On Tue, 2011-09-27 at 08:58 +0200, Martin Kosek wrote:
> On Mon, 2011-09-26 at 21:07 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > On Mon, 2011-09-26 at 08:54 -0400, Rob Crittenden wrote:
> > >> Simo Sorce wrote:
> > >>> On Mon, 2011-09-26 at 11:22 +0200, Martin Kosek wrote:
> > >>>> IPA server, client and replica installation and WebUI worked for me.
> > >>>
> > >>> This patch seems to defeat the purpose as we are still allowing krb auth on locations that do not enforce ssl.
> > >>>
> > >>> NACK.
> > >>>
> > >>> Simo.
> > >>>
> > >>
> > >> Simo's concern is that if you enable the fake basic auth and go to an HTTP page you could expose your credentials. Probably worth testing with something like the LiveHTTPHeaders extension. Go to the webui then grab the CA or something in /ipa/config and see if it sends the Authorized header.
> > >
> > > I checked headers with LiveHTTPHeaders when requesting /ipa/config/ca.crt and saw Authorization header with user:pwd sent only when accessing it via https.
> > >
> > >>
> > >> The only other solution I see is to duplicate the krb block for each of our three authenticated uris: /ipa/ui, /ipa/xml and /ipa/json.
> > >>
> > >> rob
> > >
> > > I guess this can be done, I would rather let someone with stronger apache-fu than me do the change.
> > >
> > > Martin
> > >
> >
> > I think this patch should be reverted for now while we work on a better solution (if it hasn't already).
> >
> > rob
>
> I reverted the patch in both master and ipa-2-1.

Thanks Martin.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
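The exposure Simo objects to and the per-URI fix Rob proposes, as an added Apache configuration example that is not part of the thread and is not FreeIPA's shipped ipa.conf; it assumes mod_auth_kerb directives, and the realm and keytab path are placeholders:

```apache
# --- Weak: one auth block under /ipa, which also covers paths served over plain HTTP ---
# KrbMethodK5Passwd on enables the "fake basic auth" fallback: when Negotiate fails the
# browser may send "Authorization: Basic user:password", and nothing here requires TLS.
<Location "/ipa">
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /path/to/http.keytab
    Require valid-user
</Location>

# --- Hardened: duplicate the block for each authenticated URI and require TLS ---
# SSLRequireSSL is checked in the access phase, before authentication, so a plain-HTTP
# request to these paths is refused (403) and never challenged for credentials;
# unauthenticated paths such as /ipa/config simply get no auth block at all.
<Location "/ipa/ui">
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /path/to/http.keytab
    Require valid-user
</Location>

<Location "/ipa/xml">
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /path/to/http.keytab
    Require valid-user
</Location>

<Location "/ipa/json">
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /path/to/http.keytab
    Require valid-user
</Location>
```

To verify the fix the way Martin did, request one of the three paths over http:// and over https:// and confirm that only the TLS request is ever challenged or carries an Authorization header.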