Re: [Cosign-discuss] using weblogin.umich.edu

2008-02-07 Thread Mark Montague
ache HTTPD, including a U-M specific configuration example, are available here: http://webapps.itcs.umich.edu/cosign/index.php/Cosign_Wiki:CosignInstallation#Building_and_Installing_the_Filter Please let us know (or use one of the other email addresses above) if you have any questions.

Re: [Cosign-discuss] protecting directory with Cosign, Apache 2

2008-04-22 Thread Mark Montague
n problem but rather an Apache HTTPD problem. In any event, I recommend trying this just so that you know for sure that you're looking in the right place for the problem. Mark Montague ITCS Web/Database Production Team The University of Michig

Re: [Cosign-discuss] Trouble setting up test cosign

2008-06-30 Thread Mark Montague
sign). If you do not see the "220 2 Collaborative Web Single Sign-On" banner, then check your networking and firewall configuration. Mark Montague ITCS Web/Database Production Team The University of Michigan [EMAIL PROTECTED]

Re: [Cosign-discuss] Trouble setting up test cosign

2008-07-01 Thread Mark Montague
with information about the University of Michigan weblogin servers. ] Mark Montague ITCS Web/Database Production Team The University of Michigan [EMAIL PROTECTED]

Re: [Cosign-discuss] cosign authenticate subversion?

2008-07-11 Thread Mark Montague
O or X.509, but, if it did not, you could always add support for them and submit patches back to the Subversion project. I hope this helps. And, hopefully, other people will also chime in with their ideas and suggestions. Mark Montague ITCS Web/Database Produ

Re: [Cosign-discuss] "cosign_cookie_valid: Unable to connect to any Cosign server" errors & intermittent 503s

2008-08-13 Thread Mark Montague
ges of the production weblogin servers at the University of Michigan. Please use [EMAIL PROTECTED], [EMAIL PROTECTED], or another U-M mail address for U-M specific questions in the future. Mark Montague ITCS Web/Database Production Team The University of

Re: [Cosign-discuss] Different portal support with one auth server

2008-09-24 Thread Mark Montague
r especially if it is possible to tell whether a page should require authentication or not just by its URL), then you're fine. But otherwise, you might want to use a different WebSSO product other than cosign and/or a different portal system. Mark Montague

Re: [Cosign-discuss] Handling server failures with round-robins

2008-10-23 Thread Mark Montague
lters are good at dealing with cosignd hosts that are down, so the main reason we move the IP address to another machine is so that some percentage of users don't get a "Server not responding" error in their web browsers when they are redirected to authenticate.

Re: [Cosign-discuss] Using Cosign Authentication with WAMPServer 2.0

2008-11-26 Thread Mark Montague
ars of build environment, some changes to the mod_cosign configure scripts, Makefiles, and possibly source code may be needed in order to get things working. Please feel free to add anything you find out to the cosign wiki at http://weblogin.org/ Mark Montague I

Re: [Cosign-discuss] build cosignd on 10.5 client

2008-12-23 Thread Mark Montague
386): Mach-O bundle i386 mod_cosign.so (for architecture x86_64):Mach-O 64-bit bundle x86_64 $ Finally, note that cosignd, monsterd, and the CGI are only needed if you are setting up your own central weblogin servers. If you are at an institution that already has central weblogin servers

Re: [Cosign-discuss] build cosignd on 10.5 client

2008-12-24 Thread Mark Montague
or weblogin server components -- does anyone care about this? Mark Montague ITCS Web/Database Team The University of Michigan markm...@umich.edu On Wed, Dec 24, 2008 4:02 PM, Wesley Craig wrote: > Let's address Mark'

Re: [Cosign-discuss] Query string

2009-01-07 Thread Mark Montague
when (re)authentication occurs. Is this using Apache HTTPD? If so, is mod_rewrite involved? Special care is sometimes needed to preserve the query string with mod_rewrite. Also, check your environment to see if it is being set there. If so, then it's a problem with PHP. M

Re: [Cosign-discuss] Daemon Directory

2009-02-23 Thread Mark Montague
ove files that are more than 24 hours old. Mark Montague ITCS Web/Database Team The University of Michigan markm...@umich.edu

Re: [Cosign-discuss] This friggin' sucks....

2009-02-27 Thread Mark Montague
P (e.g., mod_authnz_ldap for Apache HTTPD), a global database (MySQL or Oracle), one or more web-application-specific databases, Unix groups (via PAM or NIS+), or so on. Mark Montague ITCS Web/Database Team The University of Michigan

Re: [Cosign-discuss] cosign reauthentication

2009-04-21 Thread Mark Montague
ie name requires reauthentication. The user will then be asked to reauthenticate the first time they visit that special web application, plus every 20 minutes thereafter, but other web applications will not be affected. Mark Montague ITCS Web/Database Team

Re: [Cosign-discuss] 3.0.0 filter not getting kerberos tickets

2009-04-21 Thread Mark Montague
as to whether this works with mod_cosign. If anyone is able to try it, please let me know. Mark Montague ITCS Web/Database Team The University of Michigan markm...@umich.edu

Re: [Cosign-discuss] 3.0.0 filter not getting kerberos tickets

2009-04-22 Thread Mark Montague
berosSetupGss On > > > Still results in no tickets and incorrect values for the directives in > *cfg Thanks for trying it, though. Sorry about the red herring. Mark Montague ITCS Web/Database Team The Un

Re: [Cosign-discuss] Can't Find Cosignd - Not Firewall

2009-05-29 Thread Mark Montague
L certs have passed verification as sslclient and sslserver certificates. Any help is greatly appreciated. What is not working? What are the symptoms of the problem you are having? Mark Montague ITCS Web/Database Team The Univer

Re: [Cosign-discuss] Login error "Your browser is looping ..."

2009-06-17 Thread Mark Montague
files for evidence of what is causing the looping that you are seeing. Mark Montague ITCS Web/Database Team The University of Michigan markm...@umich.edu

Re: [Cosign-discuss] Login error "Your browser is looping ..."

2009-06-17 Thread Mark Montague
On Tue, Jun 16, 2009 9:27 PM, "Wen-Chen Hol" wrote: > What is the usual directory of "Cosign Cookie folder" for a redhat > Enterprise 5, apache 2.2.3, unisign 2.? > /var/cosign/filter Mark Montague ITCS Web/Database Team

Re: [Cosign-discuss] Apache Cosign 3 Filter Causes Re-direct Loop

2009-07-23 Thread Mark Montague
may require adherence to certain standards or policies. It's also possible to have service-specific service entries (which some people refer to as "exceptions" to the general policy, if one exists) that apply only to a specific cosign-protected web server and permit it to use a

Re: [Cosign-discuss] IIS v3 Config issue

2009-08-18 Thread Mark Montague
ertificate) and configuring HTTPS. Mark Montague ITS Web/Database Team The University of Michigan markm...@umich.edu On Tue, Aug 18, 2009 4:53 PM, "Will Kerr" wrote: > On version 1.0 I was able to host multiple sites us

Re: [Cosign-discuss] Certificate

2009-09-24 Thread Mark Montague
up your own CA and then configure cosign to trust that CA. (The root certificate for the CA may be self-signed, though; that's OK). Mark Montague ITS Web/Database Team The University of Michigan markm...@u

Re: [Cosign-discuss] IIS 6 Cosign filter

2009-11-11 Thread Mark Montague
o make it work. Out of the box, cosignd will log using the "daemon" facility. This does not appear to exist on MacOS 10.5; have you modified the code? syslog messages that are logged without a facility under MacOS X appear in /var/log/system.log Mark Montague

Re: [Cosign-discuss] service cookie

2009-12-30 Thread Mark Montague
od_cosign-2.0" is not a valid service line for cosign.conf. See the cosign.conf man page. Mark Montague ITS Web/Database Team The University of Michigan markm...@umich.edu

Re: [Cosign-discuss] Cosign.conf and Active Directory configuration

2010-02-25 Thread Mark Montague
neither cosignd nor cosign.conf get installed unless you run "make install-all" instead of "make install". Information on Kerberos is also included in README.weblogin. Let us know if you have questions. Mark Montague ITS Web/Database Team

Re: [Cosign-discuss] Cosign.conf and Active Directory configuration

2010-02-25 Thread Mark Montague
config at all right now, although I think it would be awesome if it did. See lines 41 - 86 of cosign-3.1.1/aclocal.m4 Mark Montague (not a cosign developer, I just run it) ITS Web/Database Team The University of Michigan markm...@

Re: [Cosign-discuss] Cosign.conf and Active Directory configuration

2010-02-25 Thread Mark Montague
...however, this is just a random suggestion. I recommend that you go through the problems that other people have been having with other packages and see if you can find how they solved it. Also... have you successfully compiled something else using these Kerberos libraries? Best lu

Re: [Cosign-discuss] Cosign.conf and Active Directory configuration

2010-02-25 Thread Mark Montague
tware packages and then trying the same thing with cosign. Mark Montague ITS Web/Database Team The University of Michigan markm...@umich.edu On February 25, 2010 16:01 , "Simon Chang" wrote: > Well... > > Two

Re: [Cosign-discuss] Infinite redirect loop with test install

2010-02-26 Thread Mark Montague
logs for both your cosign-protected web server and your central weblogin server, as there may be clues in there. I hope this helps. Mark Montague ITS Web/Database Team The University of Michigan markm...@umich.edu On Februar

Re: [Cosign-discuss] Authenticate WITHOUT the cookies?

2010-03-25 Thread Mark Montague
P.S.: you are not subscribed to the mailing list, so anything you post will be held pending moderator approval. Also, you will not see any replies that are posted to the mailing list (I've manually added in your email address on this reply so you would see it). Mark Mon

Re: [Cosign-discuss] Authenticate WITHOUT the cookies?

2010-03-25 Thread Mark Montague
On March 25, 2010 10:57 , Mark Montague wrote: Possible solutions include: - Modify SWFUpload to send cookies. - Modify the 3rd party application to use a different upload system, one that supports cookies. - Disable cosign for the URL in question in order to permit anonymous or non

Re: [Cosign-discuss] Authenticate WITHOUT the cookies?

2010-03-30 Thread Mark Montague
ince the Flash application won't be passing cookies to the web server, the web application won't know who uploaded what. Effectively, all uploads would be anonymous. Mark Montague ITS Enterprise Email & Collaboration Technologies Team

Re: [Cosign-discuss] cosign ,sso problem

2010-04-20 Thread Mark Montague
th cosign itself, it's functionality that needs to be provided by your LDAP software. The situation is similar if you configure cosign to use Kerberos, or a SQL database, or hardware tokens. I hope this helps. Mark Montague ITS Enterprise E

Re: [Cosign-discuss] need mod_cosign.so binary (cosign 3)

2010-12-14 Thread Mark Montague
s repository: http://forums.opensuse.org/archives/sf-archives/archives-software/331878-where-apxs-libapreq2-suse-10-2-a.html -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] Two n00b-ish questions about upgrading cosign...

2010-12-16 Thread Mark Montague
Cookies you have in your local cookie database (by default, /var/cosign/filter) will be preserved. If you set special permissions, however, you'll want to be sure that none of the special permissions were reverted during the "sudo make install&

Re: [Cosign-discuss] Can I use CoSign with RedHat 7.3 kernel v2.4.20-28.7smp?

2011-03-21 Thread Mark Montague
licitly permit it (but there are good reasons why they should not permit it). -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] U of Michigan specific question - UMHS networks, Cosign, and redirect loops?

2011-06-16 Thread Mark Montague
ckIP never", the multipath NAT problem is not a new issue. It was affecting clients behind the UMHS firewalls at the University of Michigan two years ago. I hope this helps. -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] U of Michigan specific question - UMHS networks, Cosign, and redirect loops?

2011-06-16 Thread Mark Montague
f our Cosign-covered web > services? Is that what wolverineaccess.umich.edu and other central services > do as their baseline Cosign configuration? Yes, unfortunately. -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] Looping in FF5 (probably)

2011-07-04 Thread Mark Montague
he URLs from when the user first visits the cosign-protected web site through the point at which the looping occurs. This will hopefully provide information as to what is causing the looping. -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] Question about multiple factors

2011-07-14 Thread Mark Montague
he validation URL for that service (note that I have not tried this, so I don't know if it would actually work). This is all a little kludgy, but maybe someone else can suggest a better way. -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] Question about multiple factors

2011-07-16 Thread Mark Montague
e hands of the person administering the cosign-protected service: the factor can be required (or not) on a per-service or even per-page basis; but hopefully most institutions would not need this sort of granular control, and so I think your solution is definitely the bette

Re: [Cosign-discuss] programattic access to cosign

2011-10-10 Thread Mark Montague
erl script you're writing authenticate using X.509 client certificates. Not via cosign's support for X.509, just via mod_ssl with a "Satisfy any" directive. -- Mark Montague LSA Research Systems Group University of Michigan markm...@umich.edu

Re: [Cosign-discuss] Alternative authentication for protected directory

2011-10-18 Thread Mark Montague
you might be able to get this to work with a recent version of Apache HTTP Server 2.2 (that is, not the version that ships with RHEL5 / CentOS 5!) and without any changes to mod_cosign. -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] Alternative authentication for protected directory

2011-10-24 Thread Mark Montague
", "require ldap-group cn=umweb friends,ou=User Groups,ou=Groups,dc=umich,dc=edu"). So if you're maintaining an authorization list anyway, it should be just as easy to use that with cosign as with Basic Auth, and it would result in a simpler configuration ov

Re: [Cosign-discuss] cosign + mod_authnz_ldap debugging?

2011-11-01 Thread Mark Montague
porarily turn LogLevel up to "debug". No guarantees, but hopefully mod_authnz_ldap will then be verbose about what it is doing. At the very least httpd itself should report on the return values that both mod_cosign and mod_authnz_ldap are generating for each request processing h

Re: [Cosign-discuss] exposing COSIGN_FACTOR outside of a cosign protected area

2011-11-03 Thread Mark Montague
EDU [root@aeacus ~]# versus two-factor: [root@aeacus ~]# cat "/var/cosign/filter/cosign-aeacus.lsa.umich.edu=47GljWdqqR4TIFV7iRUB5v4wx9pzUprTzwBYwH-DHc71OKN2LLQRgEw7tSlwaCNtdFp0nFB3qcnDdDPAZxoJEHDWUk8PRfrPjufJ7BbbaIRD3z5FzsnxI4bOeZ3S" v3 i141.213.169.109 pmarkmont rUMICH.EDU fUMICH

Re: [Cosign-discuss] exposing COSIGN_FACTOR outside of a cosign protected area

2011-11-03 Thread Mark Montague
On November 3, 2011 13:19 , Liam Hoekenga wrote: > If I allow CosignAllowPublicAccess at the root, it looks like I'll > need to specifically negate it ("CosignAllowPublicAccess off") in any > subdirectories where I actually /need/ cosign. Is that correct? Yes.

Re: [Cosign-discuss] Worker MPM

2011-11-14 Thread Mark Montague
at it's already thread-safe or close to it, but I'd be surprised). I'd love to see this supported, but I imagine that this isn't a high priority for most people. (and the latest release is 3.1.2, by the way) --

Re: [Cosign-discuss] Emulate browser w/ a command line utility, access COSIGN protected resource?

2011-11-30 Thread Mark Montague
third curl command is or is not doing; the -v or --head options may be useful for this if the -w you already have is not showing you what's happening. Again, I recommend using a different type of authentication for scripts, such as client-side SSL certificates, if this is possible in you

Re: [Cosign-discuss] Emulate browser w/ a command line utility, access COSIGN protected resource?

2011-11-30 Thread Mark Montague
proceed normally, without needing any modification or customization. Take this with a grain of salt, however, since I've never set this up for Nagios, personally. -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] logout time delay?

2012-02-01 Thread Mark Montague
ected web site 2. User clicks logout link on cosign protected web site, which deletes the service cookie from the user's web browser and redirects the user to the central logout page. 3. User logs out 4. User tries to access the cosign protected web site again, but does not have a cosign

Re: [Cosign-discuss] mysterious user logouts

2012-02-14 Thread Mark Montague
rdless of browser? Regardless of device/computer? Is the user coming up against the idle timeout? -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] Slow CoSign Authentication

2012-03-01 Thread Mark Montague
Web Inspector might also be able to do it. And there should be a way to achieve a similar result in Microsoft Internet Explorer, too. I hope this helps. -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] Question concerning multiple factors

2012-04-10 Thread Mark Montague
ou want to do. For example, allow cosign to determine the user's identity, but then use the authorization parts of mod_authnz_ldap to compare the user's identity (as determined by cosign) to say whether the user is a member of a certain LDAP group, or is in a certain LDAP OU, and thus whethe

Re: [Cosign-discuss] Cosign 3.1.2 SSL Error in Apache 2.2.3 on RHEL 5.7

2012-04-18 Thread Mark Montague
lowing the instructions for the FAQ "My certificate is verified, but I'm still getting vague and unhelpful SSL errors. What else can I do?" at http://webapps.itcs.umich.edu/cosign/index.php/Cosign_Wiki:CosignFAQ#Configuration I hope this helps. -- Mark Montague m...@

Re: [Cosign-discuss] Cosign 3.1.2 SSL Error in Apache 2.2.3 on RHEL 5.7

2012-04-20 Thread Mark Montague
n authority that is trusted by your institution's central weblogin servers. Do your institution's central weblogin servers explicitly trust GeoTrust? -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] Authentication Help

2012-06-21 Thread Mark Montague
u want to authenticate users via the cosignd protocol? If you can share both the requirements and why you have those particular requirements, we may be able to suggest a different architecture that accomplishes the same business go

Re: [Cosign-discuss] Authentication Help

2012-06-22 Thread Mark Montague
TE_USER to determine who is accessing it? If we know the answers to these questions, we may be able to provide more useful responses. -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] Unable to connect to any Cosign server

2012-08-08 Thread Mark Montague
tpd_can_network_connect set to "on" (run "getsebool -a | grep httpd" to see). Also if you're running SELinux, check /var/log/audit/audit.log for denial messages. -- Mark Montague m...@catseye.org

[Cosign-discuss] CosignModule Service Unavailable problem

2012-08-08 Thread Mark Montague
03 errors and this pattern holds exactly for all of them (failure to read CHECK response on the first connection, followed by failure to read STARTTLS responses on four other connections). Any ideas or assistance would be appreciated, but if anyone else has seen this issu

Re: [Cosign-discuss] CosignModule Service Unavailable problem

2012-08-09 Thread Mark Montague
On August 8, 2012 14:39 , Phil Pishioneri wrote: > On 8/8/12 1:50 PM, Mark Montague wrote: >> Has anyone seen a problem with CosignModule for IIS where users >> sometimes, but not always, receive a 503 "Service unavailable" message >> when they first try to acc

Re: [Cosign-discuss] cosign integration in development

2012-08-17 Thread Mark Montague
te service [commercially signed and widely trusted], and UM Web CA [locally signed]). I hope this helps. If addressing these two things (creating a hash for the root CA certificate for the certificate used by your central weblogin servers, plus using a non-self-signed certificate in the Cos

Re: [Cosign-discuss] cosign integration in development

2012-08-17 Thread Mark Montague
ichigan/OU=ITCS/CN=UM Web CA/emailAddress=webmas...@umich.edu [...remainder of output omitted...] -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] cosign integration in development

2012-08-17 Thread Mark Montague
script from the OpenSSL source code distribution, run: cd /etc/httpd/cosign-ca-dir ; c_rehash . Also, you should be able to see the same output for: [root@minos certs]# openssl x509 -hash -noout -in ./umwebCA.pem 5cc1e784 [root@minos certs]# Short form: fixing

Re: [Cosign-discuss] cosign integration in development

2012-08-17 Thread Mark Montague
t Speed 100 1334 100 13340 0 19974 0 --:--:-- --:--:-- --:--:-- 21868 $ openssl x509 -hash -noout -in ./umwebCA.pem 5cc1e784 $ Once you get this, recreate the hash symlink by running c_rehash again. If you don't get a link named 5cc1e784.0, then so

Re: [Cosign-discuss] cosign integration in development

2012-08-17 Thread Mark Montague
hash symlink and you should probably use the same version of OpenSSL from the command line that you're using to compile mod_cosign. -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] using renewable krb5 tickets instead of kicking to login page?

2012-11-27 Thread Mark Montague
rs). If you get Kerberos tickets, then make sure that the default TGT and service ticket lifetimes are 1 week, too -- in addition to making sure that your KDC and krb5.conf are configured to allow this, you'll need to set the cosignticketlifetime directive in cosign.conf appropriately,

Re: [Cosign-discuss] using renewable krb5 tickets instead of kicking to login page?

2012-11-27 Thread Mark Montague
ew the ticket on their workstation, but reauthentication on the central weblogin server would usually happen invisibly, without the user being aware of it, and you would not be having the situation you describe -- which is the basis of my assumption that you are not using SPNEGO in your envi

Re: [Cosign-discuss] using renewable krb5 tickets instead of kicking to login page?

2012-11-27 Thread Mark Montague
s every request or 60 seconds after the last check, whichever is longer), the user will be immediately kicked off. This has the advantage that the user does not continue to have access to cosign-protected web services until their current ticket expires; they are completely

Re: [Cosign-discuss] allow from host on location /

2013-01-10 Thread Mark Montague
worked fine. If you encounter problems, it might be due to merging of configuration sections. In this case, use mod_info to help troubleshoot the issue, and/or make sure you specify a complete set of access control directives in each affected conte

Re: [Cosign-discuss] allow from host on location /

2013-01-22 Thread Mark Montague
terms of the configuration and access directive merging? -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] Conditional Factors

2013-01-22 Thread Mark Montague
in the exact same way as the cosign filter redirects users. As you can see, this is a case where the second factor is enabled only for specific users instead of services, but we leave the decision up to the service, and initiate the action from the service. Even though this is not what you want,

Re: [Cosign-discuss] Problem Embedding Login

2013-01-22 Thread Mark Montague
If "count" gets too high, the cgi assumes that the user's web browser is stuck in an endless redirect loop, and it stops trying to authenticate the user and displays an error message to the user instead. -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] mod_cosign looking for wrong hash value in cert name?

2013-02-27 Thread Mark Montague
d-line "openssl" utility from that same version, or, if you use a newer version, you can use the -subject_hash_old and -issuer_hash_old options to the "openssl x.509" command to get the correct hashes. --

Re: [Cosign-discuss] Needs parameters to configure cosign as Single Sign-On method

2013-03-06 Thread Mark Montague
be used to determine the user's locale unless the user is using a proxy or VPN -- is given by the REMOTE_ADDR server variable, if you are using Apache HTTP Server. (If this is not what you mean by "user locale", please be more specific). -- Mark Mo

Re: [Cosign-discuss] JCosign ssl handshake - Received fatal alert: unknown_ca

2013-04-16 Thread Mark Montague
give you a list of the CAs they have chosen to trust for this purpose. -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] filter directory filling up (and tickets, less so)

2013-05-15 Thread Mark Montague
-type f -mtime +0 | /usr/bin/xargs /bin/rm -f $ You'll need a similar script to clean up old Kerberos tickets from your tickets directory. -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] Segmentation Fault using curl with Cosign 3.2.0 enabled

2013-05-15 Thread Mark Montague
a debugger to get a stack trace and post that here. I hope this helps. -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] filter directory filling up (and tickets, less so)

2013-05-30 Thread Mark Montague
each of your cosign-protected web servers (the machines running the filter which are not central weblogin servers) you want to delete old cookie files (/var/cosign/filter) and, if the cosign-protected web server gets proxied Kerberos tickets from the central weblogin servers then you want

Re: [Cosign-discuss] cosign filter and DNS changes

2013-07-05 Thread Mark Montague
to do this, I think it would be a huge benefit even for sites that are doing what the University of Michigan is currently doing (see Richard's message). -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] Restricting Users

2013-09-20 Thread Mark Montague
2/mod/mod_authnz_ldap.html#requiredirectives https://httpd.apache.org/docs/2.2/howto/access.html -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] Cloned Server: cn=login & host=login-dev don't match!

2013-11-05 Thread Mark Montague
t not with the email address you posted from). This causes your posts to be held for approval of a human moderator, as a spam protection measure. Also, if anyone just replies to the list instead of replying to all, you won't see their responses. I hope this helps.

Re: [Cosign-discuss] Logout with mod_cosign protecting Tomcat application

2013-11-13 Thread Mark Montague
N_FACTOR}e env=COSIGN_FACTOR Most web applications would not care about the factors, only whether the user was authenticated. You would then have your Java code look to see if a request header named X-Remote-User was present and set to a non-empty value; if it is, the URI

Re: [Cosign-discuss] Cloned Server: cn=login & host=login-dev don't match!

2013-12-13 Thread Mark Montague
this, make sure you put any root and intermediate certificates for the CA into the cosigncadir directory and generate appropriate hash symlinks. 4. Restart cosignd and your central weblogin server web server service so that both of them "see" the new certificate. I hope this hel

Re: [Cosign-discuss] how hard would it be to fix the post_error problem?

2014-07-09 Thread Mark Montague
cation timeout concerns for webapps that expect the form to be submitted within a certain window. 5. There are undoubtedly other concerns too. This might be a fun experimental project for someone with free time. -- Mark Montague m.

Re: [Cosign-discuss] how hard would it be to fix the post_error problem?

2014-07-09 Thread Mark Montague
the meantime, individual institutions that use cosign could modify their post_error.html to include a link to Lazarus and similar browser plugins so that the user could install one and avoid the loss next time. -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] how hard would it be to fix the post_error problem?

2014-07-09 Thread Mark Montague
oft") timeout (2 hours) and detecting the cosign hard timeout (10, 12, or 24 hours) as soon as it occurs. It's not nearly as good as your proposed workaround, but I've noticed that people of that particular webapp rarely wind up losing POST data. --

Re: [Cosign-discuss] Does Cosign *need* to use LDAP?

2014-07-29 Thread Mark Montague
the user. But note that after this although the user would be authenticated to cosign, they'd still need to return to the web application so that it could establish its own session for the user, and you'd still need to configure the web application appropriately for cosign. Let me know if

Re: [Cosign-discuss] Cosign Logout JSP - redirect after logout

2014-09-19 Thread Mark Montague
to be redirected to after logout as the query string of the logout URL, for example: https://weblogin.umich.edu/logout?http://www.lsa.umich.edu/ -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] Cosign on Ubuntu 14 doesn't work?

2014-09-29 Thread Mark Montague
2.4. Hopefully other people on the list can take the discussion from this point. -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] two problems while installing cosignd

2015-01-21 Thread Mark Montague
_cosign-1” cosign.conf is the configuration file for cosignd, not for Apache HTTP Server mod_cosign. -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] cosign 3.2.0 does not build without patching on Apache 2.4.6, new release soon?

2015-02-06 Thread Mark Montague
lient web server belonging to the institution rather than random machines. -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] cosign 3.2.0 does not build without patching on Apache 2.4.6, new release soon?

2015-02-06 Thread Mark Montague
s' back-channel certificate; client web server back-channel certificates can be either from the same CA or from a list of 3-4 specific trusted commercial CAs). -- Mark Montague m...@catseye.org

Re: [Cosign-discuss] cosign 3.2.0 does not build without patching on Apache 2.4.6, new release soon?

2015-02-07 Thread Mark Montague
he same in-house CA for all requests, and had the client web servers only trust the in-house CA for the CAS login server requests that they sent. To do this, CAS would have to allow server/ports in the URL for user logins than for client web server req

Re: [Cosign-discuss] stripping REALM from principal name?

2015-02-12 Thread Mark Montague
ust modify cosign.cgi to check (during processing of the POST) if the last characters of the username match @ plus the realm name, case insensitively, and, if so, cut them? It could even be submitted upstream and would be, by far, the easiest solution. --

Re: [Cosign-discuss] Please help - Cosign behind reverse proxy

2015-05-06 Thread Mark Montague
.2.3.4, or hostA.example.com before posting to the mailing list. If you are relying on security by obscurity (that is, if people can gain unauthorized access just by knowing certain details about your configuration), eliminate this problem before posting to the mailing list. -- Mark Mo

Re: [Cosign-discuss] cosign login with krb5 key (or tgt) possible?

2017-11-27 Thread Mark Montague
Kerberos ticket or X.509 certificate is valid. I am not aware of any institution that is using either SPNEGO or X.509 with cosign. Either one would require explicit configuration, possible UI enhancements, and I don't think that documentation exists for either one. -- Mark Montague