[Freeipa-users] Ipsilon and WebAthena
Simo Sorce
simo at redhat.com
Wed Jun 18 01:24:04 UTC 2014
On Tue, 2014-06-17 at 23:14 +0000, Nordgren, Bryce L -FS wrote:
> When thinking about gateways and what Ipsilon may do, I came across this thesis:
>
> https://davidben.net/thesis.pdf
>
> and source
>
> https://github.com/davidben/webathena
>
> His approach to unifying web and non-web technologies was to build
> gateways for non-web services such that browser based clients could be
> written without changing the server side.
>
> I'm not sold on that approach. However, the source repository includes
> a browser-based javascript implementation of the Kerberos protocol and
> a python gateway to a KDC. Users can kinit from the browser the way
> Kerberos intended (password does not go over the wire).
>
> Is it possible to do a pure-javascript, all browser based kinit/spnego
> so that users don't have to pop out to the command line to kinit? One
> still would not have the ability to ssh into a console after doing an
> in-browser kinit, but all the websites in the target domain should
> recognize the credentials.
>
> Worthwhile or dumb?
Where does the javascript come from?
How do you trust it is not going to send your password somewhere?
How do you trust another bug in the browser will not allow another "tab"
to read the memory of the browser including your password or TGT?
There is a good reason crypto and keys on one side and javascript on the
other should not come in contact, IMO.
Simo.
--
Simo Sorce * Red Hat, Inc * New York