On Sun, 2011-09-25 at 23:05 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Fri, 2011-09-23 at 14:12 -0400, Rob Crittenden wrote: > >> Always require SSL in the Kerberos authorization block. > >> > >> This also corrects a slight bug where if add is True then we always > >> re-update the file. > >> > >> rob > > > > ACK. Pushed to master, ipa-2-1. > > > > Martin > > > > Sorry guys, this breaks things pretty badly. We need to be able to allow > some non-SSL access to parts of /ipa to fetch configuration and return > errors, etc. for those clients that don't trust our CA yet. > > Here is a working change, not fully tested yet: > > diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf > index 2339387..09b4b7a 100644 > --- a/install/conf/ipa.conf > +++ b/install/conf/ipa.conf > @@ -42,10 +42,17 @@ WSGIScriptReloading Off > SetHandler None > </Location> > > +# Ensure SSL is enabled in our APIs > +<Location "/ipa/xml"> > + NSSRequireSSL > +</Location> > +<Location "/ipa/json"> > + NSSRequireSSL > +</Location> > + > > # Protect /ipa with Kerberos > <Location "/ipa"> > - NSSRequireSSL > AuthType Kerberos > AuthName "Kerberos Login" > KrbMethodNegotiate on > @@ -114,6 +121,7 @@ Alias /ipa/ui "/usr/share/ipa/ui" > # migration related pages > Alias /ipa/migration "/usr/share/ipa/migration" > <Directory "/usr/share/ipa/migration"> > + NSSRequireSSL > AllowOverride None > Satisfy Any > Allow from all >
Ouch, we can fix it right when you log in. The change looks good, we will just have to update the conf version in case somebody already installed this IPA version. I was also thinking if /crl shouldn't be secured too but from what I seen in world's common CAs, these are not secured either. Martin _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel