Idle Timeout

Matej Zagiba matej.zagiba at
Wed Jan 5 08:45:06 EST 2011

On 01/04/2011 06:54 PM, Russ Allbery wrote:
> Brian Candler<B.Candler at>  writes:
>> Kerberos is a single sign-on system. You get your TGT at the start of
>> the day, and then it logs you in automatically and transparently to each
>> service you visit.
>> If you want the site to prompt for username/password, either initially
>> or after an idle timeout, then I think it will need to do its own HTTP
>> Basic authentication.
> Or you can use a web authentication system based on or capable of using
> Kerberos, like:
> which offer various additional features, such as this sort of idle
> timeout.  Kerberos by itself is not going to provide this.
> --
> Russ Allbery (rra at<>
> ________________________________________________
> Kerberos mailing list           Kerberos at

We are using CoSign and it has pretty feature called re-auth.
Service can request, that re-auth is needed, and user is redirected to central re-auth page.
If kerberos authetication (SPNEGO) is used (or certificates, or passwords are stored in browser...)
this can be automated and user may not be aware of this. So multifactor authentication comes to rescue.
Some sort of OTP would be good idea, but that's kind of anti-SSO. If only one site needs this functionality,
put it out of SSO realm, if multiple sites will use this, add OTP as second authentication factor.
Every site can be configured which factor is mandatory/sufficient. On timeout site invalidates session and
user is taken to re-auth page. OTP factor can be designed so it will not ask for password more often then
once per 15 minutes, making it more SSO-like (user is not ask to rre-auth on every expired site, just on
first one).

  Matej Zagiba

More information about the Kerberos mailing list