Bug 1483538 - bodhi: doesn't authenticate using the kerberos ticket
Summary: bodhi: doesn't authenticate using the kerberos ticket
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: bodhi
Version: 26
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Luke Macken
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-08-21 11:20 UTC by Nikos Mavrogiannopoulos
Modified: 2017-09-07 17:57 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-09-04 19:33:35 UTC
Type: Bug
Embargoed:

Links:
GitHub fedora-infra/bodhi issue 1179 (last updated 2017-09-06 12:15:45 UTC)

Description Nikos Mavrogiannopoulos 2017-08-21 11:20:27 UTC
Description of problem:
Utilizing the bodhi tools requires specifying the username even if that information is available in the kerberos ticket from FEDORAPROJECT.ORG. Furthermore, when using bodhi, authentication using a _password_ is again required, despite the fact that a kerberos ticket is available.

That pretty much nullifies any security benefits from Fedora switching to kerberos as the password has to be stored locally for any automation using the bodhi tool to occur. See for example how the cockpituous tool stores the password in order to work around these issues:
https://github.com/cockpit-project/cockpituous/blob/master/release/release-bodhi#L56

Comment 1 Randy Barlow 2017-09-04 19:33:35 UTC
The security benefits are not nullified because Bodhi doesn't store the password. Instead, it uses it to authenticate with Ipsilon and upon success acquires a short-term Bodhi session token. This token is the only thing that is stored (see ~/.fedora/openidbaseclient-sessions.cache).

As far as I know the plan for the Fedora infrastructure apps is to move to OpenID Connect instead of OpenID, but not to kerberos. I've CC'd Patrick Uiterwijk, who is the Fedora security officer, just in case he wants to correct this statement or add to it. Due to this, I'm going to close this ticket as WONTFIX.

Comment 2 Nikos Mavrogiannopoulos 2017-09-06 08:54:53 UTC
Not sure I follow. The move to kerberos was done a few months ago. Is it old news already and Fedora is moving to something else? Where was this announced?

Comment 3 Nikos Mavrogiannopoulos 2017-09-06 08:58:12 UTC
> The security benefits are not nullified because Bodhi doesn't store the password.

While that's true, it is also misleading. While bodhi doesn't store the password, there is no way to use bodhi non-interactively without storing the password.

Comment 4 Randy Barlow 2017-09-07 17:57:12 UTC
I will have to defer to Patrick to answer your questions here, but I'll offer some of my own speculations:

I don't believe Fedora is leaving Kerberos, but the switch to Kerberos was not intended to be done across all applications as far as I know. I don't believe this is a change from the original plan, i.e., I believe the plan for Fedora apps to use OpenID Connect was in place at the same time that Fedora began to use Kerberos for other things.

I will also speculate that it is intentional that Bodhi would not be used non-interactively.

Again, all of the above is speculation on my part and Patrick is the authority on what our policies are in this area.