On Tue, 2014-06-17 at 23:14 +0000, Nordgren, Bryce L -FS wrote:
> When thinking about gateways and what Ipsilon may do, I came across this
> thesis:
>
> https://davidben.net/thesis.pdf
>
> and source
>
> https://github.com/davidben/webathena
>
> His approach to unifying web and non-web technologies was to build
> gateways for non-web services such that browser based clients could be
> written without changing the server side.
>
> I'm not sold on that approach. However, the source repository includes
> a browser-based javascript implementation of the Kerberos protocol and
> a python gateway to a KDC. Users can kinit from the browser the way
> Kerberos intended (password does not go over the wire).
>
> Is it possible to do a pure-javascript, all browser based kinit/spnego
> so that users don't have to pop out to the command line to kinit? One
> still would not have the ability to ssh into a console after doing an
> in-browser kinit, but all the websites in the target domain should
> recognize the credentials.
>
> Worthwhile or dumb?

Where does the javascript come from? How do you trust it is not going to send your password somewhere? How do you trust another bug in the browser will not allow another "tab" to read the memory of the browser including your password or TGT?

There is a good reason crypto and keys on one side and javascript on the other should not come in contact, IMO.

Simo.

--
Simo Sorce * Red Hat, Inc * New York