On Mon, 2011-09-26 at 21:07 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2011-09-26 at 08:54 -0400, Rob Crittenden wrote:
> >> Simo Sorce wrote:
> >>> On Mon, 2011-09-26 at 11:22 +0200, Martin Kosek wrote:
> >>>> IPA server, client and replica installation and WebUI worked for me.
> >>>
> >>> This patch seems to defeat the purpose as we are still allowing krb auth
> >>> on locations that do not enforce ssl.
> >>>
> >>> NACK.
> >>>
> >>> Simo.
> >>>
> >>
> >> Simo's concern is that if you enable the fake basic auth and go to an
> >> HTTP page you could expose your credentials. Probably worth testing with
> >> something like the LiveHTTPHeaders extension. Go to the webui then grab
> >> the CA or something in /ipa/config and see if it sends the Authorized
> >> header.
> >
> > I checked headers with LiveHTTPHeaders when
> > requesting /ipa/config/ca.crt and saw Authorization header with user:pwd
> > sent only when accessing it via https.
> >
> >>
> >> The only other solution I see is to duplicate the krb block for each of
> >> our three authenticated uris: /ipa/ui, /ipa/xml and /ipa/json.
> >>
> >> rob
> >
> > I guess this can be done, I would rather let someone with stronger
> > apache-fu than me do the change.
> >
> > Martin
> >
>
> I think this patch should be reverted for now while we work on a better
> solution (if it hasn't already).
>
> rob

I reverted the patch in both master and ipa-2-1.

Martin
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
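The per-location layout Rob describes, written out as an added example for Apache 2.2 with mod_auth_kerb. This is not the thread's patch and not FreeIPA's actual ipa.conf; the realm, keytab path, AuthName and the exact set of Krb* directives are assumptions. The point it shows is that the Kerberos block, including the password fallback (KrbMethodK5Passwd, the "fake basic auth"), lives only on the three authenticated URIs, and each of those also carries SSLRequireSSL, while /ipa/config stays free of any auth directives.

```apacheconf
# Added example, not FreeIPA's shipped configuration.
#
# The shape Simo objected to: one krb block covering everything under /ipa,
# with SSL enforced only on some children. A browser challenged once under
# /ipa will then send the Basic "user:password" Authorization header
# pre-emptively to sibling paths such as /ipa/config, including over plain
# HTTP.
#
#   <Location "/ipa">
#       AuthType Kerberos
#       KrbMethodK5Passwd on
#       Require valid-user
#   </Location>
#
# Per-URI form instead: the same block repeated for each authenticated
# location, each one refusing plain HTTP before any 401 challenge is issued.

<Location "/ipa/ui">
    SSLRequireSSL                         # access check runs before authn: plain HTTP gets 403, never 401
    AuthType Kerberos
    AuthName "Kerberos Login"             # assumed
    KrbMethodNegotiate on
    KrbMethodK5Passwd on                  # the fake basic auth fallback
    KrbServiceName HTTP
    KrbAuthRealms EXAMPLE.TEST            # assumed realm
    Krb5KeyTab /etc/httpd/conf/ipa.keytab # assumed keytab path
    KrbSaveCredentials on
    Require valid-user
</Location>

<Location "/ipa/xml">
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbServiceName HTTP
    KrbAuthRealms EXAMPLE.TEST
    Krb5KeyTab /etc/httpd/conf/ipa.keytab
    KrbSaveCredentials on
    Require valid-user
</Location>

<Location "/ipa/json">
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbServiceName HTTP
    KrbAuthRealms EXAMPLE.TEST
    Krb5KeyTab /etc/httpd/conf/ipa.keytab
    KrbSaveCredentials on
    Require valid-user
</Location>

# /ipa/config (e.g. ca.crt) is public: deliberately no AuthType here, so it
# is never part of a Basic-auth protection space and no client has a reason
# to attach an Authorization header to it on http or https.
<Location "/ipa/config">
    Satisfy Any
    Allow from all
</Location>
```

Two properties make this hold. SSLRequireSSL is evaluated in Apache's access-check phase, which runs ahead of authentication, so a plain-HTTP request to /ipa/ui, /ipa/xml or /ipa/json is refused outright and the browser is never challenged into prompting for a password. And because the protection space no longer starts at /ipa, a browser that did authenticate with Basic over https has no reason to pre-emptively send those credentials to /ipa/config, which is exactly the header Martin checked for with LiveHTTPHeaders. The duplication is the cost; Apache 2.4's mod_macro would remove it, but the three blocks above are written for the 2.2-era syntax the thread assumes.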