[Freeipa-devel] [PATCH] 882 always require SSL in Kerberos block
Martin Kosek
mkosek at redhat.com
Mon Sep 26 09:22:28 UTC 2011
On Mon, 2011-09-26 at 08:31 +0200, Martin Kosek wrote:
> On Sun, 2011-09-25 at 23:05 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > On Fri, 2011-09-23 at 14:12 -0400, Rob Crittenden wrote:
> > >> Always require SSL in the Kerberos authorization block.
> > >>
> > >> This also corrects a slight bug where if add is True then we always
> > >> re-update the file.
> > >>
> > >> rob
> > >
> > > ACK. Pushed to master, ipa-2-1.
> > >
> > > Martin
> > >
> >
> > Sorry guys, this breaks things pretty badly. We need to be able to allow
> > some non-SSL access to parts of /ipa to fetch configuration and return
> > errors, etc. for those clients that don't trust our CA yet.
> >
> > Here is a working change, not fully tested yet:
> >
> > diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
> > index 2339387..09b4b7a 100644
> > --- a/install/conf/ipa.conf
> > +++ b/install/conf/ipa.conf
> > @@ -42,10 +42,17 @@ WSGIScriptReloading Off
> > SetHandler None
> > </Location>
> >
> > +# Ensure SSL is enabled in our APIs
> > +<Location "/ipa/xml">
> > + NSSRequireSSL
> > +</Location>
> > +<Location "/ipa/json">
> > + NSSRequireSSL
> > +</Location>
> > +
> >
> > # Protect /ipa with Kerberos
> > <Location "/ipa">
> > - NSSRequireSSL
> > AuthType Kerberos
> > AuthName "Kerberos Login"
> > KrbMethodNegotiate on
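Review bot: dropping `NSSRequireSSL` from `<Location "/ipa">` means the Kerberos block (`AuthType Kerberos`, `KrbMethodNegotiate on`) now also runs for plain-HTTP requests to every path under /ipa that is not re-listed above it; only /ipa/xml and /ipa/json get the requirement back. The comment `# Ensure SSL is enabled in our APIs` should state that this is an explicit list and that any new endpoint added under /ipa later will be served over plain HTTP unless it is added here, and the paths intentionally left open (the configuration fetch and error responses mentioned in the message) should be named in the comment. Please also check whether the Kerberos block, whose remaining lines are outside this hunk, enables a password fallback, since that would then negotiate credentials over the unencrypted paths. Minor: the added `+` blank line sits directly above the existing blank line, leaving two.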
> > @@ -114,6 +121,7 @@ Alias /ipa/ui "/usr/share/ipa/ui"
> > # migration related pages
> > Alias /ipa/migration "/usr/share/ipa/migration"
> > <Directory "/usr/share/ipa/migration">
> > + NSSRequireSSL
> > AllowOverride None
> > Satisfy Any
> > Allow from all
> >
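Review bot: `NSSRequireSSL` is added inside a `<Directory>` that also carries `Satisfy Any` and `Allow from all`; confirm that `Satisfy Any` cannot let an unauthenticated plain-HTTP request through once the SSL access check fails, and cover it with a check that http:// access to /ipa/migration is refused while https:// still works. The reply below says the conf version has to be bumped for already-installed instances; that version line belongs in the same patch so an upgrade picks up both blocks together.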
>
> Ouch, we can fix it right when you log in. The change looks good, we
> will just have to update the conf version in case somebody already
> installed this IPA version.
>
> I was also thinking whether /crl shouldn't be secured too, but from what I
> have seen of the world's common CAs, these are not secured either.
>
> Martin
>
Since Rob may not be here today, and since I think this should be fixed
fast, I am sending the patch based on Rob's mail. I just bumped the config
file version so that it is updated for configured IPA instances.
IPA server, client and replica installation and WebUI worked for me.
Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-127-nssrequiressl-should-not-be-required-for-entire-ipa.patch
Type: text/x-patch
Size: 1420 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110926/b76b8add/attachment.bin>