CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment


Re: cosign and kerberos

On 30 Sep 2005, at 09:22, Goldrick, Jim wrote:
Ok, after researching some more, I have come to the conclusion that cross-realm authentication in itself won't do the trick.

Why does cross-realm authN not help you?

1. Add COSIGNKRB5REALMS to config.h
2. modify login.c to get the COSIGNKRB5REALMS, my thinking is a comma-delimited list. Also modify it so that if there is a list, process in cosign_login_krb by setting the default realm n number of times.

The CGI would need to know which realm the user had selected. There's no form element currently for that field. You could have the user type user@REALM, but the CGI currently interprets anything with an @ symbol as a Friend account. If you wanted a drop down list, you'd need to add that to the list of fields the CGI pays attention to.

cosign_login_krb5() always selects the default realm. If you accept a realm from the form, you'll need to pass it to cosign_login_krb5(). You don't necessarily need to modify config.h for realm support. You can build kerberos so that only realms configured in /etc/krb5.conf work.

A question is can I just process the if block in cosign_login_krb5 multiple times without having to do anything else?

    if (( kerror = krb5_get_init_creds_password( kcontext, &kcreds,
            kprinc, passwd, NULL, NULL, 0, NULL /* keytab */, &kopts ))) {

kprinc is created by parsing the ID from the form. You'll need to create a different kprinc each time you call this routine. Other than that, the answer is "probably". :)

3. If this works possibly check the COSIGNKRB5REALMS for inclusion in krb5_get_host_realm?

Not sure what you mean.

CosignTicketPrefix [ the path to the Kerberos ticket store ]

This is the directory where the CGI & daemon store the user's kerberos tickets.

    CosignGetKerberosTickets    [ on | off ]
        module asks for tgt from cosignd

This causes the filter to request a user's kerberos ticket.

    CosignKerberos524        [ on | off ]
        whether you want K5 tgt converted to K4 tgt

This seems pretty self-explanatory to me. You're probably not running Kerberos 4, so it doesn't really matter. Do you have a specific question?

    CosignKerberosSetupGSS        [ on | off ]
        setup the environment so that other apache modules
        that need GSSAPI/Kerberos work. e.g. IMP running under mod_php

Specific question?

    CosignGetProxyCookies    [ on | off ]
        module asks for proxy cookies from cosignd

These are like Kerberos proxy tickets, only they are good for cosign protected services. An application that proxies another cosign protected service might request these proxy cookies. We added this option for people interested in a portal that would proxy cosign protected applications.
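The multi-realm login loop sketched in the thread (a configured COSIGNKRB5REALMS list, a fresh user@REALM principal per attempt, and the rule that an ID containing '@' is not a Kerberos login), written out as an added example that is not cosign's own code. The KDC round trip is replaced by a constructed callback standing in for krb5_get_init_creds_password(); the realm names and the jdoe account are constructed sample values.

```c
#include <stdio.h>
#include <string.h>
#define MAX_REALMS 8
#define REALM_LEN 64

/* Stands in for the krb5_get_init_creds_password() round trip; 0 = success. */
typedef int (*krb_auth_fn)(const char *principal, const char *password);

/* Split a comma-delimited COSIGNKRB5REALMS value into realms[]; returns the
 * count, or -1 on an empty, oversized or too-numerous entry. */
int parse_realm_list(const char *list, char realms[][REALM_LEN], int max)
{
    int n = 0;
    const char *p = list;
    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len == 0 || len >= REALM_LEN || n == max) return -1;
        memcpy(realms[n], p, len);
        realms[n++][len] = '\0';
        if (comma == NULL) break;
        p = comma + 1;
    }
    return n;
}

/* Try the password against each configured realm, building a fresh user@REALM
 * principal per attempt. Returns the index of the realm that accepted it
 * (principal left in matched_princ) or -1; each miss is one more KDC attempt. */
int login_multi_realm(const char *login, const char *password,
                      const char *realm_list, krb_auth_fn auth,
                      char *matched_princ, size_t princ_len)
{
    char realms[MAX_REALMS][REALM_LEN];
    int n, i;
    /* The CGI treats an ID containing '@' as a Friend account, so the realm
     * must come from the configured list, never from the typed login. */
    if (*login == '\0' || strchr(login, '@') != NULL) return -1;
    if ((n = parse_realm_list(realm_list, realms, MAX_REALMS)) <= 0) return -1;
    for (i = 0; i < n; i++) {
        snprintf(matched_princ, princ_len, "%s@%s", login, realms[i]);
        if (auth(matched_princ, password) == 0) return i;
    }
    matched_princ[0] = '\0';
    return -1;
}

/* Constructed stand-in KDC: exactly one principal/password pair is valid. */
static int fake_kdc_auth(const char *principal, const char *password)
{
    return (strcmp(principal, "jdoe@ENG.EXAMPLE.EDU") == 0 &&
            strcmp(password, "correct-horse") == 0) ? 0 : 1;
}
```

Note that a wrong password now costs one failed pre-authentication per configured realm, which matters for KDC lockout policies and for anyone reading the KDC logs.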


Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010