[Freeipa-users] Ipsilon and WebAthena

Dmitri Pal dpal at redhat.com
Wed Jun 18 17:32:58 UTC 2014


On 06/17/2014 09:24 PM, Simo Sorce wrote:
> On Tue, 2014-06-17 at 23:14 +0000, Nordgren, Bryce L -FS wrote:
>> When thinking about gateways and what Ipsilon may do, I came across this thesis:
>>
>> https://davidben.net/thesis.pdf
>>
>> and source
>>
>> https://github.com/davidben/webathena
>>
>> His approach to unifying web and non-web technologies was to build
>> gateways for non-web services such that browser based clients could be
>> written without changing the server side.
>>
>> I'm not sold on that approach. However, the source repository includes
>> a browser-based javascript implementation of the Kerberos protocol and
>> a python gateway to a KDC. Users can kinit from the browser the way
>> Kerberos intended (password does not go over the wire).
>>
>> Is it possible to do a pure-javascript, all browser based kinit/spnego
>> so that users don't have to pop out to the command line to kinit? One
>> still would not have the ability to ssh into a console after doing an
>> in-browser kinit, but all the websites in the target domain should
>> recognize the credentials.
>>
>> Worthwhile or dumb?
> Where does the javascript come from?
> How do you trust it is not going to send your password somewhere?
> How do you trust another bug in the browser will not allow another "tab"
> to read the memory of the browser including your password or TGT?
>
> There is a good reason crypto and keys on one side and javascript on the
> other should not come in contact, IMO.
>
> Simo.
>
I have seen this project presented at the MIT Kerberos Consortium board 
of directors and it gave me goose bumps.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



