cosign-discuss at umich.edu
general discussion of cosign development and deployment
multiple cosign configuration and runtime issues
I've had some time in the past few days to work on getting cosign 1.7.0
installed and working (as both a weblogin server and a client) on a
Fedora Core 2 host running a Fedora stock apache2 (2.0.51-2.7). OpenSSL
and MIT krb5 are both theoretically recent enough (openssl-0.9.7a-35 and
krb5-*-1.3.4-6). I know the apache2 stuff isn't used at UofM, but it
looks like a few others on this list are using it, so I thought I'd give
it a try.
And at this point I'm able to log in with my krb5 password at the
main page on the weblogin server, I'm redirected to /services and am
successfully granted the appropriate cookie. The cosign daemon gets a
TGT for me in /ticket... So far so good. I've got two cookies ("cosign"
and "cosign-services", the latter being correctly determined from the
value of CosignService for the /services location).
On to the issues....
When I try to logout something funny happens, apache gives me an
"internal error page" and in my apache errorlog I see:
/usr/local/cosign/certs/weblogin.reed.edu.key: No such file or directory
My CosignCrypto looks like this:
CosignCrypto /var/cosign/certs/key.pem /var/cosign/certs/cert.pem /var/cosign/certs/CA
Shouldn't mod_cosign be looking for /var/cosign/certs/key.pem?
Quite possibly I'm misunderstanding the meaning of CosignCrypto!
So I tried playing along and started making some symlinks so that
/var/cosign/certs/key.pem was linked to
/usr/local/cosign/certs/weblogin.reed.edu.key (ditto with the cert).
This gets me a little further, but then I hit the next issue.
My cert isn't verifying. Stracing httpd I find that it thinks
the CAdir is /usr/share/ssl/cert.pem! (i.e. it's looking for
/usr/share/ssl/cert.pem/ddc328ff.0 and naturally not finding it). I
don't find the string "/usr/share/ssl/cert.pem" anywhere in cosign, but
I do see it in OpenSSL's "libcrypto.so", presumably it's a hard coded
default that's not getting overridden by any other setting.
Playing along again I make /usr/share/ssl/cert.pem a link to
/var/cosign/certs/CA/ (a directory that contains my cacerts and the hash
links to each of them). This gets me just a little further. But logout
still fails with apache's errorlog reporting:
net_logout: 511 LOGOUT: Invalid cookie name.
and cosignd reporting to syslog:
cosignd: f_logout: cookie name contains '/'
And indeed the cookie name *does* include a / (two of them actually).
Here's the debug (slightly edited) output from cosignd:
So I'm not sure if there are many problems here or just a single one.
Do any of these issues look familiar to anyone?
Any suggestions would be gratefully appreciated!
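The last failure above is cosignd refusing a cookie whose name contains '/'. As an added illustration (my own example, not cosign's code, and not a statement of exactly which characters cosignd checks beyond the '/' it logs), here is a small checker that splits a Cookie header into name/value pairs and rejects any name that is not an RFC 6265 token, i.e. that contains a separator such as '/', ';' or '='. The sample header is constructed; the "cosign" and "cosign-<service>" names mirror the two cookies described in the post.

```python
import re
from typing import Dict, List, Tuple

# RFC 6265 "token" (via RFC 2616): visible ASCII (0x21-0x7E), excluding separators.
# A '/' is a separator, which is why a name containing one is never a valid token.
_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def is_valid_cookie_name(name: str) -> bool:
    """Return True if `name` is a syntactically valid cookie-name token."""
    if not name:
        return False
    for ch in name:
        code = ord(ch)
        if code < 0x21 or code > 0x7E or ch in _SEPARATORS:
            return False
    return True


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a Cookie request header into (name, value) pairs.

    Only the first '=' separates name from value, so values may contain '='.
    Empty segments (e.g. a trailing ';') are skipped.
    """
    pairs: List[Tuple[str, str]] = []
    for segment in header.split(';'):
        segment = segment.strip()
        if not segment:
            continue
        name, _, value = segment.partition('=')
        pairs.append((name.strip(), value.strip()))
    return pairs


def check_cookie_header(header: str, prefix: str = "cosign") -> Dict[str, List[str]]:
    """Classify cookie names: accepted tokens with the expected prefix vs rejected.

    `prefix` is an assumption for this example: cosign's cookies are expected to be
    named "cosign" or "cosign-<service>", so anything else is flagged as foreign.
    """
    accepted: List[str] = []
    rejected: List[str] = []
    foreign: List[str] = []
    expected = re.compile(r'^' + re.escape(prefix) + r'(-[A-Za-z0-9_.-]+)?$')
    for name, _value in parse_cookie_header(header):
        if not is_valid_cookie_name(name):
            rejected.append(name)          # would trigger "cookie name contains '/'"
        elif not expected.match(name):
            foreign.append(name)           # valid token, but not a cosign cookie
        else:
            accepted.append(name)
    return {"accepted": accepted, "rejected": rejected, "foreign": foreign}


if __name__ == "__main__":
    # Constructed sample: two good cosign cookies, one session cookie from another app,
    # and one malformed name carrying a path-like '/' that cosignd would reject.
    sample = "cosign=abc123; cosign-services=def456; PHPSESSID=xyz; cosign-services/foo/bar=ghi"
    print(check_cookie_header(sample))
```

Running the block prints which names are accepted, which are syntactically invalid, and which are valid but not cosign's. Checking the name on the web-server side before handing it to cosignd gives a clearer error in the apache log than the 511 seen above, and keeps a malformed name from ever reaching the daemon.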