From: Simon W. <sx...@in...> - 2008-05-23 15:24:24
I'm at the AFS & Kerberos Best Practices Workshop, and have been discussing cosign with quite a few people. It occurred to me that I've never actually written down the things that I would like to see in cosign. Having spent the last few days talking about them, I thought it would make sense to share them. Hopefully they'll be of interest to other people, too.

Limited Delegation
------------------

At the moment, web applications which receive delegated Kerberos credentials receive the user's TGT. This allows them to connect to any service as that user. In most cases, an application only really needs to connect to a limited number of backend services - it's a significant security improvement if they are restricted to only obtaining tickets for those services.

I'd like to add a new bit of the protocol for limited ticket transfer, that permits obtaining, and then sending, particular service tickets to a client. In an ideal world, this would use KRB_CRED, but that's probably unworkable, due to the requirement for a keytab on the application server.

Better Public Access
--------------------

At the moment, AllowPublicAccess only gives a username if the user has previously visited an authenticated area of that web application. It would be nice if cosign supported more opportunistic authentication, by redirecting an unauthenticated user to the cosign server. The cosign server would then authenticate the user, if they already have a cosign cookie, or return the user to the application with an 'anonymous' cookie if not. This means that we remove the need for local 'login' pages for sites which use AllowPublicAccess.

Tickets as Factors
------------------

We have some authentication mechanisms that can authenticate the user, but not result in delegated credentials. It would be nice if applications could indicate a requirement for delegated credentials as a factor, and have the user be prompted to reauthenticate if they access an application which requires that factor.

Bugs
----

There are a few other things it would be good to fix, too. Perhaps I should stick these in the bug tracker?

*) If you have two sites, one which requires credentials, and one which doesn't, which both run on the same web server, credentials will only be fetched if the user visits the sites in that order. If they visit the second (no credentials) site first, then they won't ever get any credentials on that server.

*) With multiple servers, we only attempt to fetch tickets from one server. If the first fetch fails, we should try all of the available cosign servers, before deciding that the user doesn't have tickets.

Cheers,

Simon.