Created attachment 504697
Patch to fix the bug in question

Description of problem:
Pulp admin and consumer certs both expire after 10 years. Our security team would have kittens if we told them that users would have to authenticate every 10 years. Cert expiration should be configurable.

Additionally, authenticating with an expired cert produces a stack trace, not a nice friendly error. The same is true of any cert invalidity issue.

Version-Release number of selected component (if applicable):
0.0.190, HEAD

How reproducible:
Every time.

Steps to Reproduce:
1. Run "pulp-admin auth login -u <username>"
2. Wait 3649 days.

Actual results:
You are able to use pulp-admin without authenticating after nearly 10 years.

Expected results:
The security-conscious should be able to lock this down a bit.

Additional info:
I've attached a patch that allows admins to set security.cert_expiration to the number of days an admin cert should be valid for. It also catches SSL errors in the client.server routines (GET, POST, etc.) and returns nice tidy error messages instead of stack traces.
commit 23fdefd6635fd819f1f7fdafcbf5643c49412d4a
Author: Jay Dobies <jason.dobies>
Date: Wed Jun 15 16:09:12 2011 -0400

    713176 - Changed user certificate expirations to 1 week. Consumer certificate expirations, while configurable, remain at the default of 10 years.

etc/pulp/pulp.conf
src/pulp/client/server.py
src/pulp/server/api/consumer.py
src/pulp/server/auth/cert_generator.py
test/unit/test_cert_generator.py
build: 0.192
verified in pulp.conf

[root@preethi ~]# rpm -q pulp
pulp-0.0.224-1.fc14.noarch

# Configures aspects of the pulp web server security.
#
# cacert: full path to the CA certificate that will be used to sign
#         consumer and admin identification certificates. This MUST match
#         the value of SSLCACertificateFile in /etc/httpd/conf.d/pulp.conf.
# cakey: full path to the private key for the CA certificate
# user_cert_expiration: number of days a user certificate is valid
# consumer_cert_expiration: number of days a consumer certificate is valid
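
An added example, not Pulp's code or the attached patch: it reads the two expiration settings named in the pulp.conf comments, rejects out-of-range values, and turns an SSL failure into a short message instead of a stack trace. The `[security]` section name, the sample values, the `MAX_DAYS` bound and all function names are assumptions made for illustration.

```python
import configparser
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample config. The key names come from the pulp.conf comments;
# the [security] section name and the values are assumptions.
SAMPLE_CONF = """
[security]
user_cert_expiration: 7
consumer_cert_expiration: 3650
"""

MAX_DAYS = 3650  # hypothetical upper bound chosen for this example


def load_expirations(text):
    """Return {'user': days, 'consumer': days}, rejecting unusable values."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    out = {}
    for kind in ("user", "consumer"):
        key = f"{kind}_cert_expiration"
        days = cp.getint("security", key)  # ValueError if not an integer
        if not 1 <= days <= MAX_DAYS:
            raise ValueError(f"{key} must be 1..{MAX_DAYS} days, got {days}")
        out[kind] = days
    return out


def not_after(issued_at, days):
    """Expiry timestamp for a certificate issued at issued_at."""
    return issued_at + timedelta(days=days)


def call_server(request):
    """Run a request callable; report TLS failures as (False, message)."""
    try:
        return True, request()
    except ssl.SSLError as exc:
        # 'reason' is only set on errors raised by the TLS layer itself.
        reason = getattr(exc, "reason", None) or "certificate rejected"
        return False, (f"Authentication failed ({reason}); "
                       "log in again to obtain a new certificate.")


if __name__ == "__main__":
    days = load_expirations(SAMPLE_CONF)
    now = datetime.now(timezone.utc)
    print("user cert valid until", not_after(now, days["user"]).isoformat())
```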
Pulp v1.0 is released

Closed Current Release.