[Freeipa-users] Ipsilon and WebAthena

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Wed Jun 18 20:45:39 UTC 2014



> -----Original Message-----
> From: Simo Sorce [mailto:simo at redhat.com]
> Sent: Wednesday, June 18, 2014 1:35 PM
> > Clearly there are potential problems. The question is, are they bigger
> > problems than sending your password across the net?
>
> No, but why should you ?
> It is quite simple to just call gssapi_acquire_cred_with_password(), it would
> require only a simple change in the browser to show you a prompt like it is
> done with Basic Auth, and then you are future proof and use the system cred
> store.

Wholeheartedly agree. However, when I previously suggested having the browser interact with the system cred store, there was fierce resistance. I believe the objection expressed on this list at the time was the need to change the client side. JS eliminates that need, which is the reason I brought it up.

> >  (and if we assume they use the same password in more than one place:
> > reduce the system manager's exposure to having someone else's
> > compromised system plague my machines?)
>
> I think that if these are your concerns it would be more effective to use OTPs
> where possible.

I don't know enough about OTPs to understand how they apply to external users, federation, and allowing "institutional" users to connect from outside the firewall. Not even the name sounds very user friendly.

Bryce




