[pubcookie-dev] flavor_trust
Bradley Schwoerer
schwoerb at doit.wisc.edu
Fri Jun 23 09:16:40 PDT 2006
- Previous message: [pubcookie-dev] Single Sign Out
- Next message: [pubcookie-dev] CVS update: willey;
webiso/pubcookie/src index.cgi.c,1.176,1.177
index.cgi.h,1.61,1.62 libpubcookie.c,2.90,2.91
libpubcookie.h,1.61,1.62 mod_pubcookie.c,1.203,1.204
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Recently as you may have noticed, Jon Miner and I have been spending a good
amount of time enhancing Pubcookie for our installation. Well one of the
other major areas that we have been working on is a new flavor for
pubcookie, trust.
It all started when we came up with a neat idea of handling authentication
backend outages, for us it is LDAP. As everyone knows, when you consolidate
you put more eggs into fewer baskets. For us we just had a good example of
why we need to be able to do WebISO with very little infrastructure up. We
have a lot of our system engineering and help desk tools now pubcookie
protected, but we need a way to use them in cases that LDAP is down. So we
came up with the idea of using Certs based authentication, something we were
going to most likely do anyways. It is also something we are already
deploying to users for signing and encryption. To be able to use them with
no other backend infrastructure up, we are stuffing our NetID into the cert
UID field of the DN. The CN of the cert is our actual name. We would have
preferred using a subjectAltName field, similar to where Microsoft puts
their UserPrincipalName, but our vendor (GeoTrust) for the certs currently
doesn't support subjectAltNames. So, we were off and running.
The University of Virginia was kind enough to share their code for doing
certificate based authentication using pubcookie. It looked good, but had a
number of mods just for them in it. So I decided to use their code as a
reference, and started refactoring it. What I have come up with is
flavor_trust. It does as it sounds like, and get the username from the
environment. This works and can even play nice with flavor_basic, with very
few modifications to index.cgi.c. Mods that don't mess up the other
flavors. My plan is now to move most of the cert verification code from
UVA's flavor_cert into a verify_cert. At this point, I have mod_ssl doing
the verification, and am using the alwaystrue verifier, which works. The
reason to move away from mod_ssl for verification and into pubcookie is most
likely the same reason UVA faced. You can not give the users usable error
messages about what is going wrong, like expired certs. So a little extra
code in Pubcookie will save many help desk calls.
Some of the issues I ran into thus far are:
-At this point the login cookie contains the flavor that requested
authentication, not the flavor that did the authentication.
-Apache 2.0 can't do ssl renegotiation with a POST, supposedly 1.3 and 2.2
can. So three options, either use a GET like UVA, run cert authentication
on another port like 8443, or try apache 2.2. I am inclined for another
secure port, I am testing apache 2.2, but currently using GET.
-Without severe modification to flavor_basic, I am just using some
javascript to change a few form parameters to allow posting to the cert auth
location.
-Bradley Schwoerer
- Previous message: [pubcookie-dev] Single Sign Out
- Next message: [pubcookie-dev] CVS update: willey;
webiso/pubcookie/src index.cgi.c,1.176,1.177
index.cgi.h,1.61,1.62 libpubcookie.c,2.90,2.91
libpubcookie.h,1.61,1.62 mod_pubcookie.c,1.203,1.204
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the pubcookie-dev
mailing list