#2163 kerberos logins should always require SSL on the server
Opened 4 years ago by ktdreyer. Modified 4 years ago

Our sample Apache configuration files recommend setting "GssapiSSLonly" to "Off" on the Koji Hub, and there is nothing in the koji-hub or koji-web settings that enforces the use of HTTPS for Kerberos authentication.

Steps to resolve this:
1) Remove the "GssapiSSLonly Off" setting from the koji-hub Apache configuration.
2) Add SSLRequireSSL to the koji-hub and koji-web Apache settings.
What is the difference between GssapiSSLonly On and SSLRequireSSL?

AFAICT SSLRequireSSL will deny the connection sooner.

In fact we should probably set SSLRequireSSL on the entire hub URL and web app, not just the single /ssllogin location.
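As an added check that is not part of this ticket or the koji project: a POSIX shell audit that flags an httpd configuration for the two conditions discussed above (an explicit "GssapiSSLonly Off", and no SSLRequireSSL covering the hub), run against constructed weak and corrected samples. The /kojihub location path is an assumption based on the usual Koji layout.

```shell
#!/bin/sh
# Added example, not from the koji project or this ticket: audit an httpd
# configuration for (1) an explicit "GssapiSSLonly Off" (mod_auth_gssapi) and
# (2) a missing SSLRequireSSL directive (mod_ssl) protecting the hub/web app.
# The /kojihub path in the samples is an assumption, not taken from the ticket.

# Reads an httpd config from stdin; returns 0 if acceptable, 1 otherwise.
check_koji_tls_config() {
    conf=$(cat)
    rc=0
    # Apache directives are case-insensitive; ignore commented-out lines.
    active=$(printf '%s\n' "$conf" | grep -v '^[[:space:]]*#')
    if printf '%s\n' "$active" | grep -qi 'GssapiSSLonly[[:space:]][[:space:]]*Off'; then
        echo "GssapiSSLonly Off is set: remove it from the hub config" >&2
        rc=1
    fi
    if ! printf '%s\n' "$active" | grep -qi '^[[:space:]]*SSLRequireSSL'; then
        echo "no SSLRequireSSL directive: add it to the hub and web app" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample of the weak configuration the ticket argues against.
WEAK_CONF=$(cat <<'EOF'
<Location /kojihub/ssllogin>
    AuthType GSSAPI
    AuthName "GSSAPI Single Sign On Login"
    GssapiSSLonly Off
    Require valid-user
</Location>
EOF
)

# Constructed sample of the corrected configuration: SSLRequireSSL covers the
# whole /kojihub location (not only /ssllogin), so every plain-HTTP request is
# refused, and the "GssapiSSLonly Off" line is removed as step 1 asks.
FIXED_CONF=$(cat <<'EOF'
<Location /kojihub>
    SSLRequireSSL
</Location>
<Location /kojihub/ssllogin>
    AuthType GSSAPI
    AuthName "GSSAPI Single Sign On Login"
    Require valid-user
</Location>
EOF
)
```

Run it as `printf '%s\n' "$WEAK_CONF" | check_koji_tls_config` to see both findings on stderr; the corrected sample passes silently.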
