ISO login: Difference between revisions

← Older edit

ISO login (view source)

Revision as of 16:01, 6 September 2005

111 bytes added , 6 September 2005

no edit summary

Jon787

hacker

119

edits

Revision as of 03:14, 15 April 2005 (view source) Techieb0y (talk \| contribs) No edit summary ← Older edit		Latest revision as of 16:01, 6 September 2005 (view source) Jon787 (talk \| contribs) No edit summary
(One intermediate revision by one other user not shown)
The ISO Login isSystem, aformerly Campus ~~page~~Password, at(see http://www.login.mtu.edu/ ~~that~~) gives you a cookie that allows websites all over MTU to authenticate you. This system generates an x509 certificate signed by MTU's [http://www.login.mtu.edu/downloads/public/mtuca.crt CA] certificate]. The certificate expires 8 hours after you login and contains only your username, not your password. Around the begining of the Spring 2005 semester [[User:Jon787\|Jon DeVree]] and [[User:Dark-Fx\|Brian McPherson]] found a flaw in the system that allowed any self-signed certificate to be authenticate by the system. This allowed them to generate cookies that expired in years instead of hours and even cookies that were for other users. They utilized this to create phony users like [[EERC_Tree]], and vanity userids for [[User:Dark-Fx\|Dark-Fx]] and [[User:xobes\|xobes]] on the [[Barkboard\|Barkboards]]. DCS fixed the flaw shortly after Jon and Brian reported it. As of the end of August 2005 the old login system has been completely replaced by a newer and more secure version that resembles an attempt to implement kerberos with cookies. ~~The ISO login system is currently being upgraded to resemble something closer to Kerberos.~~ [http://www.login.mtu.edu/docs/public/mtuiso/ ISO Documentation]