On Mon, Jul 22, 2013 at 9:29 AM, Simo Sorce <s...@redhat.com> wrote: > On Mon, 2013-07-22 at 09:23 -0700, Stephen Ingram wrote: > > On Mon, Jul 22, 2013 at 12:18 AM, Martin Kosek <mko...@redhat.com> > > wrote: > > On 07/20/2013 02:51 AM, Stephen Ingram wrote: > > > Is there a way to disable the forms-based login to the WebUI > > and require a > > > Kerberos ticket? > > > > > > Steve > > > > > > Hello, > > > > No, this is currently not possible. Stephen, can you please > > describe your use > > case why you want it to be off? This would allow us to > > consider this as an > > enhancement for future. > > > > > > I certainly understand why the feature was added as many devices do > > not have the capability of acquiring a Kerberos ticket. If we want to > > restrict access to devices that *can* acquire a ticket, this would > > prevent credentials from being sent over the wire (even if over a > > secure link), and, thus, provide for increased security. If I'm > > correct about how this form works, it only requires credentials to be > > sent once and then it requests a ticket on the user's behalf. While > > this is better than sending them with each request, it still presents > > an opportunity where credentials can be intercepted, no? > > Your's is a valid concern. > Please open a RFE ticket to make the form-based login page/mechanism > disableable. >
Done. Ticket #3810. Steve
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users