fedora hosted, sharding and openid

Patrick Uiterwijk puiterwijk at gmail.com
Sat Feb 16 09:19:01 UTC 2013


On Thu, Feb 14, 2013 at 10:13 PM, Till Maas <till.maas at till.name> wrote:

> ...
>
> Actually it is admin.fedoraproject.org that will ask for the password.

Well, if you see admin.fedoraproject.org requesting the password, you are
probably using id.fedoraproject.org currently, which is still the current
FAS module.
FAS-OpenID (which is available as <username>.id.stg.fedoraproject.org) does
not use admin.fedoraproject.org at all.

> I assumed that if username.id.fedoraproject.org is used as OpenID ID,
> there would be some plain HTTP request from the user's browser to
> username.id.fedoraproject.org, but this does not seem to be the case
> (anymore?).

No, the user's browser won't request username.id.fedoraproject.org but only
id.fedoraproject.org, but trac does this to verify that the OpenID endpoint
indeed controls that specific URL.

> Nevertheless, at least trac will probably not connect via
> HTTPS to username.id.fedoraproject.org, because the certificate for that
> host name is not valid.

That's also not used: for connection between trac and the OpenID provider,
plain HTTP is used for verification.

> Nevertheless, an attack might not be that likely
> for that as MITM attacks near a user's client are.
>
> Regards
> Till

There is only SSL in place for the login page; all other pages do not need
SSL (because of the certificate wildcard level).