cosign-discuss at umich.edu | general discussion of cosign development and deployment
Something else I was thinking about and forgot to ask (my son was bugging me to take him somewhere). Anyway, is the REMOTE_REALM env variable set by cosign the kerberos realm? If so, would it be extremely difficult to modify the filter to do some authz by putting in a CosignRealm REALM1.EDU directive into the directory section of the apache conf files? How about a separate module?

thanks much!
jim

-----Original Message-----
From: Wesley Craig [mailto:wes@xxxxxxxxx]
Sent: Friday, September 30, 2005 5:30 PM
To: Goldrick, Jim
Cc: cosign-discuss
Subject: Re: cosign and kerberos

On 30 Sep 2005, at 09:22, Goldrick, Jim wrote:
> Ok, after researching some more, I have come to the conclusion that
> cross-realm authentication in itself won't do the trick.

Why does cross-realm authN not help you?

> 1. Add COSIGNKRB5REALMS to config.h
> 2. modify login.c to get the COSIGNKRB5REALMS, my thinking is a
> comma-delimited list. Also modify it that if there is a list,
> process in cosign_login_krb by setting the default realm n number
> of times.

The CGI would need to know which realm the user had selected. There's no form element currently for that field. You could have the user type user@REALM, but the CGI currently interprets anything with an @ symbol as a Friend account. If you wanted a drop down list, you'd need to add that to the list of fields the CGI pays attention to.

cosign_login_krb5() always selects the default realm. If you accept a realm from the form, you'll need to pass it to cosign_login_krb5().

You don't necessarily need to modify config.h for realm support. You can build kerberos so that only realms configured in /etc/krb5.conf work.

> A question is can I just process the if block in cosign_login_krb5
> multiple times without having to do anything else?
>
> if (( kerror = krb5_get_init_creds_password( kcontext, &kcreds,
> kprinc, passwd, NULL, NULL, 0, NULL /*keytab */,
> &kopts ))) {

kprinc is created by parsing the ID from the form. You'll need to create a different kprinc for each time you call this routine. Other than that, the answer is "probably". :)

> 3. If this works possibly check the COSIGNKRB5REALMS for inclusion
> in krb5_get_host_realm?

Not sure what you mean.

> CosignTicketPrefix [ the path to the Kerberos ticket store ]

This is the directory where the CGI & daemon store the user's kerberos tickets.

> CosignGetKerberosTickets [ on | off ]
> module asks for tgt from cosignd

This causes the filter to request a user's kerberos ticket.

> CosignKerberos524 [ on | off ]
> whether you want K5 tgt converted to K4 tgt

This seems pretty self-explanatory to me. You're probably not running Kerberos 4, so it doesn't really matter. Do you have a specific question?

> CosignKerberosSetupGSS [ on | off ]
> setup the environment so that other apache modules
> that need GSSAPI/Kerberos work. e.g. IMP running under mod_php

Specific question?

> CosignGetProxyCookies [ on | off ]
> module asks for proxy cookies from cosignd

These are like Kerberos proxy tickets, only they are good for cosign protected services. An application that proxies another cosign protected service might request these proxy cookies. We added this option for people interested in a portal that would proxy cosign protected applications.

:wes
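An added illustration of the per-realm loop discussed above; this is not cosign's code and not from either poster. Each attempt builds its own principal string, an ID already containing '@' is refused because the CGI would read it as a Friend account, and the krb5_get_init_creds_password() call is replaced by a hypothetical callback type kdc_auth_fn with a constructed stand-in KDC so the file compiles without libkrb5.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup, strtok_r */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for a krb5_get_init_creds_password() attempt:
 * returns 0 when the KDC issued credentials, non-zero (kerror) otherwise. */
typedef int (*kdc_auth_fn)(const char *princ, const char *passwd);

/* Build "id@REALM" into out. An id that already contains '@' is refused:
 * the cosign CGI treats such IDs as Friend accounts, so a server-chosen
 * realm must never be appended to user text that already carries one. */
int build_principal(const char *id, const char *realm, char *out, size_t outlen)
{
    if (id == NULL || realm == NULL || *id == '\0' || *realm == '\0' ||
        strchr(id, '@') != NULL)
        return -1;
    if (snprintf(out, outlen, "%s@%s", id, realm) >= (int)outlen)
        return -1;                        /* would have been truncated */
    return 0;
}

/* Walk a comma-delimited realm list (COSIGNKRB5REALMS style), trying the
 * password with a fresh principal per realm. Returns 0 and copies the realm
 * that accepted the login into matched; -1 if none did or input was bad. */
int login_across_realms(const char *realms, const char *id, const char *passwd,
                        kdc_auth_fn auth, char *matched, size_t mlen)
{
    char *list = realms ? strdup(realms) : NULL, *save = NULL, *realm, princ[256];
    int rc = -1;
    if (list == NULL) return -1;
    for (realm = strtok_r(list, ",", &save); realm != NULL;
         realm = strtok_r(NULL, ",", &save)) {
        while (*realm == ' ') realm++;                /* tolerate "A.EDU, B.EDU" */
        if (build_principal(id, realm, princ, sizeof princ) != 0)
            break;                                    /* bad id: no point retrying */
        if (auth(princ, passwd) == 0) {               /* kerror == 0: creds obtained */
            snprintf(matched, mlen, "%s", realm);
            rc = 0;
            break;
        }
    }
    free(list);
    return rc;
}

/* Constructed stand-in KDC: only jim@REALM2.EDU with password "s3cret" is valid. */
int fake_kdc(const char *princ, const char *passwd)
{
    return (strcmp(princ, "jim@REALM2.EDU") == 0 && strcmp(passwd, "s3cret") == 0) ? 0 : 1;
}
```

Note that each realm in the list costs one KDC round trip with the user's password, so a long list both slows logins and multiplies failed-authentication events on every KDC involved.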