Re: [Cosign-discuss] Second factor clarification
On Mar 4, 2014, at 7:26 AM, Matt Snell wrote:

> Hello,
>
> I'm implementing a second factor and would like to confirm that I'm not
> missing something important.
>
> On my cosignhost, I have a second factor configured that simply checks a
> group to determine if the user is a member (based on the login provided):
>
> factor /var/cosign/scripts/cosign-validgroup -2 login
>
> ...My concern centers around a potentially "misconfigured" client machine,
> one with CosignProtected content that doesn't specify the second
> CosignRequireFactor (or any CosignRequireFactor for that matter). Is it
> possible for that client to bypass the second factor? In my limited testing,
> the second factor always seems to be processed but I'd appreciate
> confirmation.

Cosign factors are tied to the form input fields sent by the browser. Your "factor" configuration line above says the cosign-validgroup factor should be executed any time the user submits a form with the "login" input field in it, which is required with every authentication attempt, including reauth.

andrew

Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
[Cosign-discuss] Second factor clarification
Hello,

I'm implementing a second factor and would like to confirm that I'm not missing something important.

On my cosignhost, I have a second factor configured that simply checks a group to determine if the user is a member (based on the login provided):

factor /var/cosign/scripts/cosign-validgroup -2 login

Based on my understanding of the docs, this second factor will always be checked because we'll always have "login" from the posted form. It shouldn't matter whether the user is re-directed to the cosignhost (by visiting CosignProtected content) or if the user visits the cosignhost directly and logs in. If that is true, is there any situation where this factor wouldn't be checked following a successful first factor?

My concern centers around a potentially "misconfigured" client machine, one with CosignProtected content that doesn't specify the second CosignRequireFactor (or any CosignRequireFactor for that matter). Is it possible for that client to bypass the second factor? In my limited testing, the second factor always seems to be processed but I'd appreciate confirmation.

Matt