[Freeipa-devel] [PATCH] 882 always require SSL in Kerberos block

Rob Crittenden rcritten at redhat.com
Tue Sep 27 01:07:57 UTC 2011


Martin Kosek wrote:
> On Mon, 2011-09-26 at 08:54 -0400, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Mon, 2011-09-26 at 11:22 +0200, Martin Kosek wrote:
>>>> IPA server, client and replica installation and WebUI worked for me.
>>>
>>> This patch seems to defeat the purpose as we are still allowing krb auth
>>> on locations that do not enforce ssl.
>>>
>>> NACK.
>>>
>>> Simo.
>>>
>>
>> Simo's concern is that if you enable the fake basic auth and go to an
>> HTTP page, you could expose your credentials. Probably worth testing with
>> something like the LiveHTTPHeaders extension. Go to the webui, then grab
>> the CA or something in /ipa/config and see if it sends the Authorization
>> header.
>
> I checked headers with LiveHTTPHeaders when
> requesting /ipa/config/ca.crt and saw Authorization header with user:pwd
> sent only when accessing it via https.
>
>>
>> The only other solution I see is to duplicate the krb block for each of
>> our three authenticated uris: /ipa/ui, /ipa/xml and /ipa/json.
>>
>> rob
>
> I guess this can be done; I would rather let someone with stronger
> apache-fu than me do the change.
>
> Martin
>

I think this patch should be reverted for now while we work on a better 
solution (if it hasn't already).

rob
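To make the concern in the thread concrete, here is an illustrative pair of Apache configuration fragments. This is an added example, not patch 882 and not FreeIPA's shipped ipa.conf; the realm name, keytab path and the exact set of authenticated URIs (/ipa/ui, /ipa/xml, /ipa/json, as Rob lists them) are assumptions. The first fragment is the pattern Simo objects to: one mod_auth_kerb block over all of /ipa with fake basic auth (KrbMethodK5Passwd) turned on and nothing that forces TLS. The second is the per-URI duplication Rob describes, with SSLRequireSSL inside each copy.

```apache
# Weak pattern (illustrative only): one Kerberos block for all of /ipa,
# with fake basic auth enabled and no TLS requirement. A request over
# plain http:// to anything under /ipa is answered 401 with
# "WWW-Authenticate: Negotiate" and "WWW-Authenticate: Basic ...", and a
# browser that has already cached basic credentials for this realm replays
# them in an Authorization header in the clear.
<Location "/ipa">
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbServiceName HTTP
    # assumption: realm name
    KrbAuthRealms EXAMPLE.COM
    # assumption: keytab path
    Krb5KeyTab /etc/httpd/conf/ipa.keytab
    KrbSaveCredentials on
    Require valid-user
</Location>

# Hardened pattern: the same block repeated once per authenticated URI,
# each copy carrying SSLRequireSSL. mod_ssl enforces SSLRequireSSL in the
# access-check phase, which runs before mod_auth_kerb's check-user-id
# phase, so a plaintext request is refused with 403 before any Basic
# challenge is sent. Unauthenticated paths such as /ipa/config/ca.crt are
# simply not covered by any of these blocks.
<Location "/ipa/ui">
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbServiceName HTTP
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /etc/httpd/conf/ipa.keytab
    KrbSaveCredentials on
    Require valid-user
</Location>

<Location "/ipa/xml">
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbServiceName HTTP
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /etc/httpd/conf/ipa.keytab
    KrbSaveCredentials on
    Require valid-user
</Location>

<Location "/ipa/json">
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbServiceName HTTP
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /etc/httpd/conf/ipa.keytab
    KrbSaveCredentials on
    Require valid-user
</Location>
```

The check Martin did with LiveHTTPHeaders can be repeated without a browser: `curl -sI http://server/ipa/ui/` (no `-L`, so any redirect to https is visible as a 301 rather than followed) should return 403 from the hardened config, not a 401 carrying a `WWW-Authenticate: Basic` header, while the same request over https:// should return the 401 challenge. If a plain-http request to any authenticated URI still gets a Basic challenge, that URI is covered by a Kerberos block that lacks SSLRequireSSL, which is exactly the gap Simo's NACK points at.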
