[Freeipa-users] disable forms-based login
Stephen Ingram
sbingram at gmail.com
Tue Jul 23 00:27:13 UTC 2013
On Mon, Jul 22, 2013 at 9:29 AM, Simo Sorce <simo at redhat.com> wrote:
> On Mon, 2013-07-22 at 09:23 -0700, Stephen Ingram wrote:
> > On Mon, Jul 22, 2013 at 12:18 AM, Martin Kosek <mkosek at redhat.com>
> > wrote:
> > On 07/20/2013 02:51 AM, Stephen Ingram wrote:
> > > Is there a way to disable the forms-based login to the WebUI
> > and require a
> > > Kerberos ticket?
> > >
> > > Steve
> >
> >
> > Hello,
> >
> > No, this is currently not possible. Stephen, can you please
> > describe your use
> > case why you want it to be off? This would allow us to
> > consider this as an
> > enhancement for future.
> >
> >
> > I certainly understand why the feature was added as many devices do
> > not have the capability of acquiring a Kerberos ticket. If we want to
> > restrict access to devices that *can* acquire a ticket, this would
> > prevent credentials from being sent over the wire (even if over a
> > secure link), and, thus, provide for increased security. If I'm
> > correct about how this form works, it only requires credentials to be
> > sent once and then it requests a ticket on the user's behalf. While
> > this is better than sending them with each request, it still presents
> > an opportunity where credentials can be intercepted, no?
>
> Your's is a valid concern.
> Please open a RFE ticket to make the form-based login page/mechanism
> disableable.
>
Done. Ticket #3810.
Steve
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130722/bf39b236/attachment.htm>
More information about the Freeipa-users
mailing list