[Freeipa-devel] [PATCH] 882 always require SSL in Kerberos block

Martin Kosek mkosek at redhat.com
Mon Sep 26 09:22:28 UTC 2011


On Mon, 2011-09-26 at 08:31 +0200, Martin Kosek wrote:
> On Sun, 2011-09-25 at 23:05 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > On Fri, 2011-09-23 at 14:12 -0400, Rob Crittenden wrote:
> > >> Always require SSL in the Kerberos authorization block.
> > >>
> > >> This also corrects a slight bug where if add is True then we always
> > >> re-update the file.
> > >>
> > >> rob
> > >
> > > ACK. Pushed to master, ipa-2-1.
> > >
> > > Martin
> > >
> > 
> > Sorry guys, this breaks things pretty badly. We need to be able to allow 
> > some non-SSL access to parts of /ipa to fetch configuration and return 
> > errors, etc. for those clients that don't trust our CA yet.
> > 
> > Here is a working change, not fully tested yet:
> > 
> > diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
> > index 2339387..09b4b7a 100644
> > --- a/install/conf/ipa.conf
> > +++ b/install/conf/ipa.conf
> > @@ -42,10 +42,17 @@ WSGIScriptReloading Off
> >     SetHandler None
> >   </Location>
> > 
> > +# Ensure SSL is enabled in our APIs
> > +<Location "/ipa/xml">
> > +  NSSRequireSSL
> > +</Location>
> > +<Location "/ipa/json">
> > +  NSSRequireSSL
> > +</Location>
> > +
> > 
> >   # Protect /ipa with Kerberos
> >   <Location "/ipa">
> > -  NSSRequireSSL
> >     AuthType Kerberos
> >     AuthName "Kerberos Login"
> >     KrbMethodNegotiate on
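Review bot: dropping `-  NSSRequireSSL` from `<Location "/ipa">` while re-adding it only under `/ipa/xml` and `/ipa/json` means the Kerberos Negotiate block now applies to every other path below /ipa over plain HTTP; the commit message should state which /ipa sub-paths are intentionally reachable without SSL (the configuration and error responses for clients that do not yet trust the CA, as the mail says) so that any later handler added under /ipa knows it needs its own NSSRequireSSL. Minor: the added empty `+` line after the second `</Location>` leaves two consecutive blank lines before `# Protect /ipa with Kerberos`.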
> > @@ -114,6 +121,7 @@ Alias /ipa/ui "/usr/share/ipa/ui"
> >   # migration related pages
> >   Alias /ipa/migration "/usr/share/ipa/migration"
> >   <Directory "/usr/share/ipa/migration">
> > +    NSSRequireSSL
> >       AllowOverride None
> >       Satisfy Any
> >       Allow from all
> > 
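Review bot: the added `+    NSSRequireSSL` in `<Directory "/usr/share/ipa/migration">` is what keeps /ipa/migration SSL-only now that the first hunk removed the requirement from `<Location "/ipa">`; it coexists correctly with `Satisfy Any` and `Allow from all`, since NSSRequireSSL is enforced regardless of the access directives, but that dependency between the two hunks is not visible from this block alone and deserves a sentence in the commit message or a comment next to the directive.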
> 
> Ouch, we can fix it right when you log in. The change looks good, we
> will just have to update the conf version in case somebody already
> installed this IPA version.
> 
> I was also wondering whether /crl shouldn't be secured too, but from what I
> have seen of the world's common CAs, these are not secured either.
> 
> Martin
> 

Since Rob may not be here today, and since I think this should be fixed
fast, I am sending the patch based on Rob's mail. I just bumped the config
file version so that it is updated for configured IPA instances.

IPA server, client and replica installation and WebUI worked for me.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-127-nssrequiressl-should-not-be-required-for-entire-ipa.patch
Type: text/x-patch
Size: 1420 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110926/b76b8add/attachment.bin>