[Freeipa-devel] [PATCH] 882 always require SSL in Kerberos block

Rob Crittenden rcritten at redhat.com
Mon Sep 26 12:54:28 UTC 2011 

Simo Sorce wrote:
> On Mon, 2011-09-26 at 11:22 +0200, Martin Kosek wrote:
>> On Mon, 2011-09-26 at 08:31 +0200, Martin Kosek wrote:
>>> On Sun, 2011-09-25 at 23:05 -0400, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> On Fri, 2011-09-23 at 14:12 -0400, Rob Crittenden wrote:
>>>>>> Always require SSL in the Kerberos authorization block.
>>>>>>
>>>>>> This also corrects a slight bug where if add is True then we always
>>>>>> re-update the file.
>>>>>>
>>>>>> rob
>>>>>
>>>>> ACK. Pushed to master, ipa-2-1.
>>>>>
>>>>> Martin
>>>>>
>>>>
>>>> Sorry guys, this breaks things pretty badly. We need to be able to allow
>>>> some non-SSL access to parts of /ipa to fetch configuration and return
>>>> errors, etc. for those clients that don't trust our CA yet.
>>>>
>>>> Here is a working change, not fully tested yet:
>>>>
>>>> diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
>>>> index 2339387..09b4b7a 100644
>>>> --- a/install/conf/ipa.conf
>>>> +++ b/install/conf/ipa.conf
>>>> @@ -42,10 +42,17 @@ WSGIScriptReloading Off
>>>>      SetHandler None
>>>>    </Location>
>>>>
>>>> +# Ensure SSL is enabled in our APIs
>>>> +<Location "/ipa/xml">
>>>> +  NSSRequireSSL
>>>> +</Location>
>>>> +<Location "/ipa/json">
>>>> +  NSSRequireSSL
>>>> +</Location>
>>>> +
>>>>
>>>>    # Protect /ipa with Kerberos
>>>>    <Location "/ipa">
>>>> -  NSSRequireSSL
>>>>      AuthType Kerberos
>>>>      AuthName "Kerberos Login"
>>>>      KrbMethodNegotiate on
>>>> @@ -114,6 +121,7 @@ Alias /ipa/ui "/usr/share/ipa/ui"
>>>>    # migration related pages
>>>>    Alias /ipa/migration "/usr/share/ipa/migration"
>>>>    <Directory "/usr/share/ipa/migration">
>>>> +    NSSRequireSSL
>>>>        AllowOverride None
>>>>        Satisfy Any
>>>>        Allow from all
>>>>
>>>
>>> Ouch, we can fix it right when you log in. The change looks good, we
>>> will just have to update the conf version in case somebody already
>>> installed this IPA version.
>>>
>>> I was also thinking if /crl shouldn't be secured too but from what I
>>> seen in world's common CAs, these are not secured either.
>>>
>>> Martin
>>>
>>
>> Since Rob may not be here today, and since I think this should be fixed
>> fast, I am sending the patch based on Rob's mail. I just bumped config
>> file version so that it is updated for configured IPA instances.
>>
>> IPA server, client and replica installation and WebUI worked for me.
>
> This patch seems to defeat the purpose as we are still allowing krb auth
> on locations that do not enforce ssl.
>
> NACK.
>
> Simo.
>

Simo's concern is that if you enable the fake basic auth and go to an 
HTTP page you could expose your credentials. Probably worth testing with 
something like the LiveHTTPHeaders extension. Go to the webui then grab 
the CA or something in /ipa/config and see if it sends the Authorized 
header.

The only other solution I see is to duplicate the krb block for each of 
our three authenticated uris: /ipa/ui, /ipa/xml and /ipa/json.

rob

More information about the Freeipa-devel mailing list