NAME

cosign - The cosign component

DESCRIPTION

Component to configure/start/stop the Cosign Service and also to configure client-side cosign-protected web servers.

RESOURCES

GENERAL CONFIGURATION

user: The user the cosign daemon should run as, defaults to cosign.
group: The group the cosign daemon should run on, defaults to cosign.

COSIGND SERVER-SIDE CONFIGURATION

tool_cosignd: Location of cosignd daemon.
tool_monster: Location of monster daemon.
path_daemon: Location of the cosignd daemon directory, where all cookies are stored. See cosigndb option in cosign.conf(5).
path_ticket: Location where cosign.cgi stores kerberos tickets on successful kerberos logins. See cosignticketcache in cosign.conf(5).
path_tmpldir: Location of templates used by cosign.cgi for generating web pages. See cosigntmpldir in cosign.conf(5).
file_cosignd_crt: Location of the SSL server certificate for use by cosignd. See cosigncert in cosign.conf(5).
file_cosignd_key: Location of SSL key file for use by cosignd. See cosignkey in cosign.conf(5).
path_cosignd_ca: Location of CA certificates in hashed form, used for validating client certificates. See cosigncadir in cosign.conf(5).
dbhashlen: Length of the subdirectory hash used for cosignd's cookie cache. See cosigndbhashlen in cosign.conf(5).
file_keytab: Location of keytab file with principal of cosign/hostname. See cosignkeytab in cosign.conf(5).
replica: The fully qualified hostname of a server to replicate to. This will enable the monster process to do replication and clearout. Note that the cosign.conf(5) man page claims this can be set via the cosignhost option - this is erroneous - the replica is set only by using the -h option to cosignd/monster.
logouturl: The cosign url for logout, defaults to http://SERVER/. See cosignlogouturl in cosign.conf(5).
loopurl: The cosign url on looping, defaults to http://SERVER/looping.html. See cosignloopurl in cosign.conf(5).
timeout: The cosign connection timeout, defaults to 300 seconds. See cosignnettimeout in cosign.conf(5).
cosignd_port: The cosign daemon port, defaults to 6663. See cosignport in cosign.conf(5).
clients: A list of client names, there must be at least one with a role of cgi and corresponding to the server name. The following resources can be specified for each entry in the list. See the cosignd(8) man page for more information.
role_TAG: Role of client which can be cgi or service.
cn_TAG: Subject CN of client, normally fully qualified server name.
flags_TAG: Flags for the client.
proxy_TAG: Reference to proxy configuration file for the client if the flags indicate proxying - these are not currently configurable via this component.
krbtkts: When set to 1, enable the storage of Kerberos tickets for all clients, and the distribution of those tickets to requesting services
negotiate: When set, enable negotiate auth support. This should be set to a string matching the description of the negotiate directive in the cosign.conf(5) man page.
passwd: A list of tags for Cosign passwd entries, which can be used to allow cosign to authenticate against multiple backend databases.
passwdtype_tag: The type of authentication store to use for this password entry. Cosign currently supports either 'kerberos' or 'mysql'.
passwdregex_tag: The regular expression to match login names against to determine whether they should use this authentication store.
passwdlogin_tag: The value to use to lookup the 'username' of a user that matches this regular expression. May contain references to matches in the regular expression.
passwdrealm_tag: The value to set for the realm/factor of users that are authenticated through this entry. May contain references to matches in the regular expression.
clienthosts: List of clients, imported from spanning map, which offer web services protected by this cosignd.

httpd_keytab: The location of the keytab to be used by the HTTP server to authenticate incoming HTTP-Negotiate requests.
httpd_krbname: The name of the principal from the keytab to use to authenticate incoming requests. Leave blank for the default (HTTP@hostname), or set to Any to allow any principal in the keytab to be used.
path_home: Root location of login webserver files.
path_html: Location of html files used by login webserver.
path_cgi: Location of cgi applications used by login webserver.
path_servicestmpl: Location of LCFG template file to be used to dynamically generate web page with list of services protected by this cosign server.

CLIENT-SIDE CONFIGURATION

filteronly: Boolean value, if set to true, component will only configure client-side filter (i.e. no cosignd, etc. server-side setup).
services: Configuration details of the service a client wants to use the cosign server to authenticate against. It is used on the cosign server via an LCFG spanning map. Because of spanning map limitations the service is an encoded group with the syntax cn;flags;proxy;info;url where the first three fields are as described above for the clients resource and as in the cosignd manpage. The client will always default to being a service. The final two fields represent a text description and the URL of the service, to be used when dynamically generating the page listing cosign-enabled services. Note that this resource is somewhat confusingly named as plural, rather than singular - which dates from our original intention to support multiple services per client. This is impractical due to the way the clients are specified in cosign.conf(5).
path_filter: Location used by client-side filter for storing cosign cookies.
client_serverroot: Location of apache server root.
client_factor: A list of factors that a user must satisfy. Used by CosignRequireFactor directive in apache configuration.
client_reconfigure: Name of component to configure when cosign configuration has changed.
servicename: Unique service name used by client application service. Maps to CosignService directive in apache configuration.
server: The fully qualified hostname of the cosign server. Used by CosignHostname in apache configuration.
cgiserver: The fully qualified hostname of the login CGI server. Used by CosignRedirect and CosignPostErrorRedirect in apache configuration.
file_filter_crt: Location of SSL server certificate used by client. Used by CosignCrypto directive in apache configuration.
file_filter_key: Location of SSL key file used by client. Used by CosignCrypto directive in apache configuration.
path_filter_ca: Location of CA certificates in hashed form. Used by CosignCrypto directive in apache configuration.

SPANNING MAP RESOURCES

The cosign component publishes and subscribes to a spanning map. This distributes the list of clients and services allowed to connect to the cosign server.

importcluster

exportcluster

Names of the spanning map for a client to publish to and for server to retrieve the set of clients and services from.

PLATFORMS

Fedora5

AUTHOR

Tim Colles <timc@inf.ed.ac.uk>, George Ross <gdmr@inf.ed.ac.uk>, Toby Blake <toby@inf.ed.ac.uk>, Simon Wilkinson <simon@sxw.org.uk>

POD ERRORS

Hey! The above document had some coding errors, which are explained below:

Around line 14:: You forgot a '=back' before '=head2'
Around line 16:: '=item' outside of any '=over'
Around line 24:: You forgot a '=back' before '=head2'
Around line 26:: '=item' outside of any '=over'
Around line 170:: You forgot a '=back' before '=head2'
Around line 172:: '=item' outside of any '=over'
Around line 200:: You forgot a '=back' before '=head2'
Around line 202:: '=item' outside of any '=over'
Around line 275:: You can't have =items (as at line 281) unless the first thing after the =over is an =item