[Freeipa-devel] [PATCH] 882 always require SSL in Kerberos block

Simo Sorce simo at redhat.com
Tue Sep 27 12:57:51 UTC 2011


On Tue, 2011-09-27 at 08:58 +0200, Martin Kosek wrote:
> On Mon, 2011-09-26 at 21:07 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > On Mon, 2011-09-26 at 08:54 -0400, Rob Crittenden wrote:
> > >> Simo Sorce wrote:
> > >>> On Mon, 2011-09-26 at 11:22 +0200, Martin Kosek wrote:
> > >>>> IPA server, client and replica installation and WebUI worked for me.
> > >>>
> > >>> This patch seems to defeat the purpose as we are still allowing krb auth
> > >>> on locations that do not enforce ssl.
> > >>>
> > >>> NACK.
> > >>>
> > >>> Simo.
> > >>>
> > >>
> > >> Simo's concern is that if you enable the fake basic auth and go to an
> > >> HTTP page you could expose your credentials. Probably worth testing with
> > >> something like the LiveHTTPHeaders extension. Go to the webui then grab
> > >> the CA or something in /ipa/config and see if it sends the Authorized
> > >> header.
> > >
> > > I checked headers with LiveHTTPHeaders when
> > > requesting /ipa/config/ca.crt and saw Authorization header with user:pwd
> > > sent only when accessing it via https.
> > >
> > >>
> > >> The only other solution I see is to duplicate the krb block for each of
> > >> our three authenticated uris: /ipa/ui, /ipa/xml and /ipa/json.
> > >>
> > >> rob
> > >
> > > I guess this can be done, I would rather let someone with stronger
> > > apache-fu than me do the change.
> > >
> > > Martin
> > >
> > 
> > I think this patch should be reverted for now while we work on a better 
> > solution (if it hasn't already).
> > 
> > rob
> 
> I reverted the patch in both master and ipa-2-1.

Thanks Martin.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
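The configuration shape the thread converges on (a Kerberos block per authenticated URI, each of which also insists on SSL, with no Kerberos block covering unauthenticated paths such as /ipa/config) looks roughly like the following. This is an added illustration, not FreeIPA's own ipa.conf or any patch from the thread; the realm, keytab path and AuthName are placeholders, and the directive names are those of mod_auth_kerb and mod_ssl under Apache 2.2.

```apache
# Added illustrative configuration (not FreeIPA's ipa.conf).
# EXAMPLE.TEST and /etc/httpd/conf/ipa.keytab are placeholders.

# Problematic shape (kept commented out): one Kerberos block over all of
# /ipa with password fallback ("fake basic auth") enabled, while SSL is
# enforced on only a subset of locations.  A browser that has already
# authenticated may then send "Authorization: Basic user:password" to an
# unprotected URI such as /ipa/config/ca.crt over plain HTTP.
#
#   <Location "/ipa">
#       AuthType Kerberos
#       AuthName "Kerberos Login"
#       KrbMethodNegotiate on
#       KrbMethodK5Passwd on
#       KrbAuthRealms EXAMPLE.TEST
#       Krb5KeyTab /etc/httpd/conf/ipa.keytab
#       Require valid-user
#   </Location>
#   <Location "/ipa/ui">
#       SSLRequireSSL
#   </Location>

# Corrected shape: the Kerberos block is duplicated for exactly the three
# authenticated URIs, and each copy requires SSL.  SSLRequireSSL runs in
# the access-check phase, before authentication, so a plain-HTTP request
# is refused with 403 instead of being challenged with 401 and never gets
# a chance to carry credentials.  /ipa/config stays unauthenticated.

<Location "/ipa/ui">
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbAuthRealms EXAMPLE.TEST
    Krb5KeyTab /etc/httpd/conf/ipa.keytab
    Require valid-user
</Location>

<Location "/ipa/xml">
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbAuthRealms EXAMPLE.TEST
    Krb5KeyTab /etc/httpd/conf/ipa.keytab
    Require valid-user
</Location>

<Location "/ipa/json">
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbAuthRealms EXAMPLE.TEST
    Krb5KeyTab /etc/httpd/conf/ipa.keytab
    Require valid-user
</Location>
```

The check the thread describes with LiveHTTPHeaders can be repeated against this layout: a request for /ipa/ui or /ipa/config/ca.crt over http:// should never receive a WWW-Authenticate challenge, and the browser should therefore have nothing to replay as an Authorization header on the unencrypted side.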