Simon's Musings

January 29, 2008

Integrating cosign with web sites

Filed under: Uncategorized — sxw @ 12:48 pm
Tags: , , ,

I’ve made a couple of changes over the last few days with a view to making it easier to integrate cosign authentication with web applications, and web sites in general. These are trivially available to sites which are built with the LCFG apacheconf and cosign components, and will be available in the next stable release.

Standard Logout Mechanism

Firstly, a standard logout CGI script is generated by the cosign component, as /var/www/cosign-logout/logout.cgi. Sites built with apacheconf can include the cosign-logout configuration fragment in their host defintion to map this to the /logout URI on their site.

Cosign requires a site-local logout mechanism due to the way in which it uses cookies to record user authentication. When a user is authenticated to cosign and accessing your site they have two cookies, one for your site, and one for the central cosign server. If your logout button only redirects to the central cosign logout page, then that site cookie will continue to exist – so users will be able to still access your site for a brief period of time after they have logged out. Needless to say, this tends to confuse people.

The local logout CGI will remove the local cookie, and then redirect them to the central login service. It should be linked (or redirected to) after your web application has performed whatever internal tidyup it requires on logout (for example, it may have its own cookies to remove).


For some services, it is desirable to check a user’s entitlements before allowing them access. Until the new account management technology is available, it is only possible to give local users entitlements, so the mechanism below cannot be used on services which allow access by iFriends.

Entitlements are accessible as LDAP groups, so can be checked using LDAP authorization. To enable this for your web server, you need to include dice/options/apacheconf-ldapauthz.h in the server’s profile. Then you should include the ldap-authz configuration fragment in the configuration of each site you wish to protect. The implementation details of this is different between the DICE Apache 1.3 build, and the Fedora Apache 2.2 system, which unfortunately changes the final configuration steps.

Apache 1.3

Individual sections of the site may then be protected by doing

<Location /my/secret/data>

CosignProtected On

AuthType Cosign

Require group my/entitlement/name


(my/entitlement/name is the entitlement that you want to restrict access to)

Apache 2.2

<Location /my/secret/data>

CosignProtected On

AuthType Cosign

Require ldap-group cn=my/entitlement/name,ou=Capabilities,dc=inf,dc=ed,dc=ac,dc=uk


(again, my/entitlement/name is the name of the entitlement you wish to restrict accces to. Note that you must specify the full DN of the entitlement, rather than just the name)

January 28, 2008

OpenAFS upgrades

Filed under: work — sxw @ 12:05 pm
Tags: , ,

This week, I’m going to be upgrading our OpenAFS database servers to 1.4.6, with my patch to disable the checks for principal names with dots in them (this patch will ship with OpenAFS 1.4.7). At the moment, iFriend users can’t register with the AFS pts database, because the email address naming scheme requires that their name contain dots. This means that there’s no way of using iFriend as an AFS authentication scheme, which was one of the original goals. 

Once all of the AFS database servers are suitably upgraded, it’ll be possible to register iFriend users, either through a CGI script, or with an extension to mod_waklog. Allowing them access to specific directories will require the fileserver hosting that volume to have also been upgraded, and correctly configured. 

OpenSSH cascading credentials

Filed under: work — sxw @ 11:44 am
Tags: , , ,

I shipped the OpenSSH package with cascading credentials support that we’ve been testing for the last year or so site wide today. It’ll appear in develop releases from tonight, and in the next stable release.

The cascading credential support isn’t enabled with this, however. Enabling cascading credentials requires a configuration file change which LCFG can’t sync with the package update – so the configuration will get changed in a subsequent release cycle (next weeks, if all goes according to plan).

More details on cascading credentials is available from the second part of my SSH talk at last year’s AFS & Kerberos Best Practices Workshop. I need to make a public release of this patch, too. 

Theme: Rubric.