[Freeipa-devel] [PATCH] 882 always require SSL in Kerberos block
Martin Kosek
mkosek at redhat.com
Mon Sep 26 13:55:49 UTC 2011
On Mon, 2011-09-26 at 08:54 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Mon, 2011-09-26 at 11:22 +0200, Martin Kosek wrote:
> >> IPA server, client and replica installation and WebUI worked for me.
> >
> > This patch seems to defeat the purpose as we are still allowing krb auth
> > on locations that do not enforce ssl.
> >
> > NACK.
> >
> > Simo.
> >
>
> Simo's concern is that if you enable the fake basic auth and go to an
> HTTP page you could expose your credentials. Probably worth testing with
> something like the LiveHTTPHeaders extension. Go to the webui then grab
> the CA or something in /ipa/config and see if it sends the Authorized
> header.
I checked the headers with LiveHTTPHeaders when
requesting /ipa/config/ca.crt and saw the Authorization header with user:pwd
sent only when accessing it via https.
>
> The only other solution I see is to duplicate the krb block for each of
> our three authenticated uris: /ipa/ui, /ipa/xml and /ipa/json.
>
> rob
I guess this can be done; I would rather let someone with stronger
apache-fu than me make the change.
Martin
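For reference, an added sketch (not the patch under discussion and not FreeIPA's shipped ipa.conf) of the mod_auth_kerb block the thread is talking about: first the weak form, where the password fallback applies to plain-HTTP requests too, then the same block with SSL required inside it. The realm, keytab path and the anonymous /ipa/config carve-out are placeholders assumed for illustration.

```apache
# Weak form: KrbMethodK5Passwd enables the "fake basic auth" fallback, but
# nothing in the block ties it to TLS. A client that reaches
# http://server/ipa/... (no SSL) can be challenged for Basic credentials and
# will send user:password in cleartext.
<Location "/ipa">
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbServiceName HTTP
    # placeholder realm and keytab path
    KrbAuthRealms EXAMPLE.REALM
    Krb5KeyTab /path/to/http.keytab
    KrbSaveCredentials on
    Require valid-user
</Location>

# Corrected form: SSLRequireSSL (mod_ssl) inside the Kerberos block rejects
# any non-TLS request with 403 during the access-check phase, which runs
# before mod_auth_kerb issues its challenge, so the Basic prompt (and the
# password) never travels over plain HTTP. One block under /ipa covers
# /ipa/ui, /ipa/xml and /ipa/json without duplicating it per URI.
<Location "/ipa">
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbServiceName HTTP
    KrbAuthRealms EXAMPLE.REALM
    Krb5KeyTab /path/to/http.keytab
    KrbSaveCredentials on
    Require valid-user
</Location>

# Assumed carve-out: paths that must stay anonymous (e.g. the CA cert under
# /ipa/config) are opened up separately so they are not caught by the
# authenticated parent block (Apache 2.2 access syntax).
<Location "/ipa/config">
    Satisfy Any
    Allow from all
</Location>
```

A quick check after applying such a change is to request an authenticated URI over plain http and confirm the response is 403 with no WWW-Authenticate: Basic challenge.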