Bug 211102 - RFE: pubcookie module request
RFE: pubcookie module request
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: distribution (Show other bugs)
5.1
All Linux
medium Severity medium
: ---
: ---
Assigned To: RHEL Product and Program Management
Daniel Riek
: FutureFeature
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-10-17 09:38 EDT by John T. Rose
Modified: 2011-01-30 23:05 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-01-30 23:05:24 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description John T. Rose 2006-10-17 09:38:40 EDT
Description of problem:

Many organizations including mine have adopted pubcookie as a method of handling
single sign-on for web applications. Details about pubcookie are available at

  http://www.pubcookie.org/

Pubcookie is licensed under Apache 2.0 or older versions under its own open
source license and supports authentication systems like kerberos, LDAP, and NIS
which are already supported in RHEL.

This is a really wonderful apache module except for our having to build it on
every web server. I would very much appreciate it if you would consider
including it in a future release of RHEL if possible.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Joe Orton 2006-10-17 10:56:13 EDT
Assigning to distribution for consideration by PM.

From the engineering perspective, the take is: modules like this are a poor
attempt at implementing SSO, which we should not endorse or encourage:

1) the SSO session obtained at login is constrained within a particular web
browser rather than OS-wide,

2) methods liks this force you to train users to enter credentials via web
forms, an unacceptable risk from phishing for e.g. Kerberos credentials

3) they are not compatible with WebDAV clients,

4) to be useful a whole extra server must be set up and configured to be the
"login server"

The only available method for implementing SSO with HTTP which we should
recommend is to use the "Negotiate" protocol using the mod_auth_kerb module, as
already shipped.
Comment 2 John T. Rose 2006-10-17 11:24:17 EDT
Let me explain further the reason we find pubcookie so valuable.

The reality we live in is that organizational units do ask users for credentials
to login to their websites and they ask for organization-wide credentials. To
what extent this request can be trusted by users is always unknown (although I'm
sure you can understand that most blindly enter such credentials anyway).

With pubcookie we solve two problems, although imperfectly. First, users only
enter credentials once (per browser per timeframe of their choice) rather than
repeatedly for each organizational website. The fewer times a user enters
credentials the better. Second, they only send credentials to the organization's
pubcookie servers, never to the individual webservers they are accessing. This
is a far better situation where the trust resides in one place where
accountability can be better managed.

Users in our environment are subject to phishing both with and without pubcookie
but training them to recognize they are talking to the pubcookie server when
entering credentials seems to be less subject to phishing than what we had
without pubcookie.

Thanks for the consideration of this request.

John
Comment 3 Joe Orton 2006-10-17 11:38:29 EDT
Please leave the bugzilla package assignment as-is.  RFEs for new packages are
handled through the "distribution" pseudo-package.
Comment 6 Subhendu Ghosh 2011-01-30 23:02:46 EST
This enhancement request was evaluated by Red Hat Product Management for inclusion a Red Hat Enterprise Linux major release.

Red Hat does not currently plan to provide this enhanced functionality in the next Red Hat Enterprise Linux major release.

Red Hat values your feedback and will take this enhancement request into consideration for future major releases of Red Hat Enterprise Linux.
Comment 7 RHEL Product and Program Management 2011-01-30 23:05:24 EST
Product Management has reviewed and declined this request.  You may appeal this
decision by reopening this request.

Note You need to log in before you can comment on or make changes to this bug.