URL: https://github.com/freeipa/freeipa/pull/855 Author: simo5 Title: #855: Prevent issues with older clients Action: opened
PR body: """ Older clients have issues parsing cookies, and cannot handle the MaxAge setting well. So the first patch is about removing it. Unfortunately this means cookies will be valid for the duration of the authentication ticket, which is set to 24h by default. This is a bit high, so the second patch adds the ability to set the "kinit_lifetime" in /etc/api/default.conf so that users authenticating using username/password can have their tickets (and therefore their session) hard capped at whatever lifetime is set there. Users that use HTTP negotiate can control their session duration by getting shorter-lived tickets via kinit. In all cases users can click on the logout button to blow away credentials. """
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/855/head:pr855
git checkout pr855
From f0a57d5b9b17331d4bf277ff28718b42c66460b9 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 5 Jun 2017 09:50:22 -0400 Subject: [PATCH 1/2] Add code to be able to set default kinit lifetime This is done by setting the kinit_lifetime option in default.conf to a value that can be passed in with the -l option syntax of kinit. https://pagure.io/freeipa/issue/6774 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipalib/constants.py | 1 + ipalib/install/kinit.py | 5 ++++- ipaserver/rpcserver.py | 3 ++- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ipalib/constants.py b/ipalib/constants.py index 5279b64789..ab466bab7f 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -155,6 +155,7 @@ ('session_auth_duration', '20 minutes'), # How a session expiration is computed, see SessionManager.set_session_expiration_time() ('session_duration_type', 'inactivity_timeout'), + ('kinit_lifetime', None), # Debugging: ('verbose', 0), diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py index 73471f103e..91ea5132aa 100644 --- a/ipalib/install/kinit.py +++ b/ipalib/install/kinit.py @@ -63,7 +63,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1): def kinit_password(principal, password, ccache_name, config=None, armor_ccache_name=None, canonicalize=False, - enterprise=False): + enterprise=False, lifetime=None): """ perform interactive kinit as principal using password. If using FAST for web-based authentication, use armor_ccache_path to specify http service @@ -76,6 +76,9 @@ def kinit_password(principal, password, ccache_name, config=None, % armor_ccache_name) args.extend(['-T', armor_ccache_name]) + if lifetime: + args.extend(['-l', lifetime]) + if canonicalize: root_logger.debug("Requesting principal canonicalization") args.append('-C') diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 32f286148b..2990df2598 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py 
@@ -969,7 +969,8 @@ def kinit(self, principal, password, ccache_name): password, ccache_name, armor_ccache_name=armor_path, - enterprise=True) + enterprise=True, + lifetime=self.api.env.kinit_lifetime) if armor_path: self.debug('Cleanup the armor ccache') From 969ed06cec5aa8efe8164899fbb73ff26f96b944 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Tue, 6 Jun 2017 09:04:58 -0400 Subject: [PATCH 2/2] Revert setting sessionMaxAge for old clients Older clients have issues properly parsing cookies and the sessionMaxAge setting is one of those that breaks them. Comment out the setting and add a comment that explains why it is not set by default. https://pagure.io/freeipa/issue/6774 Signed-off-by: Simo Sorce <s...@redhat.com> --- install/conf/ipa.conf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index a7ca5ce715..01bf9a4f97 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -1,5 +1,5 @@ # -# VERSION 26 - DO NOT REMOVE THIS LINE +# VERSION 27 - DO NOT REMOVE THIS LINE # # This file may be overwritten on upgrades. # @@ -77,7 +77,9 @@ WSGIScriptReloading Off Session On SessionCookieName ipa_session path=/ipa;httponly;secure; SessionHeader IPASESSION - SessionMaxAge 1800 + # Uncomment the following to have shorter sessions, but beware this may break + # old IPA client tols that incorrectly parse cookies. + # SessionMaxAge 1800 GssapiSessionKey file:/etc/httpd/alias/ipasession.key GssapiImpersonate On
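Review bot: the new `('kinit_lifetime', None)` default in the ipalib/constants.py hunk carries no comment, unlike the neighbouring `session_auth_duration` and `session_duration_type` entries which explain their meaning. Add a one-line comment stating that the value is passed verbatim as the `-l` argument of kinit and that None leaves the KDC default in force, e.g. `# Ticket lifetime requested for password logins, in kinit -l syntax (e.g. '1h'); None = KDC default`, so admins editing default.conf know the accepted format.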
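Review bot: the `kinit_password` signature in ipalib/install/kinit.py gains `lifetime=None`, but the docstring directly below it is not updated. Document the new parameter next to the existing `armor_ccache_path` description (a kinit `-l` duration string, or None to request the KDC default).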
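Review bot: in the second ipalib/install/kinit.py hunk, `args.extend(['-l', lifetime])` hands the configured string to kinit without any validation, so a malformed `kinit_lifetime` in default.conf only surfaces as a failed password login for every user instead of as a configuration error. Consider validating the format where the value is read, and at minimum log what is being requested at debug level as the adjacent `canonicalize` branch does, e.g. `root_logger.debug("Requesting ticket lifetime %s", lifetime)`. The value is appended as a separate list element, so there is no shell-quoting concern in this hunk.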
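Review bot: passing `lifetime=self.api.env.kinit_lifetime` in the ipaserver/rpcserver.py hunk only requests that lifetime from the KDC; the KDC still clamps the request to the realm and principal maximum ticket life and never extends it. The "hard capped" behaviour in the PR description therefore holds only for values below the KDC maximum, and a larger value is silently reduced. Worth a sentence in the commit message or the constants comment so operators do not expect this setting to lengthen sessions.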
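Review bot: the comment added in the install/conf/ipa.conf SessionMaxAge hunk has a typo (`tols` should be `tools`) and understates the consequence of commenting out `SessionMaxAge 1800`: on every upgraded server the session cookie now stays valid for the full Kerberos ticket lifetime (24h by default per the PR description) instead of 30 minutes. Suggest the comment say so explicitly and point admins at the new `kinit_lifetime` option in default.conf as the way to shorten sessions for password logins, e.g. `# Without SessionMaxAge, sessions last as long as the Kerberos ticket; set kinit_lifetime in default.conf to cap them.`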
_______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org