I'm not sure if this is relevant, but Firefox preserves session
>> cookies across browser restarts. This was discussed on the Security
>> Now! podcast recently:
>>
>> http://www.grc.com/sn/sn-360.htm
>>
>> Search for 'sessionstore' and read a little before and after.
>>
>> Are session cookies relevant for kerberos authentication?
>
> It's only tangentially relevant. IPA does use session cookies. IPA
> logout destroys the session on the server making the session cookie
> stored in the browser invalid.
>
> However, SSO (Single Sign-On) continues to work as it's supposed to.
> As long as you have valid credentials in your kerberos cache you'll be
> automatically logged in (albeit with a brand new session and session
> cookie). All this is by design.
>
> You can logout of IPA which destroys your session, but unless you also
> destroy your credentials the automatic SSO process will be applied the
> next time you visit the web UI.

Would it be possible to add "login as another user" functionality? I
mean "destroy session && ignore any Kerberos tickets && start
form-based auth"?

IMHO it could be handy, at least for demonstration purposes.

Petr^2 Spacek
Re: [Freeipa-users] unable to logout of IPA
On 07/27/2012 02:06 AM, Dan Scott wrote:
> Hi,
>
> I'm not sure if this is relevant, but Firefox preserves session
> cookies across browser restarts. This was discussed on the Security
> Now! podcast recently:
>
> http://www.grc.com/sn/sn-360.htm
>
> Search for 'sessionstore' and read a little before and after.
>
> Are session cookies relevant for kerberos authentication?

It's only tangentially relevant. IPA does use session cookies. IPA
logout destroys the session on the server making the session cookie
stored in the browser invalid.

However, SSO (Single Sign-On) continues to work as it's supposed to.
As long as you have valid credentials in your kerberos cache you'll be
automatically logged in (albeit with a brand new session and session
cookie). All this is by design.

You can logout of IPA which destroys your session, but unless you also
destroy your credentials the automatic SSO process will be applied the
next time you visit the web UI.

--
John Dennis
Re: [Freeipa-users] unable to logout of IPA
What you're seeing is Kerberos single sign on in action. You might log
out of the web interface, but the next time you open firefox a new
automatic sign on by kerberos is happening.

If you kdestroy your kerberos credentials you can no longer access any
kerberized services, until you request new kerberos credentials.

You can check this by accessing the ipa web interface, run "klist", see
that there is a HTTP/your-ipa-server.fqdn. Run "kinit", then run "klist"
and all your tickets are gone. Access the IPA web interface again, run
klist and you'll see a HTTP/your-ipa-server.fqdn.

Kerberos single sign on in action. :)

Rgds,
Siggi

On Fri, July 27, 2012 06:39, Steven Jones wrote:
> So if I just click on logout, I should just logout as if I kdestroy'd?
>
> If so, when I do that why doesn't that "cleanup" occur?
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: Simo Sorce [s...@redhat.com]
> Sent: Friday, 27 July 2012 4:01 p.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] unable to logout of IPA
>
> On Fri, 2012-07-27 at 03:14 +, Steven Jones wrote:
>> When in IPA, when I click on the "logout" I expect to logout so I can
>> login as another user,
>>
>> ===
>> Logged In As: steven jones | Logout
>> ===
>>
>> Clicking on logout, and clearing history in Firefox and even closing
>> all instances of Firefox and restarting see me logged back in as my
>> adm account...
>>
>> So what do I need to do to flush? reboot my workstation?
>
> logout or manually run kdestroy
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
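The klist check described in this message, as an added example that is not part of the original thread: a POSIX shell helper that reads `klist` output and reports whether the browser can sign back in to the web UI on its own after a logout. The realm EXAMPLE.COM, the host ipa.example.com, the function names and the sample cache listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of MIT `klist` output after visiting the web UI.
# Realm, host, cache path and timestamps are made up.
sample_after_login() {
cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
07/27/12 09:00:01  07/28/12 09:00:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM
07/27/12 09:02:13  07/28/12 09:00:01  HTTP/ipa.example.com@EXAMPLE.COM
EOF
}

# Print the service principal of every ticket row (rows after the header).
# "renew until ..." continuation lines have fewer than 5 fields and are skipped.
service_principals() {
    awk 'hdr && NF >= 5 { print $NF } /Service principal/ { hdr = 1 }'
}

# Usage: klist 2>/dev/null | sso_state <ipa-host>
#   sso-ready       HTTP/<ipa-host> ticket cached: web UI logout will not stick
#   tgt-only        TGT cached: the browser can silently obtain the HTTP ticket
#   no-credentials  empty cache: no automatic sign-on until new credentials
sso_state() {
    host=$1
    state=no-credentials
    for p in $(service_principals); do
        case $p in
            "HTTP/$host@"*) state=sso-ready; break ;;
            krbtgt/*)       state=tgt-only ;;
        esac
    done
    echo "$state"
}

# The three cache states, using the constructed sample:
sample_after_login | sso_state ipa.example.com                   # after visiting the web UI
sample_after_login | grep -v 'HTTP/' | sso_state ipa.example.com # TGT only
printf '' | sso_state ipa.example.com                            # empty cache (after kdestroy)
```

Only the last state leaves the web UI logout in effect; in the other two a valid credential cache lets SSO create a new session on the next visit.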
Re: [Freeipa-users] unable to logout of IPA
Hi,

I'm not sure if this is relevant, but Firefox preserves session
cookies across browser restarts. This was discussed on the Security
Now! podcast recently:

http://www.grc.com/sn/sn-360.htm

Search for 'sessionstore' and read a little before and after.

Are session cookies relevant for kerberos authentication?

Maybe you could try a different browser to see if logging out works.

Thanks,

Dan

On Thu, Jul 26, 2012 at 9:39 PM, Steven Jones wrote:
> So if I just click on logout, I should just logout as if I kdestroy'd?
>
> If so, when I do that why doesn't that "cleanup" occur?
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: Simo Sorce [s...@redhat.com]
> Sent: Friday, 27 July 2012 4:01 p.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] unable to logout of IPA
>
> On Fri, 2012-07-27 at 03:14 +, Steven Jones wrote:
>> When in IPA, when I click on the "logout" I expect to logout so I can
>> login as another user,
>>
>> ===
>> Logged In As: steven jones | Logout
>> ===
>>
>> Clicking on logout, and clearing history in Firefox and even closing
>> all instances of Firefox and restarting see me logged back in as my
>> adm account...
>>
>> So what do I need to do to flush? reboot my workstation?
>
> logout or manually run kdestroy
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] unable to logout of IPA
So if I just click on logout, I should just logout as if I kdestroy'd?

If so, when I do that why doesn't that "cleanup" occur?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Simo Sorce [s...@redhat.com]
Sent: Friday, 27 July 2012 4:01 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] unable to logout of IPA

On Fri, 2012-07-27 at 03:14 +, Steven Jones wrote:
> When in IPA, when I click on the "logout" I expect to logout so I can
> login as another user,
>
> ===
> Logged In As: steven jones | Logout
> ===
>
> Clicking on logout, and clearing history in Firefox and even closing
> all instances of Firefox and restarting see me logged back in as my
> adm account...
>
> So what do I need to do to flush? reboot my workstation?

logout or manually run kdestroy

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] unable to logout of IPA
On Fri, 2012-07-27 at 03:14 +, Steven Jones wrote:
> When in IPA, when I click on the "logout" I expect to logout so I can
> login as another user,
>
> ===
> Logged In As: steven jones | Logout
> ===
>
> Clicking on logout, and clearing history in Firefox and even closing
> all instances of Firefox and restarting see me logged back in as my
> adm account...
>
> So what do I need to do to flush? reboot my workstation?

logout or manually run kdestroy

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] unable to logout of IPA
When in IPA, when I click on the "logout" I expect to logout so I can
login as another user,

===
Logged In As: steven jones | Logout
===

Clicking on logout, and clearing history in Firefox and even closing
all instances of Firefox and restarting see me logged back in as my
adm account...

So what do I need to do to flush? reboot my workstation?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272