Red Hat Bugzilla – Bug 211102
RFE: pubcookie module request
Last modified: 2011-01-30 23:05:24 EST
Description of problem:
Many organizations, including mine, have adopted pubcookie as a method of handling
single sign-on for web applications. Details about pubcookie are available at
Pubcookie is licensed under Apache 2.0 or older versions under its own open
source license and supports authentication systems like kerberos, LDAP, and NIS
which are already supported in RHEL.
This is a really wonderful apache module except for our having to build it on
every web server. I would very much appreciate it if you would consider
including it in a future release of RHEL if possible.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Assigning to distribution for consideration by PM.
From the engineering perspective, the take is: modules like this are a poor
attempt at implementing SSO, which we should not endorse or encourage:
1) the SSO session obtained at login is constrained within a particular web
browser rather than OS-wide,
2) methods like this force you to train users to enter credentials via web
forms, an unacceptable risk from phishing for e.g. Kerberos credentials,
3) they are not compatible with WebDAV clients,
4) to be useful a whole extra server must be set up and configured to be the
The only available method for implementing SSO with HTTP which we should
recommend is to use the "Negotiate" protocol using the mod_auth_kerb module, as
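As an added illustration of the Negotiate recommendation in the comment above (an example configuration written for this page, not taken from the bug report, the pubcookie project or the mod_auth_kerb documentation): a minimal httpd location block that uses mod_auth_kerb for SPNEGO/Negotiate only, with the password fallback switched off so the browser is never shown a credential form. The realm EXAMPLE.COM, the keytab path and the /protected location are assumed placeholders.

```apache
# Added example: mod_auth_kerb configured for SPNEGO/Negotiate only.
# Assumed placeholders: realm EXAMPLE.COM, keytab path, location /protected.
LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Location /protected>
    AuthType Kerberos
    AuthName "Kerberos Login"
    # The HTTP/<fqdn>@EXAMPLE.COM service principal must be in this keytab
    # (placeholder path; keep the file readable by the httpd user only).
    Krb5Keytab /etc/httpd/conf/http.keytab
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    # Accept a GSSAPI ticket presented by the browser via Negotiate ...
    KrbMethodNegotiate On
    # ... and refuse the Basic-auth password fallback, so users never type
    # their Kerberos password into a web form (the phishing concern raised above).
    KrbMethodK5Passwd Off
    # Validate the KDC's response against the keytab to resist a forged KDC.
    KrbVerifyKDC On
    Require valid-user
</Location>
```

With `KrbMethodK5Passwd Off`, a client that has no ticket receives a plain 401 carrying `WWW-Authenticate: Negotiate` and no login form; a quick check from a workstation with a valid ticket is `kinit` followed by `curl --negotiate -u : https://<host>/protected`, which should return 200 without ever prompting for a password.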
Let me explain further the reason we find pubcookie so valuable.
The reality we live in is that organizational units do ask users for credentials
to login to their websites and they ask for organization-wide credentials. To
what extent this request can be trusted by users is always unknown (although I'm
sure you can understand that most blindly enter such credentials anyway).
With pubcookie we solve two problems, although imperfectly. First, users only
enter credentials once (per browser per timeframe of their choice) rather than
repeatedly for each organizational website. The fewer times a user enters
credentials the better. Second, they only send credentials to the organization's
pubcookie servers, never to the individual webservers they are accessing. This
is a far better situation where the trust resides in one place where
accountability can be better managed.
Users in our environment are subject to phishing both with and without pubcookie
but training them to recognize they are talking to the pubcookie server when
entering credentials seems to be less subject to phishing than what we had
Thanks for the consideration of this request.
Please leave the bugzilla package assignment as-is. RFEs for new packages are
handled through the "distribution" pseudo-package.
This enhancement request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release.
Red Hat does not currently plan to provide this enhanced functionality in the next Red Hat Enterprise Linux major release.
Red Hat values your feedback and will take this enhancement request into consideration for future major releases of Red Hat Enterprise Linux.
Product Management has reviewed and declined this request. You may appeal this
decision by reopening this request.