[Cosign-discuss] cosign pam module?

2013-08-01 Thread Liam Hoekenga
Hey folks -

I know this might seem like a silly idea, but I don't suppose that
someone's written a PAM module that authenticates using cosign?

We're using Cosign to be the authentication provider for our shib
installation.  One of the shibboleth endpoints (ECP) is for providing
shibboleth based authentication to non-browser based applications.
That endpoint needs to present itself as Basic Auth.   Our cosign
installation primarily authenticates against kerberos, and our LDAP
servers do simple binds against kerberos, so I /could/ protect the ECP
endpoint using mod_auth_kerb or mod_authnz_ldap.. but I was trying to
figure out if I could do something that would authenticate against
cosign itself - so it was backend agnostic (so it would also support
Friend logins).

I don't want to permit the friend database more broadly than it is
currently, nor do I wish to expose the connection information for the
friend database beyond our cosign servers.  So, it seems like the best
tactic would be to authenticate directly against cosign (and PAM came
to mind.. probably for use w/ mod_auth_external..)

suggestions?

Liam

___
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss


Re: [Cosign-discuss] cosign pam module?

2013-08-01 Thread Andrew Mortensen

On Aug 1, 2013, at 12:07 PM, Liam Hoekenga li...@umich.edu wrote:

> Hey folks -
>
> I know this might seem like a silly idea, but I don't suppose that
> someone's written a PAM module that authenticates using cosign?

It's actually not that far-fetched, given that we've already written the 
Michigan SSO iPhone app, which wraps cosign authentication in a similar way. It 
could probably be done fairly quickly with libcurl as the vehicle for authN 
over https. 

andrew


 


