Bug 1449522 - Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Scott Poore
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-05-10 08:31 UTC by Petr Vobornik
Modified: 2017-08-01 09:50 UTC

Fixed In Version: ipa-4.5.0-14.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:50:15 UTC
Target Upstream Version:



Links
System: Red Hat Product Errata
ID: RHBA-2017:2304
Priority: normal
Status: SHIPPED_LIVE
Summary: ipa bug fix and enhancement update
Last Updated: 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-05-10 08:31:00 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6936

Since FreeIPA 4.5 framework relies on some form of anonymous PKINIT to obtain FAST armor tickets during password auth requests, some form of PKINIT is always configured during install/upgrade.

Thus it does not make sense to maintain the pkinit-anonymous subcommand. We should mark it as deprecated and make it a no-op, since locking the anonymous principal can completely break password-based auth on the masters (e.g. WebUI logins).

Comment 2 Petr Vobornik 2017-05-10 08:31:14 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6936

Comment 3 Martin Babinsky 2017-05-23 16:09:08 UTC
master:

* 24099d0f806103d8ec57d69fc97e9b4ae061bfdd Remove pkinit-anonymous command

Waiting for rebase to land in ipa-4-5 branch

Comment 4 Martin Babinsky 2017-05-24 16:09:53 UTC
Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/4e878c3dc6f72cae4e7b4cb2ef45f2f4e91ac287

Comment 6 Scott Poore 2017-06-06 18:39:50 UTC
Verified.

Version ::

ipa-server-4.5.0-14.el7.x86_64

Results ::

[root@vm1 ~]# ipa help pkinit-anonymous
ipa: ERROR: no command nor help topic 'pkinit_anonymous'

[root@vm1 ~]# ipa pkinit-anonymous
ipa: ERROR: unknown command 'pkinit-anonymous'

[root@vm1 ~]# ipa help pkinit|grep -i anon
[root@vm1 ~]#

Comment 7 errata-xmlrpc 2017-08-01 09:50:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

