#25 Single Sign-On
I've successfully run coLinux on Windows XP hosts, which
are members of a Windows 2003 server domain. I got it
working fine so that the Windows hosts don't have
internet access and the coLinux service does.

The only problem is the many authentications: the
Windows hosts must sign on at the Windows domain,
the Windows users must sign on at the coLinux service,
and the coLinux users must sign on at the Windows host
or domain to use shared folders or printers.

It would be very helpful if the user only had to sign
on once at the Windows host or domain, and then the
same user and password were used automatically to
sign on at the coLinux service and to sign on back at the
Windows host or domain from the coLinux service.

  • Logged In: YES

    This is most likely not going to be implemented any time in
    the near future. Keep in mind that coLinux is not
    production software. It's barely Beta software and has a
    long way to go. Even given that, there just aren't enough
    resources to implement such a feature, besides the security
    ramifications of such a feature, and the sheer complexity of
    single sign-on on multiple versions of Windows and Linux.

    • status: open --> closed
  • Logged In: NO

    From: colinux@ew.nsci.us

    We have done something similar in colinux using ssh dsa key
    authentication, cygwin-ssh and cygwin-xwin32. This assumes
    user jcase (Justin Case) in windows and linux. Create jcase
    in colinux as a user and add jcase's cygwin id_dsa.pub to
    colinux's ~/.ssh/authorized_keys2 . Then:

    ssh colinux '((export DISPLAY=windows-ip:0;some-x-proggie)&)&'

    The '(p&)&' forces it to grandchild so ssh will quit -- at
    least most of the time. We have found that by granting
    colinux access to cygwin-xwin32 with xhost, you can run x
    proggies off the colinux image. We can sandbox Internet
    programs like firefox/email and virtually eliminate
    spyware/virus issues. It is laggy though. We found that
    direct x connect (hence, xhost) instead of ssh x forwarding
    reduces overhead, however, it is still latent. Might work
    better w/ hyperthread or smp. Still, it is kinda cool to
    run firefox in linux on xwin32!

    We take this one step further with two net interfaces and a
    little iptables magic. This turns linux into a firewall and
    the additional latency for native win32 tcpip apps is
    negligible. The best part is, windows doesn't have its
    physical network card bound to tcp/ip (box unchecked in net
    properties). By bridging it into colinux w/ pcap, colinux
    is then the only tcp/ip stack which has direct access to the
    Internet, thus protecting windows. Windows then connects
    via tap (colinux second interface) to colinux and routes
    out. Kudos to the coLinux network guys for supporting more
    than one network interface!

    Anyway -- not sure if this is the direction you are going.
    Perhaps it will give some insight.

    Eric Wheeler
    Vice President
    National Security Concepts, Inc.
    PO Box 3567
    Tualatin, OR 97062

    Voice: (503) 293-7656
    Fax: (503) 885-0770
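    One way to build the two-interface firewall described in the comment above (coLinux as the only stack on the Internet, Windows routing out through the tap link), as an added example that is not from the thread or the coLinux project. It assumes eth0 is the coLinux interface bridged via pcap to the physical card, eth1 is the tap interface toward Windows, 192.168.37.0/24 is the tap network with Windows at 192.168.37.2, and it only applies rules when run as root with the argument `apply`.

```shell
#!/bin/sh
# Added example; interface names and addresses below are assumptions.
WAN_IF=eth0                 # coLinux side of the pcap bridge to the physical NIC
LAN_IF=eth1                 # tap interface that Windows talks to
LAN_NET=192.168.37.0/24     # address range used on the tap link
WIN_IP=192.168.37.2         # Windows end of the tap link

# Emit the ruleset as plain lines so it can be reviewed before it is run.
# Default-drop on INPUT and FORWARD; only Windows (via tap) may open
# connections, and the Internet side only gets replies to them.
firewall_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $WIN_IP -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Sanity check: number of INPUT rules that accept traffic arriving on the
# Internet-facing interface unconditionally. Should be 0.
wan_new_accepts() {
    firewall_rules | grep -c -- "-A INPUT -i $WAN_IF .*-j ACCEPT" || true
}

# Enable forwarding and load the rules (needs root and iptables).
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    firewall_rules | while IFS= read -r rule; do
        eval "$rule"
    done
}

if [ "${1:-}" = apply ]; then
    apply_rules
fi
```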

  • Logged In: YES

    This really isn't a coLinux issue. I suggest that you look into
    using Kerberos for single sign-on. If you are using Debian
    Linux, there is an ssh-krb5 package that supports using
    Kerberos ticket forwarding via gssapi. You can get a version
    of putty with support for gssapi ticket forwarding from:
    http://www.sweb.cz/v_t_m/ and there are various web sites
    that describe how to compile Samba with Kerberos support
    and set up Linux machines to use Active Directory domain
    controllers as KDCs.

    Christopher D. Clausen