#6876 GET in KerberosSession.finalize_kerberos_acquisition() must use FreeIPA CA
Closed: fixed 6 years ago Opened 7 years ago by cheimes.

KerberosSession.finalize_kerberos_acquisition() uses requests to interact with IPA. The request.get() call performs an HTTP GET over HTTPS but fails to use FreeIPA's private CA file.


From discussion with @cheimes, this part of the code doesn't use the same cert store as other places. There it may potentially cause issues, e.g. in a setup with an External CA (CLI or Web UI login).

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1445397

6 years ago

Metadata Update from @pvoborni:
- Issue assigned to pvoborni

6 years ago

Metadata Update from @pvoborni:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/734

6 years ago

Metadata Update from @pvoborni:
- Issue priority set to: critical
- Issue set to the milestone: FreeIPA 4.5.1

6 years ago

master:

  • c19196a kerberos session: use CA cert with full cert chain for obtaining cookie

ipa-4-5:

  • 82679c1 kerberos session: use CA cert with full cert chain for obtaining cookie

Metadata Update from @mbasti:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago
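
An added example, not part of the ticket or of FreeIPA's code: a small static check for the bug class reported here, `requests` calls that do not pass a CA file through `verify=`. The function name, the sample source and the `CA_PATH` placeholder are constructed for illustration.

```python
import ast

# requests helpers that accept the verify= keyword
HTTP_CALLS = {"get", "post", "put", "patch", "delete", "head", "request"}

def find_unpinned_requests_calls(source):
    """Return sorted (line, reason) pairs for requests.<verb>() calls that
    would not validate the server against an explicitly given CA file."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "requests"
                and node.func.attr in HTTP_CALLS):
            continue
        if any(kw.arg is None for kw in node.keywords):
            continue  # **kwargs may carry verify=; not decidable statically
        verify = next((kw.value for kw in node.keywords if kw.arg == "verify"), None)
        if verify is None:
            findings.append((node.lineno, "no verify=: requests' default CA bundle is used"))
        elif isinstance(verify, ast.Constant) and verify.value is False:
            findings.append((node.lineno, "verify=False: certificate validation disabled"))
        elif isinstance(verify, ast.Constant) and verify.value is True:
            findings.append((node.lineno, "verify=True: requests' default CA bundle is used"))
    return sorted(findings)

# Constructed sample; CA_PATH is a placeholder, not a path from the ticket.
SAMPLE = '''\
import requests

CA_PATH = "/path/to/private-ca.crt"

def before(url, auth):
    return requests.get(url, auth=auth)

def disabled(url, auth):
    return requests.get(url, auth=auth, verify=False)

def after(url, auth):
    return requests.get(url, auth=auth, verify=CA_PATH)
'''

if __name__ == "__main__":
    for line, reason in find_unpinned_requests_calls(SAMPLE):
        print(f"line {line}: {reason}")
```

The check only sees calls written as `requests.<verb>(...)`; calls made through a `Session` object or an aliased import need their own rule.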
