Andrew Mortensen wrote:
>
> On Feb 25, 2009, at 3:56 PM, Joshua West wrote:
>
>> Hey all,
>>
>> So we think we may have stumbled upon an issue with 2nd factor authentication. Either that, or our config (or understanding) is incorrect.
>>
>> We currently use Cosign to authenticate a la Kerberos to our AD. However, we have accounts in AD that we do not want to be able to log in, so we've created a 2nd factor authentication script to check a second database. Basically, you have to authenticate to AD -- AND be on that second list.
>>
>> Configuration is as follows in /etc/cosign.conf:
>>
>> factor /var/cosign/scripts/cosign-secondcheck -2 login
>>
>> At first glance, everything works as expected.
>>
>> If you log in using a valid username/password, with that username also existing in the 2nd database checked via the factor script, you're all set.
>>
>> If you log in using a valid username/password, but that username *DOES NOT* exist in the 2nd database checked via the factor script, the script does indeed return 1 with an error message; that error message is appropriately displayed on our login page, which acts as if you haven't logged in correctly.
>>
>> *HOWEVER*
>>
>> A cosign cookie for that user is still placed in /var/cosign/daemon/. As a result, our services protected by Cosign will still let that user in, if they revisit the Cosign protected page again directly, because it believes they have correctly authenticated.
>>
>> Is this a bug in Cosign? Or are we doing something wrong? For example, do we need to have all of our filters on each server utilizing Cosign specify that we require this 2nd factor as well as the first? Or is our understanding of 2nd factor authentication with regard to Cosign way off?
>
> Are you specifying CosignRequireFactor in the Apache (or IIS or Java) configuration for the web service you're trying to protect? If not, mod_cosign will let them in.
Nope, not using the CosignRequireFactor Apache directive. Is this something available in 1.9.4* or is it a directive only for 2.0.x?

--
Joshua West
Senior Systems Engineer
Brandeis University
http://www.brandeis.edu

_______________________________________________
Cosign-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
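To make the point in Andrew's reply concrete, here is an added example (not code from the thread or from the cosign distribution) of two Apache stanzas for a mod_cosign-protected service: the first relies on CosignProtected alone, which is the situation Joshua describes, and the second adds CosignRequireFactor so the filter refuses a session that carries only the first factor. The hostname, service name, key and certificate paths, and the factor names are assumptions: BRANDEIS.EDU stands in for whatever name the login server records for the Kerberos factor, and login is the second-factor name taken from the thread's "factor ... -2 login" line. Whether the installed filter version honors CosignRequireFactor at all is exactly the open question in Joshua's reply, so check the documentation for the version actually deployed.

```apache
# Before: the filter only checks that a valid cosign cookie exists. As
# reported in the thread, a cookie can exist for a user the -2 "login"
# factor rejected, so that user is admitted.
<Location /secure>
    AuthType        Cosign
    Require         valid-user
    CosignProtected On
    # assumed login-server hostname, service name and crypto material
    CosignHostname  weblogin.example.edu
    CosignService   cosign-secureapp
    CosignRedirect  https://weblogin.example.edu/
    CosignPostErrorRedirect https://weblogin.example.edu/post_error.html
    CosignCrypto    /etc/cosign/secureapp.key /etc/cosign/secureapp.crt /etc/cosign/CA
</Location>

# After: the filter also requires both factor names to be present on the
# session, so a session that satisfied only the AD password check is not
# let in and is sent back to the login server instead.
<Location /secure>
    AuthType        Cosign
    Require         valid-user
    CosignProtected On
    CosignHostname  weblogin.example.edu
    CosignService   cosign-secureapp
    CosignRedirect  https://weblogin.example.edu/
    CosignPostErrorRedirect https://weblogin.example.edu/post_error.html
    CosignCrypto    /etc/cosign/secureapp.key /etc/cosign/secureapp.crt /etc/cosign/CA
    # Factor names are assumptions: the first-factor name as recorded by the
    # login server, plus the second factor named in cosign.conf.
    CosignRequireFactor BRANDEIS.EDU login
</Location>
```

The directive has to appear in every filter configuration (each Location or virtual host) that must enforce the second check; a stanza without it still behaves like the first block, regardless of what the login server's factor script returned.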
