On Thu, 2007-04-26 at 22:54 -0600, Devlin Daley wrote:
> I'm just curious as to why you need to verify someone's Route Y
> credentials.

To prove someone is who he or she says he or she is. The real question is, given that we don't totally trust the user, does the user trust us? A philosophical dilemma. Of course BYU students seem to pass their netid and password around like candy anyway, so maybe the question is moot.

>
> I dislike immensely providing that password to units other than the
> actual Route Y. That situation easily lends itself to non-authorized
> impersonation. Is it absolutely necessary?

Yes it is. I have to smile at your comment, as you've obviously not spent much time using BYU's various web resources. Kronos, Extensity, OIT's problem reporting system, Blackboard. Everything requires a separate login using your netid and password. There is, essentially, no single sign-on on campus yet, despite SiteMinder.

How do you know that you are interacting with the official Route Y site anyway? The new web design puts a username and password field on *every* site, for *every* department, no matter where the page is hosted. There is now no longer any official Route Y unit that accepts your password. Topher recently discussed his spoofing research. The current BYU site is extremely vulnerable to spoofing/phishing.

>
> An easier method if you absolutely must: just attach directly to
> BYU's LDAP. If you can login to the LDAP with their username/
> password, it's legit. Just disconnect when you're done.

If you'll reread my posts, you'll find the main reason for implementing this http hack is exactly because LDAP is not reliable on campus. LDAP is a secondary system for BYU, synced from other sources. I've worked with OIT on this issue and they basically say that there are sometimes password synchronization issues which they can solve on a per-user basis. This is not practical for us, though. I'm basically going to use this http login as a fall-back for LDAP. Any ldap bind that fails but http login succeeds will be noted and the netids passed on to OIT for analysis.

>
> The University should really provide a mechanism so that the Route Y
> credentials can be used around campus, without having everyone give
> their password away. I think I've got a way around it -- hopefully
> I'll get it implemented this summer.

BYU's upcoming CAS will address this. Only one web site will ever take your password. It will grant you a ticket-granting cookie which your browser will pass to the various web sites that require authentication. This creates a very kerberos-like authentication system which works very well. We use CAS internally in our department for all our web authentication needs. In fact we're also looking at pam_cas, to allow our web-based e-mail client to use the CAS credentials, rather than require a username and password (which it currently needs for imap purposes).

By the way, anyone who is using LDAP binds as a method of authentication is abusing LDAP and needs to be hauled out and shot (don't look too closely at my use of ldap... :). LDAP is *not* an authentication method. LDAP can be used to provide information for *authorization*, but authentication comes from another source. Kerberos is likely the best place for it. Now if we had a full Kerberos architecture at BYU like MIT does, then everything from unix shell access to file sharing to web resources would all be done using kerberos credentials. Unfortunately that requires add-on software for almost all operating systems and even Firefox doesn't natively support kerberos.

>
> -- Devlin

Feel free to not top-post.

Michael

--------------------
BYU Unix Users Group http://uug.byu.edu/
The opinions expressed in this message are the responsibility of their author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
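The CAS-style flow Michael describes (one login server takes the password, the browser carries a ticket-granting cookie, each web site only ever receives a ticket it validates server-to-server) is simulated below as an added example. It is not BYU's CAS, not the department's deployment, and not the pam_cas code; the account, the service URLs and the ticket lifetime are constructed for the illustration. It shows the property that matters for the thread: a departmental site authenticates a netid without ever seeing the password, and a service ticket is single-use and bound to one service, so a ticket handed to the wrong site or replayed is rejected.

```python
"""Simulation of a CAS-like ticket flow (added example, not real CAS code).

Three parties: CasServer (the only site that sees a password), WebApp
(a departmental site), Browser (carries the ticket-granting cookie).
All accounts, URLs and the TTL below are constructed for the example.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real login server uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CasServer:
    """Issues ticket-granting cookies (TGC) and per-service tickets (ST)."""

    TICKET_TTL = 60  # seconds a service ticket stays valid (assumed value)

    def __init__(self, users: dict[str, str]):
        # users: netid -> plaintext password, hashed at construction (constructed data)
        self._creds: dict[str, tuple[bytes, bytes]] = {}
        for netid, pw in users.items():
            salt = secrets.token_bytes(16)
            self._creds[netid] = (salt, _hash_password(pw, salt))
        self._tgcs: dict[str, str] = {}                       # TGC -> netid
        self._sts: dict[str, tuple[str, str, float]] = {}     # ST -> (netid, service, issued)

    def login(self, netid: str, password: str) -> str | None:
        """The one place a password is ever checked; returns a TGC on success."""
        rec = self._creds.get(netid)
        if rec is None:
            return None
        salt, digest = rec
        if not hmac.compare_digest(digest, _hash_password(password, salt)):
            return None
        tgc = "TGC-" + secrets.token_urlsafe(32)
        self._tgcs[tgc] = netid
        return tgc

    def service_ticket(self, tgc: str, service: str) -> str | None:
        """Exchange a valid TGC for a short-lived ticket bound to one service URL."""
        netid = self._tgcs.get(tgc)
        if netid is None:
            return None
        st = "ST-" + secrets.token_urlsafe(24)
        self._sts[st] = (netid, service, time.monotonic())
        return st

    def validate(self, st: str, service: str) -> str | None:
        """Server-to-server check by the web app. Ticket is consumed on first use."""
        rec = self._sts.pop(st, None)  # single use: any replay fails
        if rec is None:
            return None
        netid, bound_service, issued = rec
        if bound_service != service:  # ticket presented to the wrong site
            return None
        if time.monotonic() - issued > self.TICKET_TTL:  # stale ticket
            return None
        return netid


class WebApp:
    """A departmental site: it never handles a password, only service tickets."""

    def __init__(self, url: str, cas: CasServer):
        self.url = url
        self.cas = cas

    def handle(self, st: str) -> str | None:
        # The app asks CAS directly; the browser cannot forge this answer.
        return self.cas.validate(st, self.url)


class Browser:
    def __init__(self, cas: CasServer):
        self.cas = cas
        self.tgc: str | None = None

    def login(self, netid: str, password: str) -> bool:
        self.tgc = self.cas.login(netid, password)
        return self.tgc is not None

    def visit(self, app: WebApp) -> str | None:
        # Redirect dance collapsed into two calls: present the TGC to CAS for a
        # ticket scoped to app.url, then hand that ticket to the app.
        st = self.cas.service_ticket(self.tgc, app.url) if self.tgc else None
        return app.handle(st) if st else None


def simulate() -> dict:
    """Run the flow once and return the observable outcomes."""
    cas = CasServer({"alice": "correct horse"})  # constructed account
    mail = WebApp("https://mail.example.edu/", cas)  # hypothetical sites
    wiki = WebApp("https://wiki.example.edu/", cas)
    b = Browser(cas)
    out = {"bad_password": b.login("alice", "wrong")}
    out["login"] = b.login("alice", "correct horse")
    out["mail_user"] = b.visit(mail)  # "alice", without mail seeing a password
    out["wiki_user"] = b.visit(wiki)  # same TGC, fresh ticket for the wiki
    st = cas.service_ticket(b.tgc, mail.url)
    out["misrouted"] = wiki.handle(st)  # bound to mail, rejected by wiki
    st2 = cas.service_ticket(b.tgc, mail.url)
    out["first_use"] = mail.handle(st2)
    out["replay"] = mail.handle(st2)  # consumed above, rejected now
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The misrouted case is the defender's reason for binding tickets to a service URL: a site that obtains a ticket meant for another site cannot use it to impersonate the user there, and because validation consumes the ticket, an intercepted ticket is useless once the legitimate site has checked it.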
