Hi,
I'm successfully running coLinux on Windows XP hosts, which
are members of a Windows 2003 server domain. I got it
working fine so that the Windows hosts don't have
internet access and the coLinux service has it.
The only problem is the many authentications: The
Windows hosts must sign on to the Windows domain,
the Windows users must sign on to the coLinux service
and the coLinux users must sign on to the Windows host
or domain to use shared folders or printers.
It would be very helpful if the user only had to
sign on once at the Windows host or domain and then
the same user and password were used automatically to
sign on to the coLinux service and to sign on to the
Windows host or domain back from the coLinux service.
Regards
Rimini
Logged In: YES
user_id=30412
This is most likely not going to be implemented any time in
the near future. Keep in mind that coLinux is not
production software. It's barely Beta software and has a
long ways to go. Even given that, there just aren't enough
resources to implement such a feature, besides the security
ramification of such a feature, and the sheer complexity of
single-sign-on on multiple versions of Windows and Linux.
Logged In: NO
From: colinux@ew.nsci.us
We have done something similar in colinux using ssh dsa key
authentication, cygwin-ssh and cygwin-xwin32. This assumes
user jcase (Justin Case) in windows and linux. Create jcase
in colinux as a user and add jcase's cygwin id_dsa.pub to
colinux's ~/.ssh/authorized_keys2 . Then:
ssh colinux '((export DISPLAY=windows-ip:0;some-x-proggie)&)&'
The '(p&)&' forces it to grandchild so ssh will quit -- at
least most of the time. We have found that by granting
colinux access to cygwin-xwin32 with xhost, you can run x
proggies off the colinux image. We can sandbox Internet
programs like firefox/email and virtually eliminate
spyware/virus issues. It is laggy though. We found that
direct x connect (hence, xhost) instead of ssh x forwarding
reduces overhead, however, it is still latent. Might work
better w/ hyperthread or smp. Still, it is kinda cool to
run firefox in linux on xwin32!
We take this one step further with two net interfaces and a
little iptables magic. This turns linux into a firewall and
the additional latency for native win32 tcpip apps is
negligible. The best part is, windows doesn't have its
physical network card bound to tcp/ip (box unchecked in net
properties). By bridging it into colinux w/ pcap, colinux
is then the only tcp/ip stack which has direct access to the
Internet, thus protecting windows. Windows then connects
via tap (colinux second interface) to colinux and routes
out. Kudos to the coLinux network guys for supporting more
than one network interface!
Anyway -- not sure if this is the direction you are going.
Perhaps it will give some insight.
--
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770
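
One possible ruleset for the two-interface firewall layout described in the post above, as an added example (not the poster's own rules). The interface names eth0 (pcap-bridged, Internet side) and eth1 (TAP, Windows side), the 192.168.37.0/24 subnet and the `gen_ruleset` helper are assumptions.

```shell
#!/bin/sh
# Added example: render an iptables-restore ruleset for a coLinux guest that is
# the only TCP/IP stack facing the Internet. All names and addresses are assumed.

# Accept only plain interface names / CIDR strings so that an argument cannot
# smuggle extra rule text into the generated ruleset.
valid_if()   { case $1 in ''|*[!A-Za-z0-9_.-]*) return 1;; esac; }
valid_cidr() { case $1 in ''|*[!0-9./]*) return 1;; */*) return 0;; *) return 1;; esac; }

gen_ruleset() {
    ext_if=$1   # pcap-bridged interface on the physical NIC (assumed eth0)
    int_if=$2   # TAP interface towards the Windows host (assumed eth1)
    lan=$3      # subnet on the TAP link (constructed value)
    valid_if "$ext_if" && valid_if "$int_if" && valid_cidr "$lan" || {
        echo "gen_ruleset: bad argument" >&2
        return 1
    }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $lan -o $ext_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $int_if -s $lan -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $int_if -o $ext_if -s $lan -j ACCEPT
COMMIT
EOF
}

# Usage (as root in the guest); --test parses the rules without loading them:
#   gen_ruleset eth0 eth1 192.168.37.0/24 | iptables-restore --test
```

Nothing arriving on the Internet side is accepted unless it belongs to a connection opened from the guest or the Windows host, and forwarding also needs `net.ipv4.ip_forward=1` set in the coLinux guest.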
Logged In: YES
user_id=707404
This really isn't a coLinux issue. I suggest that you look into
using Kerberos for single-sign on. If you are using Debian
Linux, there is an ssh-krb5 package that supports using
Kerberos ticket forwarding via gssapi. You can get a version
of putty with support for gssapi ticket forwarding from:
http://www.sweb.cz/v_t_m/ and there are various web sites
that describe how to compile samba with Kerberos support
and set up Linux machines to use Active Directory domain
controllers as KDCs.
<<CDC
Christopher D. Clausen