Hey all,

So we think we may have stumbled upon an issue with 2nd factor authentication. Either that, or our config (or understanding) is incorrect.

We currently use Cosign to authenticate a la Kerberos to our AD. However, we have accounts in AD that we do not want to be able to log in, so we've created a 2nd factor authentication script to check a second database. Basically, you have to authenticate to AD -- AND be on that second list. Configuration is as follows in /etc/cosign.conf:

    factor /var/cosign/scripts/cosign-secondcheck -2 login

At first glance, everything works as expected. If you log in using a valid username/password, with that username also existing in the 2nd database checked via the factor script, you're all set.

If you log in using a valid username/password, but that username *DOES NOT* exist in the 2nd database checked via the factor script, the script does indeed return 1 with an error message; that error message is appropriately displayed on our login page, which acts as if you haven't logged in correctly. *HOWEVER*, a cosign cookie for that user is still placed in /var/cosign/daemon/. As a result, our services protected by Cosign will still let that user in if they revisit the Cosign-protected page again directly, because it believes they have correctly authenticated.

Is this a bug in Cosign? Or are we doing something wrong? For example, do we need to have all of our filters on each server utilizing Cosign specify that we require this 2nd factor as well as the first? Or is our understanding of 2nd factor authentication with regard to Cosign way off?

Any help would be greatly appreciated. Thanks.
--
Joshua West
Senior Systems Engineer
Brandeis University
http://www.brandeis.edu

Cosign-discuss mailing list
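The post above describes a factor script that consults a second list of permitted logins and returns 1 with an error message when the user is absent. The script below is an added example written for this thread, not the poster's cosign-secondcheck script and not code from the Cosign project. The calling convention is an assumption made for illustration (login name passed as the first argument, factor name printed on success, error message and non-zero exit on failure); check it against the cosign.conf documentation for the factor directive before reusing it. The allow-list contents are constructed sample data so the script runs offline. Two details matter for a check like this: matching whole lines only, so that a list entry "bob" does not also satisfy the check for "bobby", and normalizing the login (lowercase, Kerberos realm stripped) so the comparison is consistent with AD's case-insensitive names.

```shell
#!/bin/sh
# Added example, not the original cosign-secondcheck script. Interface assumed:
# argv[1] is the login name; print the satisfied factor name ("login") on
# stdout and exit 0, or print an error and exit 1 when the check fails.

# Constructed allow-list: one permitted login per line (sample data only).
ALLOWLIST="${COSIGN_ALLOWLIST:-${TMPDIR:-/tmp}/cosign-secondcheck-allowlist.txt}"
printf 'alice\nbob\ncarol\n' > "$ALLOWLIST"

# secondcheck LOGIN
#   Returns 0 and prints "login" when LOGIN is in the allow-list,
#   otherwise prints an error on stderr and returns 1.
secondcheck() {
    # Normalize: lowercase, and strip a Kerberos realm suffix (alice@EXAMPLE.EDU).
    login=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    login=${login%%@*}

    if [ -z "$login" ]; then
        echo "second factor: empty login" >&2
        return 1
    fi

    # -F fixed string, -x whole line, -i case-insensitive, -q quiet.
    # Whole-line matching prevents "bob" from satisfying a check for "bobby".
    if grep -qixF -- "$login" "$ALLOWLIST"; then
        echo "login"
        return 0
    fi

    echo "second factor: $login is not in the authorized list" >&2
    return 1
}

# When invoked as the factor program, the login arrives as the first argument.
if [ -n "${1:-}" ]; then
    secondcheck "$1"
    exit $?
fi
```

Whichever interface the factor program actually uses, the point the thread raises still applies on the service side: a factor that the login server verifies only helps a protected application if that application's filter is configured to require the factor, so the script's result should be checked together with each filter's factor requirement rather than on its own.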
