I've implemented basic support for Kerberos (i.e. SSO) auth in Cockpit.
I'll be working on polishing this further, and I don't think it's ready for merge. But I did get Kerberos authentication working against my FreeIPA instance. Happiness.
Needs unit tests, and needs documentation. I won't pretend it's ready for general consumption. Doesn't yet use the kerberos credentials to connect out to other servers. Not tested with gss-proxy.
One thing of note is that we need to handle unauthorized responses at the HTTP level. Currently for /socket we respond with a JSON message when the cookie has expired. However, this won't work for Kerberos, as the client needs proper headers, and can/should re-authenticate right then and there. I haven't fully tested out the implications of this change, and we may need to tweak this further.
There's also some refactoring of the CockpitAuth and credential code.
Available on my wip/gssapi-auth GitHub branch for the morbidly curious.
https://github.com/stefwalter/cockpit/tree/wip/gssapi-auth
Cheers,
Stef
cockpit-devel@lists.fedorahosted.org
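
The HTTP-level handling of an expired cookie described in the message above, as an added sketch that is not code from the wip/gssapi-auth branch. It assumes the standard HTTP Negotiate scheme (RFC 4559); `handle_socket`, `parse_negotiate`, the `accept_token` callable (standing in for the GSSAPI accept step), the cookie value and the 200 status used in place of a WebSocket upgrade are all hypothetical.

```python
import base64
import binascii


def parse_negotiate(header):
    """Return the raw token from 'Negotiate <base64>', or None if unusable."""
    if not header:
        return None
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() != "negotiate" or not value.strip():
        return None
    try:
        # validate=True rejects stray characters instead of silently skipping them
        return base64.b64decode(value.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def handle_socket(cookie_valid, authorization=None, accept_token=None):
    """Return (status, headers, body) for a request to /socket.

    accept_token is a hypothetical callable wrapping the server-side GSSAPI
    accept step; it returns the authenticated user name, or None on failure.
    """
    if cookie_valid:
        return 200, {}, b"session ok"

    token = parse_negotiate(authorization)
    if token is not None and accept_token is not None:
        user = accept_token(token)
        if user:
            # Placeholder cookie value; a real server issues a random session id.
            cookie = "session=<new-session-id>; HttpOnly; Secure"
            return 200, {"Set-Cookie": cookie}, b"session ok"

    # Refuse at the HTTP level: a browser only starts (or retries) Kerberos
    # when it sees a 401 carrying this header, not a JSON error in a 200 body.
    return 401, {"WWW-Authenticate": "Negotiate"}, b""


if __name__ == "__main__":
    # Constructed sample token and acceptor, for illustration only.
    sample = base64.b64encode(b"constructed-token").decode()
    acceptor = lambda t: "admin" if t == b"constructed-token" else None
    print(handle_socket(False))
    print(handle_socket(False, "Negotiate " + sample, acceptor))
```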