[Freeipa-devel] [PATCH] 299 request certs for other hosts

Simo Sorce ssorce at redhat.com
Tue Oct 20 22:31:47 UTC 2009


On Tue, 2009-10-20 at 12:02 -0400, Rob Crittenden wrote:
> First pass at enforcing certificates be requested from same host
> 
> We want to only allow a machine to request a certificate for itself, not 
> for other machines. I've added a new taskgroup which will allow this.
> 
> The requesting IP is resolved and compared to the subject of the CSR to 
> determine if they are the same host. The same is done with the service 
> principal. Subject alt names are not queried yet.

Why do you check the IP address?
That would prevent any machine behind a NAT to work.
It also doesn't work if the DNS doesn't resolve PTR addresses.
Finally it doesn't really grant you who made the request (any user on
that machine will come from the same IP address).
I'd think you use the kerberos principal name you can find in the
authentication ticket of the machine to determine what machine is
contacting you.

So for me this is a NACK (I know Jason acked and pushed, up to you
whether to revert or just patch on top to remove the DNS checks).

Simo.
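The check Simo proposes, as an added example that is not FreeIPA's code and not part of this thread: the requester's identity is taken from the Kerberos principal in the authenticated ticket, the host part of that principal is compared with the names the CSR claims, and no DNS or IP lookup is involved, so NAT and missing PTR records do not matter. It goes a little beyond the patch as described by also checking dNSName SANs (the thread says those are not queried yet). Assumed, not from the thread: the CSR has already been parsed and arrives as a subject CN string plus a list of SAN hostnames, and the principal strings follow the usual `service/fqdn@REALM` form.

```python
"""Added example (not FreeIPA code): decide whether an authenticated
Kerberos client may request a certificate for the subject in its CSR.

Assumptions (not from the thread): the CSR has already been parsed and we
receive its subject CN and its dNSName SANs as plain strings; the caller
supplies the client principal taken from the authenticated ticket.
"""

import re

# Host-based principal: service/fqdn@REALM, e.g. host/web1.example.com@EXAMPLE.COM
_PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")


def host_from_principal(principal):
    """Return the normalized FQDN of a host-based principal, or None for a
    user principal (user@REALM) or a malformed string."""
    m = _PRINCIPAL_RE.match(principal)
    if not m:
        return None
    return m.group("host").lower().rstrip(".")


def csr_hostnames(subject_cn, san_dns_names=()):
    """Every hostname a request claims: the subject CN plus any dNSName SANs,
    lower-cased and with a trailing dot removed so comparisons are exact."""
    names = {subject_cn.lower().rstrip(".")}
    names.update(n.lower().rstrip(".") for n in san_dns_names)
    return names


def may_request(principal, subject_cn, san_dns_names=(), requested_service=None):
    """True only if the authenticated host principal owns every name in the
    CSR.  A user principal may not request host certificates at all, and if
    a service principal is requested alongside, its host part must match the
    authenticated host too.  No IP address or DNS lookup is consulted."""
    host = host_from_principal(principal)
    if host is None:
        return False
    for name in csr_hostnames(subject_cn, san_dns_names):
        if name != host:
            return False
    if requested_service is not None and host_from_principal(requested_service) != host:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample requests (not real FreeIPA data)
    ok = may_request("host/web1.example.com@EXAMPLE.COM", "web1.example.com",
                     requested_service="HTTP/web1.example.com@EXAMPLE.COM")
    other_host = may_request("host/web1.example.com@EXAMPLE.COM", "web1.example.com",
                             san_dns_names=["db1.example.com"])
    user = may_request("alice@EXAMPLE.COM", "web1.example.com")
    print("own host:", ok, "| SAN for other host:", other_host, "| user principal:", user)
```

Because the decision is keyed on the ticket's principal rather than on the source address, two hosts behind one NAT gateway are still told apart, and a user logged into web1 cannot obtain web1's host certificate with their own ticket.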