By default mod_auth_gssapi allows all locally available mechanisms. If
the gssntlmssp package is installed, it also offers ntlmssp.  This has
the annoying side effect that some browsers will pop up a
username/password request dialog if no Krb5 credentials are available.

The patch restricts the mechanism to krb5 and removes ntlmssp and
iakerb support from Apache's ipa.conf.

The new feature was added to mod_auth_gssapi 1.3.0.

https://fedorahosted.org/freeipa/ticket/5114
From 758fd87a9e8a72412a9e3111e1564a4d875fec07 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Fri, 17 Jul 2015 12:40:29 +0200
Subject: [PATCH] mod_auth_gssapi: Remove ntlmssp support and restrict
 mechanism to krb5

By default mod_auth_gssapi allows all locally available mechanisms. If
the gssntlmssp package is installed, it also offers ntlmssp.  This has
the annoying side effect that some browsers will pop up a
username/password request dialog if no Krb5 credentials are available.

The patch restricts the mechanism to krb5 and removes ntlmssp and
iakerb support from Apache's ipa.conf.

The new feature was added to mod_auth_gssapi 1.3.0.

https://fedorahosted.org/freeipa/ticket/5114
---
 freeipa.spec.in       | 2 +-
 install/conf/ipa.conf | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index fef20e1f7e6fde9b90851a2686e515a6a779f954..5771ae5792c1c83dedff9bc3d1acb78b4b119e8d 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -127,7 +127,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd >= 2.4.6-6
 Requires: mod_wsgi
-Requires: mod_auth_gssapi >= 1.1.0-2
+Requires: mod_auth_gssapi >= 1.3.0-2
 Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap >= 2.4.15
 Requires: python-krbV
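Review bot: the commit message says the feature arrived in mod_auth_gssapi 1.3.0, but the new line pins `Requires: mod_auth_gssapi >= 1.3.0-2`, i.e. a specific package release rather than the upstream version; if the -2 build carries a fix FreeIPA depends on, state that in the commit message, otherwise `>= 1.3.0` is the less brittle bound and matches what the description claims.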
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index e2b602c8573078f517badac00a8c8c5bd593db28..44d87b192e1076398c5008b0a5788afb3bc7c117 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -66,6 +66,7 @@ WSGIScriptReloading Off
   GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
   GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
   GssapiUseS4U2Proxy on
+  GssapiAllowedMech krb5
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
   WSGIProcessGroup ipa
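Review bot: the `GssapiAllowedMech krb5` line is added only to the install template install/conf/ipa.conf, so hosts that already have a generated ipa.conf will keep offering every locally available mechanism (and the ntlmssp password prompt the description complains about) after upgrading unless the upgrade path also inserts the directive; please confirm existing deployments are covered. Since httpd refuses to start on an unknown directive, this line must also never reach a host still running a mod_auth_gssapi older than 1.3.0, which the spec bump in the first hunk handles for packaged installs but is worth calling out.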
-- 
2.4.3
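A small audit check for the setting this patch introduces, added here as an example and not part of the patch or of FreeIPA: it walks an Apache config, finds every `<Location>` that uses `AuthType GSSAPI`, and reports blocks that either lack `GssapiAllowedMech` (so all local mechanisms, ntlmssp included, are offered) or allow anything besides krb5. The sample config is constructed to mirror the ipa.conf hunk above.

```python
import re
from typing import List, Optional, Set

# Constructed sample mirroring the ipa.conf hunk from the patch (not the real file).
IPA_CONF_AFTER = """
<Location "/ipa">
  AuthType GSSAPI
  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
  GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
  GssapiUseS4U2Proxy on
  GssapiAllowedMech krb5
  Require valid-user
</Location>
"""


def audit_gssapi_mechs(conf_text: str) -> List[str]:
    """Return one finding per GSSAPI-protected <Location> that is not krb5-only.

    Without GssapiAllowedMech, mod_auth_gssapi offers every mechanism the
    local GSSAPI stack provides (ntlmssp if gssntlmssp is installed), which
    is what triggers the browser password prompt the patch avoids.
    """
    findings: List[str] = []
    location: Optional[str] = None
    is_gssapi = False
    allowed: Optional[Set[str]] = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        opened = re.match(r'<Location\s+"?([^">\s]+)"?\s*>', line, re.I)
        if opened:
            location, is_gssapi, allowed = opened.group(1), False, None
            continue
        if re.match(r"</Location\s*>", line, re.I):
            if is_gssapi and allowed is None:
                findings.append(f"{location}: no GssapiAllowedMech, all local mechs offered")
            elif is_gssapi and allowed != {"krb5"}:
                findings.append(f"{location}: non-krb5 mechs allowed: {sorted(allowed - {'krb5'})}")
            location = None
            continue
        if location is None:
            continue  # directives outside a <Location> are not audited here
        parts = line.split()
        key = parts[0].lower()
        if key == "authtype" and len(parts) > 1 and parts[1].lower() == "gssapi":
            is_gssapi = True
        elif key == "gssapiallowedmech":
            # The directive may list several mechs and may be repeated; accumulate.
            allowed = (allowed or set()) | {p.lower() for p in parts[1:]}
    return findings
```

Running it over the pre-patch form of the block (the same text without the `GssapiAllowedMech` line) yields the "all local mechs offered" finding, while the patched block yields none.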

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code