On Nov 27, 2012, at 7:49 PM, Chris Hecker wrote:
>> Some care would be needed here. The user will be redirected to the
>> central weblogin server for the ticket renewal.
>
> Ah, yeah, I don't think POSTs can live across redirects. This would
> have to happen before the redirect on the initial
> Requiring a user to reauthenticate after a given period of time (the
> hard timeout) is one of the design requirements for cosign. What you
> are proposing would provide a way around this.
But this isn't true, renewable tickets aren't renewable forever. It is
just a more secure way of allowi
On November 27, 2012 16:17, Chris Hecker wrote:
> I think the only changes to cosign would be:
> - on first login, make the hard limit for this session min(-H, tgt lifetime)
> - get renewable tickets if an option is set
> - before kicking the user to the login screen on timeout, try to renew
> th
> With that in mind, reconsider what Wes was saying about
> authorization. You're thinking of setting -allow_tix on a principal
> so they can't log into cosign. That'll work, and it'll work now
> without modifying cosign. What Wes was saying is that you want some
> form of authorization check
On Nov 27, 2012, at 3:00 PM, Chris Hecker wrote:
>
>> It's the difference between an authentication method and using a TGT
>> to obtain service tickets.
>
> However, it sounds like this means what Mark was saying is that once
> cosign has authenticated the first time (whether with krb5 or ldap
> It's the difference between an authentication method and using a TGT
> to obtain service tickets.
Ah, okay, yeah, I don't have cosign do anything with tickets itself, I
just use krb5 for authentication (which gets a TGT to do so, as I
understand it).
However, it sounds like this means what Ma
> That's definitively not how kerberos works. In fact, the password is
> not sent to the KDC to obtain credentials.
Yeah, sorry, I meant the krb5 API that cosign talks to, I know how
kerberos works at the protocol level and that credentials aren't passed
over the wire, etc. I just meant it gets
On Nov 27, 2012, at 2:08 PM, Chris Hecker wrote:
>
>> Except: the tickets obtained by cosign (*) are not being used to
>> authenticate the user to cosign.
>
> This part confuses me. I'm not using SPNEGO, this is all on the cosign
> side, but if I've got cosign set up to use krb5 as the authe
On 27 Nov 2012, at 14:08, Chris Hecker wrote:
> In
> other words, it takes the user's credentials, passes them to the KDC,
> and if a TGT comes back, the user is authenticated, right? How else
> could it work?
That's definitively not how kerberos works. In fact, the password is not sent
to the
> Except: the tickets obtained by cosign (*) are not being used to
> authenticate the user to cosign.
This part confuses me. I'm not using SPNEGO, this is all on the cosign
side, but if I've got cosign set up to use krb5 as the authentication
backend, how is it not using tickets to authenticate
On November 27, 2012 12:57, Chris Hecker wrote:
>> If you get Kerberos tickets, then make sure that the default TGT and
>> service ticket lifetimes are 1 week, too
> But that violates the entire point of short lived tickets, and is why
> there are renewable tickets in krb5 in the first place.
Ex
> If you get Kerberos tickets, then make sure that the default TGT and
> service ticket lifetimes are 1 week, too
But that violates the entire point of short lived tickets, and is why
there are renewable tickets in krb5 in the first place.
In other words, I just want to avoid the problem where t
On November 21, 2012 15:08, Chris Hecker wrote:
> I have a forum that uses cosign and kerberos, and every day people need
> to log back in (I have 24 hour ticket lifetimes), but worse, if they are
> in the middle of doing something and the ticket expires, they get kicked
> to the login page as we