On Apr 9, 2008, at 11:20 AM, Jeff Siarto wrote:
> Sentinel authentication already uses ssl when the user is prompted for
> an MSU NetID and password. If the app is using the service correctly,
> it should take them to login.msu.edu (which is secure), authenticate
> them and then send them back to the application with the proper
> credentials. All this is done securely and it shouldn't matter if the
> application itself is hosted under ssl. As far as I know, after the
> initial authentication no other personal data is sent via insecure
> methods. Are my assumptions wrong?
Sentinel uses MSU's Kerberos KDC (afsdb0.cl.msu.edu, run by ATS staff)
as its actual authentication mechanism. I'm assuming what Tom is
referring to is a site that uses either native kerberos or pam_imap or
some other hackery to use a person's NetID and password to
authenticate them. In almost all likelihood, sentinel has nothing to
do with this.
This being the case, the password is *handled* by the 3rd party
application, which is exactly what I'm recommending avoiding.
./mk
--
Matt Kolb <[log in to unmask]>
Academic Technology Services
Michigan State University