Bug 578231
| Summary: | Add checkbox 'Allow authentication via self-signed certificates' | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Stephen Gallagher <sgallagh> |
| Component: | authconfig | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | rawhide | CC: | amcnabb, dpal, duffy, tmraz |
| Target Milestone: | --- | Keywords: | FutureFeature |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Enhancement | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-10-24 01:00:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Stephen Gallagher
2010-03-30 15:51:44 UTC
I do not quite agree with this as this setting is not secure - if you do not explicitely establish the trust to the CA certificate (or to the self-signed certificate) any MITM can impersonate the LDAP server and be able to fool the machine to allow anybody to log-in. I'd prefer to implement some way to pull the certificate from the ldap connection and store it so it can be trusted. This is similar to what openssh does although here it would be part of the authconfig code. But this is F14 work to do. Hi, Mockups to account for this change are available in the latest draft (draft 5) of the authconfig-gtk mockups. The screens of interest are as follows: https://fedoraproject.org/wiki/Design/SSSD#Path_1:_LDAP.2FKerberos https://fedoraproject.org/wiki/Design/SSSD#Path_2:_LDAP.2FLDAP https://fedoraproject.org/wiki/Design/SSSD#Path_3:_FreeIPA.2FKerberos https://fedoraproject.org/wiki/Design/SSSD#Path_4:_FreeIPA.2FLDAP Cheers, ~m I think I follow what you're suggesting, Tomas. We should add perhaps ldap_tls_reqcert = once. This would make the assumption that the connection is safe the first time. On the first connection made by the SSSD, we should store the CA cert into the proper directory, run the cacertdir_hash routine and then always rely on that for future connections. Is this an accurate rephrasing of your suggestion above? I thought of implementing the first connection in authconfig itself but if you would do that in SSSD it would make sense as well. Whatever you prefer. If the implementation is done on the SSSD side there is still remaining issue how to implement change of the certificate in case of legitimate change of the certificate on server (expiration etc.). We would need to somehow trigger a connection which would remove the old certificate and install a new one. Hmm, this is going to need a bit more thought. Ideally, we should present the user the option to accept the certificate. So that would probably be better done in authconfig rather than SSSD. We're still speaking in general terms, however. I'm not even sure at this point whether we can get this directly from the LDAP connection. It should be definitely possible to get it from the LDAP connection at least in the self-signed host certificate case. It will require quite bit of code though. And yes I also think that it would be probably better to do this in authconfig rather than SSSD. Should we consider certmonger for tracking cert expiration? This is exactly what it is designed for. Will the "ldap_tls_reqcert = once" or "ldap_tls_reqcert = allow" options also be added to the "auth" kickstart option? It would be great to be able to do "auth --enableldapauth --ldap_tls_reqcert=once" within a kickstart script. |