his issue but I'm looking forward to hearing if
> patches on GitHub will be considered.
>
> The repository is fairly pointless if not.
>
> Qais
>
> On Mon, 20 Aug 2018 at 21:24 Chris Hecker <mailto:chec...@d6.com>> wrote:
>
>
> I'm trying to upd
I'm trying to update my server that runs CoSign from httpd 2.2.x to
2.4.x, and I've got things building (there are several pull requests on
https://github.com/cosignweblogin/cosign to fix the minor build errors),
but I think I've found a more serious code bug:
Due to https://nvd.nist.gov/vuln/det
I'm hoping the answer is 'no' for my current application, but is there a
way for a user with a valid krb5 account on the kdc and a keytab file (or
TGT) for that account to log into cosign without knowing the password used
to make the key? In other words, there's no way to skip the plaintext
passwor
Mark Montague wrote:
> On 2014-07-09, 15:11, Chris Hecker wrote:
>> I just got burned by this on my own site, losing a forum post that took
>> me a while to write. How hard would it be to fix this issue, it really
>> sucks to lose the user's (read: my) data.
>
> The
:23, Chris Hecker wrote:
>> I would think the current post could be stuffed into the post_error.html
>> page (or its replacement) when it's generated, then carried across to
>> the login page, and then reposted, so it wouldn't require javascript at
>> all. I have
just a terrible user experience, so it'd be nice to fix it.
Chris
On 2014-07-09 13:10, Mark Montague wrote:
> On 2014-07-09, 15:11, Chris Hecker wrote:
>> I just got burned by this on my own site, losing a forum post that took
>> me a while to write. How hard would it be to fi
I just got burned by this on my own site, losing a forum post that took
me a while to write. How hard would it be to fix this issue, it really
sucks to lose the user's (read: my) data.
Chris
Also, this page should be deleted:
http://webapps.itcs.umich.edu/cosign/index.php/Real_Estate_in_Bayside
Chris
Selinux?
Chris
On Apr 28, 2014 3:47 PM, "Yadin Flammer" wrote:
> Hello all.
> So I have set up cosign tons of times, but suddenly I have a new system
> that I can't get working for some reason. It seems to be working except
> that when the valid response comes back from the redirect server th
Ah, good point, thanks!
Chris
On 2013-05-30 12:48, Russ Allbery wrote:
> Chris Hecker writes:
>
>> Okay, is there any reason this is a bad idea?
>
>> [root] /var/cosign# cat /etc/cron.hourly/cosign
>> #!/bin/bash
>> dirs=( /var/cosign/filter /var/cosign/daemon
r my site.
Is there any reason not to do this, assuming permissions and selinux
contexts are set correctly?
I was mostly just worried about somebody doing it, running that cleanup
file, and losing other stuff not in daemon, tickets, and filter.
Chris
On 2013-05-30 07:40, Mark Montague wrot
Oh, and the one in scripts/cron has a bug, it uses +1 instead of +0 for
-mtime. It also deletes everything under /var/cosign, which might be a
bit aggressive.
Chris
On 2013-05-29 15:27, Chris Hecker wrote:
>
> Okay, is there any reason this is a bad idea?
>
> [root] /var/cosi
15 05:19, Mark Montague wrote:
> On May 15, 2013 2:38 , Chris Hecker wrote:
>> I'm running cosignd and monster, and everything is working fine and has
>> been for years, but I just noticed the filter directory is filling up
>> with files. It's got 33k files in it alr
Ah, I figured that's what the monster process did, but I guess that only does
stuff on the central login stuff in daemon? Thanks, I'll check out the readme.
Chris
Mark Montague wrote:
On May 15, 2013 2:38 , Chris Hecker wrote:
> I'm running cosignd and monster, and eve
I'm running cosignd and monster, and everything is working fine and has
been for years, but I just noticed the filter directory is filling up
with files. It's got 33k files in it already, from the past couple
years, so I'm assuming things are never getting deleted. The daemon
directory has a
Have you gotten openssl s_client working with it for starters? I always
do that first to make sure things are working.
Chris
On 2013-04-15 22:47, George Francis wrote:
> I was able to resolve my previous issue regarding the message 'No
> trusted certificate found' but obtaining a self-signed r
be able to use
the krb5 feature underneath for the usual case.
Anyway, I feel like we've got the major points out. If I end up taking
a look and if there's a clean way to do this that preserves the POST and
everything, I'll send in a patch.
Chris
On 2012/11/27 15:13, Mark Montag
or cosign. Unless I'm missing something?
Chris
On 2012/11/27 12:47, Andrew Mortensen wrote:
> On Nov 27, 2012, at 3:00 PM, Chris Hecker wrote:
>
>>
>>> It's the difference between an authentication method and using a TGT
>>> to obtain service tickets.
>
assumption that -allow_tix on a princ will fail
a renew, I haven't tested it yet, but that'd be crazy if it didn't and
patch-worthy, but that's a different mailing list. :)
Chris
On 2012/11/27 11:42, Andrew Mortensen wrote:
>
> On Nov 27, 2012, at 2:08 PM, Chris Hecke
need fancy authz stuff like acls, just the
ability to ban somebody by setting -allow_tix and have that be respected
by everybody who's using krb5 to authenticate my users.
Chris
On 2012/11/27 11:56, Wesley Craig wrote:
> On 27 Nov 2012, at 14:08, Chris Hecker wrote:
>> In
>>
n to support.
I'll obviously contribute changes back if I make them.
Chris
On 2012/11/27 10:41, Mark Montague wrote:
> On November 27, 2012 12:57 , Chris Hecker wrote:
>>> If you get Kerberos tickets, then make sure that the default TGT and
>>> service ticket life
extra security but provides a worse user experience.
Chris
On 2012/11/27 07:11, Mark Montague wrote:
> On November 21, 2012 15:08 , Chris Hecker wrote:
>> I have a forum that uses cosign and kerberos, and every day people need
>> to log back in (I have 24 hour ticket lifetimes), but wo
I have a forum that uses cosign and kerberos, and every day people need
to log back in (I have 24 hour ticket lifetimes), but worse, if they are
in the middle of doing something and the ticket expires, they get kicked
to the login page as well, which is not great user experience.
Most websites ha
On step 3 (the failed login with no url parameters), do you have the
hidden ref field in the form (that's the place to redirect to on success)?
Chris
On 2012/05/29 11:00, Roque Gagliano (rogaglia) wrote:
> Hi Andrew,
>
> On May 29, 2012, at 5:48 PM, Andrew Mortensen wrote:
>
>>
>> On May 29,
{
+ stats_level = LOG_DEBUG;
+}
+syslog( stats_level, "STATS MONSTER: %d/%d/%d login %d/%d service",
login_gone, login_sent, login_total, service_gone,
service_total );
} /* end forever loop */
}
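Review bot: stats_level is only ever assigned LOG_DEBUG in the visible branch before it is passed to syslog(), so check that it is reset to the normal priority at the top of each pass of the forever loop; if it is declared outside the loop and initialized once, the first pass that takes this branch leaves every later "STATS MONSTER" line at debug level. A one-line comment above the branch stating which condition demotes the message would also help anyone who later wonders why stats lines are missing from the log.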
Chris
On 2012/02/06 13:23, Andrew Mortensen wrote:
>
wrote:
>
> On Feb 4, 2012, at 4:12 AM, Chris Hecker wrote:
>
>>
>> Is that patch going to be in 3.2.0? I didn't see it in the release
>> notes you just posted...
>
> Yes, it's in there. Forgot to add it to the notes. Please test and let me
> know if it
Is that patch going to be in 3.2.0? I didn't see it in the release
notes you just posted...
Chris
On 2012/02/03 08:16, Andrew Mortensen wrote:
>
> On Feb 2, 2012, at 8:03 PM, Chris Hecker wrote:
>
>>
>> I have a kerberos account with an instance separator, so l
I have a kerberos account with an instance separator, so like foo/bar.
It can log into krb5 fine, but if I try to log into cosign with it, it
fails in the cgi like this:
cosign_login_krb5: login failed, referer: blah
I haven't traced it farther than that yet (the cgi talks to the daemon
with co
er returns post logout, the cache
> is still valid and the user is still "logged in" to that one site for a few
> seconds. To avoid this, simply call the local logout script which will
> re-direct the user to the main logout script.
>
> http://weblogin.org/faq.shtml
>
I'm having weirdness with the centralized logout feature of cosign, and
before I try debugging the various pieces, I figured I'd ask if it was
actually normal.
If I'm logged into a cosign protected page, and then I click a link to
go to the logout page, then logout, I can hit the back button to g
d_authnz_ldap and not be able to. I'll
probably patch it to allow this, I guess, unless anybody has a better idea.
Thanks,
Chris
On 2011/11/01 08:23, Mark Montague wrote:
> On October 28, 2011 18:47 , Chris Hecker wrote:
>> I can't seem to make it work. Is there a w
I've got cosign working well with kerberos, but I wanted to add an ldap
attribute to specifically (dis)allow kerberos users to login to cosign
webpages (as opposed to just getting tickets for non-web apps, which I
also use krb5 for), but I can't seem to make it work. Is there a way to
get verbose
I asked a similar question a couple months ago for doing this from a service
with a keytab, and the best approach seemed to be to set up a parallel
mod_authn_krb5+cosign mapping to the resource, and then talk to that using
code, since the negotiate auth protocol looks pretty simple (since you won't
Is there a reason there's no change password built into CoSign, at least
when using the krb5 backend? I found this, where someone was going to
write it for expired passwords, but not sure if anything came of that:
http://cosign.sourceforge.net/cosign-discuss/msg00261.shtml
I also found kpassw
token so I don't have to deal with any of the gss junk in my krb5 native
app...the wrapper looks pretty simple.
Chris
On 2011/07/31 23:43, Simon Wilkinson wrote:
> On 1 Aug 2011, at 05:14, Chris Hecker wrote:
>
>>
>>> Oh, wait, negotiate is built into CoSign, sorry, I
rmal
cosign login.
You've got your js negotiate checker, but that's a browser thing, I want
to have it just be completely optional.
Make sense?
Chris
On 2011/07/31 20:55, Chris Hecker wrote:
>
> Oh, wait, negotiate is built into CoSign, sorry, I misread that part.
>
>
Oh, wait, negotiate is built into CoSign, sorry, I misread that part.
Hmm, I will have to play around with this.
Chris
On 2011/07/31 13:44, Chris Hecker wrote:
>
>> 5. Provide a Kerberos protected version of the cosign login CGI. This
>> allows applications to authenticate usin
ks to krb5, but I
want to talk to the cosign pages with negotiateauth from code.
Thanks,
Chris
On 2011/07/31 05:28, Simon Wilkinson wrote:
>
> On 31 Jul 2011, at 06:07, Chris Hecker wrote:
>> 3. Set up and use kx509 so the services can get short term x.509
>> certificates. T
I have CoSign and MIT Kerberos set up and working the way I want for
users, but I'd like krb5 services to be able to get at some CoSign
protected pages (like for fetching a protected RSS feed, etc.).
I've read a bit about this, and it seems like there are a few approaches:
1. Login to CoSign
39 matches