On Mon, Jul 22, 2013 at 12:18 AM, Martin Kosek <mko...@redhat.com> wrote:

> On 07/20/2013 02:51 AM, Stephen Ingram wrote:
> > Is there a way to disable the forms-based login to the WebUI and require
> a
> > Kerberos ticket?
> >
> > Steve
> Hello,
> No, this is currently not possible. Stephen, can you please describe your
> use
> case why you want it to be off? This would allow us to consider this as an
> enhancement for future.

I certainly understand why the feature was added as many devices do not
have the capability of acquiring a Kerberos ticket. If we want to restrict
access to devices that *can* acquire a ticket, this would prevent
credentials from being sent over the wire (even if over a secure link),
and, thus, provide for increased security. If I'm correct about how this
form works, it only requires credentials to be sent once and then it
requests a ticket on the user's behalf. While this is better than sending
them with each request, it still presents an opportunity where credentials
can be intercepted, no?

Freeipa-users mailing list

Reply via email to