[Freeipa-devel] [PATCH] 882 always require SSL in Kerberos block

Martin Kosek mkosek at redhat.com
Mon Sep 26 06:31:00 UTC 2011


On Sun, 2011-09-25 at 23:05 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Fri, 2011-09-23 at 14:12 -0400, Rob Crittenden wrote:
> >> Always require SSL in the Kerberos authorization block.
> >>
> >> This also corrects a slight bug where if add is True then we always
> >> re-update the file.
> >>
> >> rob
> >
> > ACK. Pushed to master, ipa-2-1.
> >
> > Martin
> >
> 
> Sorry guys, this breaks things pretty badly. We need to be able to allow 
> some non-SSL access to parts of /ipa to fetch configuration and return 
> errors, etc. for those clients that don't trust our CA yet.
> 
> Here is a working change, not fully tested yet:
> 
> diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
> index 2339387..09b4b7a 100644
> --- a/install/conf/ipa.conf
> +++ b/install/conf/ipa.conf
> @@ -42,10 +42,17 @@ WSGIScriptReloading Off
>     SetHandler None
>   </Location>
> 
> +# Ensure SSL is enabled in our APIs
> +<Location "/ipa/xml">
> +  NSSRequireSSL
> +</Location>
> +<Location "/ipa/json">
> +  NSSRequireSSL
> +</Location>
> +
> 
>   # Protect /ipa with Kerberos
>   <Location "/ipa">
> -  NSSRequireSSL
>     AuthType Kerberos
>     AuthName "Kerberos Login"
>     KrbMethodNegotiate on
> @@ -114,6 +121,7 @@ Alias /ipa/ui "/usr/share/ipa/ui"
>   # migration related pages
>   Alias /ipa/migration "/usr/share/ipa/migration"
>   <Directory "/usr/share/ipa/migration">
> +    NSSRequireSSL
>       AllowOverride None
>       Satisfy Any
>       Allow from all
> 

Ouch, we can fix it right when you log in. The change looks good, we
will just have to update the conf version in case somebody already
installed this IPA version.

I was also thinking if /crl shouldn't be secured too but from what I
seen in world's common CAs, these are not secured either.

Martin




More information about the Freeipa-devel mailing list