WebISO: the killer kerberos app?

Kevin Coffman kwc at citi.umich.edu
Tue Mar 9 09:19:45 EST 2004 

Russ Allbery <rra at stanford.edu> write:
> > kevin mcgowan <clunis at umich.edu> writes:

> > With kx.509, users have the power to never send their Kerberos password
> > over the network -- translating desktop single sign-on to the web.
> > Cosign uses no domain cookies, allows users to logout of all cosign
> > protected services, is capable of transferring Kerberos credentials
> > among authorized web servers over an encrypted channel (not in a domain
> > cookie or on the query string or in an implicit POST that requires
> > javascript), works through firewalls, works across domains, runs on
> > Apache 1.3, IIS, Java servlet containers, and has beta support for
> > Apache 2.0.  Naturally, all of this software is open source.  Comments,
> > suggestions, contributions, gladly accepted.

> For whatever it's worth, the reason why we didn't go with a solution based
> on client-side certificates is that it doesn't make it possible for
> application servers to obtain credentials on behalf of the user and that
> was one of our requirements.  (We were also a bit worried about client
> support -- cookie-based systems support lynx, for example.  But that may
> be a solved problem now except for very marginal browsers.)

Just to clarify, cosign does not depend on client-side certificates, but
allows their use via kx.509.  In the default case, the user sends their
password over SSL to the cosignd for verification.

Our answer to the proxy issue when certificates are used for authentication
is Kerberized Credentials Translation (KCT).  The web server captures the
SSL handshake between itself and the client, forwards that handshake and
other info to the KCT (a Kerberized service) running on a KDC machine which
can issue Kerberos service tickets for the web server to use on the user's
behalf.  (Thus, translating from a PKI world to Kerberos.)  The handshake is
verified by the KCT so that it can verify that the end user requested
service from the web server.  The KCT has a list which specifies which web
servers may request what kind of service tickets.

K.C.

More information about the Kerberos mailing list