On Tue, 2009-10-20 at 12:02 -0400, Rob Crittenden wrote: > First pass at enforcing certificates be requested from same host > > We want to only allow a machine to request a certificate for itself, not > for other machines. I've added a new taksgroup which will allow this. > > The requesting IP is resolved and compared to the subject of the CSR to > determine if they are the same host. The same is done with the service > principal. Subject alt names are not queried yet.
Why do you check the IP address? That would prevent any machine behind a NAT to work. It also doesn't work if the DNS doesn't resolve PTR addresses. Finally it doesn't really grant you who made the request (any user on that machine will come from the same IP address. I'd think you use the kerberos principal name you can find in the authentication ticket of the machine to determine what machine is contacting you. So for me this is a NACK (I know Jason acked and pushed, up to you whether to revert or just patch on top to remove the DNS checks). Simo. _______________________________________________ Freeipa-devel mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-devel