On Mar 4, 2014, at 7:26 AM, Matt Snell <msn...@brandeis.edu> wrote:
> Hello,
>
> I'm implementing a second factor and would like to confirm that I'm not
> missing something important.
>
> On my cosignhost, I have a second factor configured that simply checks a
> group to determine if the user is a member (based on the login provided):
>
> factor /var/cosign/scripts/cosign-validgroup -2 login
>
> ...My concern centers around a potentially "misconfigured" client machine,
> one with CosignProtected content that doesn't specify the second
> CosignRequireFactor (or any CosignRequireFactor for that matter). Is it
> possible for that client to bypass the second factor? In my limited testing,
> the second factor always seems to be processed but I'd appreciate
> confirmation.
Cosign factors are tied to the form input fields sent by the browser. Your "factor" configuration line above says the cosign-validgroup factor should be executed any time the user submits a form with the "login" input field in it, which is required with every authentication attempt, including reauth.

andrew
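
A simplified model of the behaviour described in the reply above, as an added example that is not part of the original thread and not Cosign's own code. It assumes a factor runs when every form field named on its line is present and non-empty in the submitted form; the `example-otp` path and the `otp` and `password` field names are hypothetical.

```python
import shlex

# Constructed sample config; only the first factor line comes from the post.
SAMPLE_CONF = """
factor /var/cosign/scripts/cosign-validgroup -2 login
factor /var/cosign/scripts/example-otp -2 login otp   # hypothetical factor
"""


def parse_factors(conf_text):
    """Parse lines of the form: factor <path> [-2] <field> [<field> ...]."""
    factors = []
    for raw in conf_text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens or tokens[0] != "factor":
            continue
        if len(tokens) < 3:
            raise ValueError(f"factor line needs a path and a field: {raw!r}")
        path, rest = tokens[1], tokens[2:]
        second = rest[0] == "-2"          # -2 marks the line as a second factor
        fields = rest[1:] if second else rest
        if not fields:
            raise ValueError(f"factor line names no form fields: {raw!r}")
        factors.append({"path": path, "second": second, "fields": fields})
    return factors


def factors_triggered(factors, form):
    """Return the factor paths selected by a submitted login form.

    Selection depends only on the form fields the browser sent. Nothing about
    the client service (such as its CosignRequireFactor setting) is an input.
    """
    return [f["path"] for f in factors
            if all(form.get(name) for name in f["fields"])]


FACTORS = parse_factors(SAMPLE_CONF)

if __name__ == "__main__":
    # Constructed form submissions: a plain login/reauth, then one with an OTP.
    for form in ({"login": "alice", "password": "pw"},
                 {"login": "alice", "password": "pw", "otp": "123456"}):
        print(sorted(form), "->", factors_triggered(FACTORS, form))
```
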
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss