Comment: Migrated to Confluence 4.0

...

Could you please indicate what versions of the following you think we need to support in such a system, in order to support NIST web servers?

  • Operating systems (Linux, Solaris): Yes. Linux and Solaris
  • Apache: 1.3.20+ (maybe only 1.3.26+)
  • OpenSSL: 0.9.7 and 0.9.6k+ (0.9.6 can probably be done away with if it is a
    big problem).

(The intent here is to get an idea of the range of Unix-based software versions we need to support, not to imply that Windows/IIS will not be supported; please feel free to pass along any version requirements for Windows/IIS as well).

...

Webauth offers the following advantages:

  • Less complex design: Under Cosign, a daemon running on the login
    server manages session state. Under Webauth, session data is stored
    in session cookies, rather than on the central server.
  • Superior quality in code base, documentation, etc.
  • Better integration with other Apache authentication modules
  • Additional Apache module providing LDAP integration (untested)
  • Apparently better about minimizing exposure of ticket files,
    SSL keys/certificates; does not require separate user account
    on login server.
  • Extensible protocol

Webauth requires the following development work for pilot release:

  • Port to Apache 1.3?
  • Add the ability to authenticate via X.509 certificates as well
    as username/password and HTTP/SPNEGO. Add user options for
    doing their preferred method by default.
  • Ensure proper setting of REMOTE_USER variable (i.e. canonicalize
    instead of stripping realm).
  • Develop customized login, logout, confirmation, error and
    documentation pages.
  • Miscellaneous build system work.

Webauth will likely require the following longer-term development
work (minimally):

  • IIS support
  • Java servlet support
  • Improve delegation

Cosign has the following advantages:

  • Apache 1.3 support
  • IIS support (untested)
  • Java support (untested)
  • Site-wide logout
  • Site-wide idle timeout
  • Some additional delegation functionality (e.g. application server
    module can apparently request proxy cookies as well as Kerberos
    tickets)
  • Has some built-in support for X.509 certificates, but this seems
    to require Michigan's KX.509 package.
  • Fewer external software dependencies (Webauth requires the
    cURL library on application servers, and mod_fastcgi and
    several Perl modules on the login server).

Cosign would require the following development work for pilot release:

  • Improve its support for other Apache authentication modules,
    including making redirection work after falling back to
    login via username/password; add user options for doing their
    preferred method by default.
  • Rationalize/canonicalize REMOTE_USER setup.
  • Improve setup/handling/cleanup of daemon, ticket cache, SSL
    directories.
  • Develop customized login, logout, and other HTML pages.
  • Improve build system.

Cosign will likely require the following longer-term development
work (minimally):

  • Improve delegation
  • Improve LDAP integration

Cosign's site-wide logout and timeout features are possible
because its central server maintains session state; Webauth's
architecture makes such features unfeasible to implement.
However, while these features might be useful, I do not feel
that they are critical; instructing users to exit the browser
(thus destroying all session cookies) to terminate the
authenticated session seems sufficient. Also, the additional
delegation and certificate functionality does not seem terribly
useful for our purposes.
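The two architectural points the memo turns on, a signed session cookie with no central state (Webauth-style) versus a daemon that owns the session table (Cosign-style), and "canonicalize instead of stripping realm" for REMOTE_USER, as an added toy model in Python. This is illustration code written for this page, not Webauth, Cosign or the memo author's code; DEFAULT_REALM, SECRET, the cookie layout and every function and class name are assumptions.

```python
# Added example (not Webauth or Cosign code): a toy model of the two session
# architectures the memo contrasts, plus REMOTE_USER canonicalization.
# DEFAULT_REALM, SECRET and all class/function names are assumptions.
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

DEFAULT_REALM = "EXAMPLE.GOV"          # assumed local Kerberos realm
SECRET = b"login-server-signing-key"   # assumed; use a random key in practice


def naive_remote_user(principal: str) -> str:
    """What 'stripping the realm' does: everything after '@' is discarded,
    so alice@EXAMPLE.GOV and alice@OTHER.ORG both become 'alice'."""
    return principal.split("@", 1)[0]


def canonical_remote_user(principal: str, default_realm: str = DEFAULT_REALM) -> str:
    """Canonicalize instead: drop the realm only when it is the local default
    realm; keep a foreign realm so it stays distinct from a local user."""
    if "@" not in principal:
        return principal
    user, realm = principal.rsplit("@", 1)
    if realm.upper() == default_realm.upper():
        return user
    return f"{user}@{realm.upper()}"


# --- Webauth-style: session state lives in a signed cookie, no central state ---

def issue_cookie(user: str, now: int, lifetime: int = 3600) -> str:
    """Login server issues 'payload.mac'; any app server holding SECRET can verify."""
    payload = json.dumps({"u": user, "iat": now, "exp": now + lifetime},
                         separators=(",", ":")).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def verify_cookie(cookie: str, now: int) -> Optional[str]:
    """Returns the user if the MAC is valid and the cookie has not expired.
    There is no revocation step: nothing on the server can invalidate an
    unexpired cookie, which is why site-wide logout is not available."""
    try:
        p_b64, m_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(p_b64)
        mac = base64.urlsafe_b64decode(m_b64)
    except ValueError:                       # malformed or truncated cookie
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    data = json.loads(payload)
    if now >= data["exp"]:
        return None
    return data["u"]


# --- Cosign-style: a daemon on the login server owns the session table ---

class SessionDaemon:
    """App servers ask the daemon on every request, so the daemon can enforce
    an idle timeout and a logout that takes effect everywhere at once."""

    def __init__(self, idle_timeout: int = 900):
        self.idle_timeout = idle_timeout
        self.sessions: dict = {}        # token -> {"u": user, "last": timestamp}

    def login(self, user: str, now: int) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"u": user, "last": now}
        return token

    def check(self, token: str, now: int) -> Optional[str]:
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s["last"] > self.idle_timeout:   # idle too long: expire it
            del self.sessions[token]
            return None
        s["last"] = now                           # activity resets the idle clock
        return s["u"]

    def logout(self, token: str) -> None:
        """Site-wide logout: the next check from any app server fails."""
        self.sessions.pop(token, None)


if __name__ == "__main__":
    cookie = issue_cookie(canonical_remote_user("alice@EXAMPLE.GOV"), now=1000)
    print("cookie user:", verify_cookie(cookie, now=2000))
    daemon = SessionDaemon()
    tok = daemon.login(canonical_remote_user("bob@OTHER.ORG"), now=1000)
    daemon.logout(tok)
    print("after site-wide logout:", daemon.check(tok, now=1001))
```

The cookie path shows why the memo calls site-wide logout and idle timeout unfeasible for Webauth: once issued, a valid cookie stays valid until its own expiry, and only the browser discarding it ends the session. The daemon path shows the cost of getting those features: every app-server request becomes a round trip to the login server, and that daemon's state, ticket cache and key material become the thing to protect. The REMOTE_USER functions show the concrete risk behind "canonicalize instead of stripping realm": blind stripping lets a principal from a foreign realm collide with a local user name.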

...