...
Could you please indicate what versions of the following you think we need to support in such a system, in order to support NIST web servers?
- Operating systems (Linux, Solaris): Yes. Linux and Solaris
- Apache: 1.3.20+ (maybe only 1.3.26+)
- OpenSSL: 0.9.7 and 0.9.6k+ (0.9.6 can probably be done away with if it is a big problem).
(The intent here is to get an idea of the range of Unix-based software versions we need to support, not to imply that Windows/IIS will not be supported; please feel free to pass along any version requirements for Windows/IIS as well).
...
Webauth offers the following advantages:
- Less complex design: Under Cosign, a daemon running on the login
server manages session state. Under Webauth, session data is stored
in session cookies, rather than on the central server.
- Superior quality in code base, documentation, etc.
- Better integration with other Apache authentication modules
- Additional Apache module providing LDAP integration (untested)
- Apparently better about minimizing exposure of ticket files,
SSL keys/certificates; does not require separate user account
on login server.
- Extensible protocol
Webauth requires the following development work for pilot release:
- Port to Apache 1.3?
- Add the ability to authenticate via X.509 certificates as well
as username/password and HTTP/SPNEGO. Add user options for
doing their preferred method by default.
- Ensure proper setting of REMOTE_USER variable (i.e. canonicalize
instead of stripping realm).
- Develop customized login, logout, confirmation, error and
documentation pages.
- Miscellaneous build system work.
Webauth will likely require the following longer-term development
work (minimally):
- IIS support
- Java servlet support
- Improve delegation
Cosign has the following advantages:
- Apache 1.3 support
- IIS support (untested)
- Java support (untested)
- Site-wide logout
- Site-wide idle timeout
- Some additional delegation functionality (e.g. application server
module can apparently request proxy cookies as well as Kerberos
tickets)
- Has some built-in support for X.509 certificates, but this seems
to require Michigan's KX.509 package.
- Fewer external software dependencies (Webauth requires the
cURL library on application servers, and mod_fastcgi and
several Perl modules on the login server).
Cosign would require the following development work for pilot release:
- Improve its support for other Apache authentication modules,
including making redirection work after falling back to
login via username/password; add user options for doing their
preferred method by default.
- Rationalize/canonicalize REMOTE_USER setup.
- Improve setup/handling/cleanup of daemon, ticket cache, SSL
directories.
- Develop customized login, logout, and other HTML pages.
- Improve build system.
Cosign will likely require the following longer-term development
work (minimally):
- Improve delegation
- Improve LDAP integration
Cosign's site-wide logout and timeout features are possible
because its central server maintains session state; Webauth's
architecture makes such features unfeasible to implement.
However, while these features might be useful, I do not feel
that they are critical; instructing users to exit the browser
(thus destroying all session cookies) to terminate the
authenticated session seems sufficient. Also, the additional
delegation and certificate functionality does not seem terribly
useful for our purposes.
...
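The session-state trade-off discussed above, as an added example that is not code from Webauth, Cosign or this thread: a signed stateless cookie in the style of the Webauth design beside a central session store in the style of Cosign's daemon, showing why site-wide logout and idle timeout depend on the central state (the key, timeouts and session ids are constructed for the demo).

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-key"  # constructed; use a long random key in practice
TAG_LEN = hashlib.sha256().digest_size

# --- Stateless design: everything about the session lives in the cookie ---
def issue_cookie(user, now):
    """Return a base64 cookie carrying the claims plus an HMAC over them."""
    payload = json.dumps({"user": user, "iat": now}).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()

def check_cookie(cookie, now, max_age):
    """Verify the HMAC and absolute age; nothing server-side can revoke it."""
    raw = base64.urlsafe_b64decode(cookie)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # forged or tampered cookie
    claims = json.loads(payload)
    if now - claims["iat"] > max_age:
        return None                      # only expiry ends the session
    return claims["user"]

# --- Central design: a login-server daemon holds the session table ---
class SessionStore:
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.sessions = {}               # session id -> (user, last_seen)

    def login(self, user, now):
        sid = secrets.token_hex(16)      # opaque id; the cookie holds only this
        self.sessions[sid] = (user, now)
        return sid

    def check(self, sid, now):
        """Every application server asks the store; idle sessions die here."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None                  # unknown or already logged out
        user, last_seen = entry
        if now - last_seen > self.idle_timeout:
            del self.sessions[sid]       # site-wide idle timeout
            return None
        self.sessions[sid] = (user, now) # refresh activity
        return user

    def logout_everywhere(self, user):
        """Site-wide logout: drop all of the user's sessions in one place."""
        for sid in [s for s, (u, _) in self.sessions.items() if u == user]:
            del self.sessions[sid]
```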