Description of problem: Many organizations including mine have adopted pubcookie as a method of handling single sign-on for web applications. Details about pubcookie are available at http://www.pubcookie.org/ Pubcookie is licensed under Apache 2.0 (older versions under its own open source license) and supports authentication systems like Kerberos, LDAP, and NIS which are already supported in RHEL. This is a really wonderful Apache module except for our having to build it on every web server. I would very much appreciate it if you would consider including it in a future release of RHEL if possible.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Assigning to distribution for consideration by PM. From the engineering perspective, the take is: modules like this are a poor attempt at implementing SSO, which we should not endorse or encourage:
1) the SSO session obtained at login is constrained within a particular web browser rather than OS-wide,
2) methods like this force you to train users to enter credentials via web forms, an unacceptable risk from phishing for e.g. Kerberos credentials,
3) they are not compatible with WebDAV clients,
4) to be useful a whole extra server must be set up and configured to be the "login server".
The only available method for implementing SSO with HTTP which we should recommend is to use the "Negotiate" protocol using the mod_auth_kerb module, as already shipped.
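For reference, the following is an added illustration (not part of the bug report and not shipped by Red Hat or the pubcookie project) of the Negotiate-based setup the engineering comment recommends, using mod_auth_kerb directives. The realm name, keytab path and protected location are placeholder assumptions; the point of interest is KrbMethodK5Passwd, shown with the weaker setting explained in a comment beside the hardened one.

```apache
# Added example, not from the bug report: Apache httpd configuration for
# Negotiate (SPNEGO) single sign-on with mod_auth_kerb.
# Assumed placeholders: realm EXAMPLE.ORG, keytab path, protected path /secure.
LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Location /secure>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.ORG
    Krb5KeyTab /etc/httpd/conf/httpd.keytab
    # Service principal HTTP/<hostname>@EXAMPLE.ORG must be in the keytab
    KrbServiceName HTTP

    # Accept a ticket from the browser's existing OS-wide Kerberos session;
    # the user never types a password into a web form.
    KrbMethodNegotiate On

    # Weak setting would be "KrbMethodK5Passwd On": it lets browsers fall
    # back to Basic auth and send the Kerberos password to this web server,
    # the credential-in-a-web-form exposure the comment above objects to.
    # Off restricts the module to ticket-based Negotiate only.
    KrbMethodK5Passwd Off

    Require valid-user
</Location>
```

With KrbMethodK5Passwd Off, a client that lacks a usable ticket receives a 401 with a WWW-Authenticate: Negotiate challenge and no password prompt, which is the behaviour that keeps credentials out of HTTP forms; monitoring for unexpected Basic challenges from such a host is a cheap check that the directive has not been relaxed.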
Let me explain further the reason we find pubcookie so valuable. The reality we live in is that organizational units do ask users for credentials to log in to their websites, and they ask for organization-wide credentials. To what extent this request can be trusted by users is always unknown (although I'm sure you can understand that most blindly enter such credentials anyway). With pubcookie we solve two problems, although imperfectly. First, users only enter credentials once (per browser, per timeframe of their choice) rather than repeatedly for each organizational website. The fewer times a user enters credentials the better. Second, they only send credentials to the organization's pubcookie servers, never to the individual web servers they are accessing. This is a far better situation, where the trust resides in one place where accountability can be better managed. Users in our environment are subject to phishing both with and without pubcookie, but training them to recognize they are talking to the pubcookie server when entering credentials seems to be less subject to phishing than what we had without pubcookie. Thanks for the consideration of this request. John
Please leave the bugzilla package assignment as-is. RFEs for new packages are handled through the "distribution" pseudo-package.
This enhancement request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Red Hat does not currently plan to provide this enhanced functionality in the next Red Hat Enterprise Linux major release. Red Hat values your feedback and will take this enhancement request into consideration for future major releases of Red Hat Enterprise Linux.
Product Management has reviewed and declined this request. You may appeal this decision by reopening this request.