[Cosign-discuss] Thoughts from Newark

[Simon W. <sx...@in...>]

I'm at the AFS & Kerberos Best Practices Workshop, and have been  
discussing cosign with quite a few people. It occurred to me that  
I've never actually written down the things that I would like to see  
in cosign. Having spent the last few days talking about them, I  
thought it would make sense to share them. Hopefully they'll be of  
interest to other people, too.

Limited Delegation
------------------

At the moment, web applications which receive delegated Kerberos  
credentials receive the user's TGT. This allows them to connect to  
any service as that user. In most cases, an application only really  
needs to connect to a limited number of backend services - it's a  
significant security improvement if they are restricted to only  
obtaining tickets for those services.

I'd like to add a new bit of the protocol for limited ticket  
transfer, that permits obtaining, and then sending, particular  
service tickets to a client. In an ideal world, this would use  
KRB_CRED, but that's probably unworkable, due to the requirement for  
a keytab on the application server.

Better Public Access
--------------------

At the moment, AllowPublicAccess only gives a username if the user  
has previously visited an authenticated area of that web application.  
It would be nice if cosign supported more opportunistic  
authentication, by redirecting an unauthenticated user to the cosign  
server. The cosign server would then authenticate the user, if they  
already have a cosign coookie, or return the user to the application  
with a 'anonymous' cookie if not. This means that we remove the need  
for local 'login' pages for sites which use AllowPublicAccess.

Tickets as Factors
------------------

We have some authentication mechanisms that can authenticate the  
user, but not result in delegated credentials. It would be nice if  
applications could indicate a requirement for delegated credentials  
as a factor, and have the user be prompted to reauthenticate if they  
access an application which requires that factor.


Bugs
----

There's a few other things it would be good to fix, too. Perhaps I  
should stick these in the bug tracker?

*) If you have two sites, one which requires credentials, and one  
which doesn't, which both run on the same web server, credentials  
will only be fetched if the user visits the sites in that order. If  
they visit the second (no credentials) site first, then they won't  
ever get any credentials on that server.

*) With multiple servers, we only attempt to fetch tickets from one  
server. If the first fetch fails, we should try all of the available  
cosign servers, before deciding that the user doesn't have tickets.

Cheers,

Simon.