[Freeipa-devel] [PATCH] 882 always require SSL in Kerberos block

Simo Sorce simo at redhat.com
Mon Sep 26 11:53:32 UTC 2011


On Mon, 2011-09-26 at 11:22 +0200, Martin Kosek wrote:
> On Mon, 2011-09-26 at 08:31 +0200, Martin Kosek wrote:
> > On Sun, 2011-09-25 at 23:05 -0400, Rob Crittenden wrote:
> > > Martin Kosek wrote:
> > > > On Fri, 2011-09-23 at 14:12 -0400, Rob Crittenden wrote:
> > > >> Always require SSL in the Kerberos authorization block.
> > > >>
> > > >> This also corrects a slight bug where if add is True then we always
> > > >> re-update the file.
> > > >>
> > > >> rob
> > > >
> > > > ACK. Pushed to master, ipa-2-1.
> > > >
> > > > Martin
> > > >
> > > 
> > > Sorry guys, this breaks things pretty badly. We need to be able to allow 
> > > some non-SSL access to parts of /ipa to fetch configuration and return 
> > > errors, etc. for those clients that don't trust our CA yet.
> > > 
> > > Here is a working change, not fully tested yet:
> > > 
> > > diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
> > > index 2339387..09b4b7a 100644
> > > --- a/install/conf/ipa.conf
> > > +++ b/install/conf/ipa.conf
> > > @@ -42,10 +42,17 @@ WSGIScriptReloading Off
> > >     SetHandler None
> > >   </Location>
> > > 
> > > +# Ensure SSL is enabled in our APIs
> > > +<Location "/ipa/xml">
> > > +  NSSRequireSSL
> > > +</Location>
> > > +<Location "/ipa/json">
> > > +  NSSRequireSSL
> > > +</Location>
> > > +
> > > 
> > >   # Protect /ipa with Kerberos
> > >   <Location "/ipa">
> > > -  NSSRequireSSL
> > >     AuthType Kerberos
> > >     AuthName "Kerberos Login"
> > >     KrbMethodNegotiate on
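Review bot: In `<Location "/ipa">`, dropping `NSSRequireSSL` while `AuthType Kerberos` and `KrbMethodNegotiate on` stay in the block leaves Kerberos negotiation offered without an SSL requirement on every path under /ipa other than /ipa/xml and /ipa/json. Suggest keeping `NSSRequireSSL` in whichever block carries the Kerberos directives, and moving the paths that must stay reachable over plain HTTP into their own Location blocks that do not enable Kerberos auth.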
> > > @@ -114,6 +121,7 @@ Alias /ipa/ui "/usr/share/ipa/ui"
> > >   # migration related pages
> > >   Alias /ipa/migration "/usr/share/ipa/migration"
> > >   <Directory "/usr/share/ipa/migration">
> > > +    NSSRequireSSL
> > >       AllowOverride None
> > >       Satisfy Any
> > >       Allow from all
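Review bot: The `NSSRequireSSL` added to `<Directory "/usr/share/ipa/migration">` carries no comment, unlike the API blocks in the first hunk. With `Satisfy Any` and `Allow from all` directly below it, a one-line comment stating why this directory must be SSL-only would keep a later edit from dropping the directive.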
> > > 
> > 
> > Ouch, we can fix it right when you log in. The change looks good, we
> > will just have to update the conf version in case somebody already
> > installed this IPA version.
> > 
> > I was also thinking if /crl shouldn't be secured too but from what I've
> > seen in the world's common CAs, these are not secured either.
> > 
> > Martin
> > 
> 
> Since Rob may not be here today, and since I think this should be fixed
> fast, I am sending the patch based on Rob's mail. I just bumped config
> file version so that it is updated for configured IPA instances.
> 
> IPA server, client and replica installation and WebUI worked for me.

This patch seems to defeat the purpose as we are still allowing krb auth
on locations that do not enforce ssl.

NACK.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
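
The condition raised in the reply above (Kerberos auth on a location that does not enforce SSL) can be checked mechanically. The following is an added example, not part of the original thread or of FreeIPA's code. It assumes a simplified model of Apache: only quoted `<Location>` blocks, plain prefix matching, and a directive in a block applying to every path under it. The function names and both config samples are constructed for illustration.

```python
import re

# Constructed sample: the Location blocks as they read after the quoted diff.
PATCHED = '''
<Location "/ipa/xml">
  NSSRequireSSL
</Location>
<Location "/ipa/json">
  NSSRequireSSL
</Location>
<Location "/ipa">
  AuthType Kerberos
  KrbMethodNegotiate on
</Location>
'''
# Constructed sample: the /ipa block with the directive the diff removes.
ORIGINAL = '''
<Location "/ipa">
  NSSRequireSSL
  AuthType Kerberos
  KrbMethodNegotiate on
</Location>
'''
BLOCK = re.compile(r'<Location\s+"([^"]+)">(.*?)</Location>', re.S | re.I)

def parse_locations(conf):
    """Map each Location path to its directives (whitespace-normalized, lower case)."""
    return {path: {" ".join(ln.split()).lower() for ln in body.splitlines() if ln.strip()}
            for path, body in BLOCK.findall(conf)}

def covers(prefix, path):
    """True if a <Location prefix> section applies to path (segment-wise prefix)."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def kerberos_without_ssl(conf):
    """Return [(kerberos_location, [sub-locations that do enforce SSL])]."""
    locs = parse_locations(conf)
    ssl_paths = [p for p, d in locs.items() if "nssrequiressl" in d]
    findings = []
    for path, directives in locs.items():
        if "authtype kerberos" not in directives:
            continue
        # SSL required at or above this location: nothing under it is exposed.
        if any(covers(s, path) for s in ssl_paths):
            continue
        findings.append((path, sorted(s for s in ssl_paths if covers(path, s))))
    return findings
```

A non-empty result names each Kerberos-enabled location that lacks the SSL requirement, together with the sub-paths that are still protected.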



