On Tue, Nov 1, 2011 at 7:36 PM, James Cammarata <jimi(a)sngx.net> wrote:
I've written an authn module for PAM (I'll commit it soon), and it got
me thinking about the web GUI security. I'd like to propose that we
move the GUI stuff to strictly HTTPS, using some rewrite rules. This
would also get rid of the VirtualHost stuff in cobbler_web.conf, since
typically the ssl.conf defines a default vhost on 443 that takes
precedence. I did some testing, and this seems to work out pretty
well, but I wanted to get a feeling for this from everyone because it
is a fairly major move. The cobbler-web RPM would also be modified to
require mod_ssl (and mod_wsgi, which it doesn't currently).
Debian/Ubuntu packaging would need to be updated accordingly.
Here are the patches if anyone wants to play with it. On my github,
in the authn-pam-https branch:
https://github.com/jimi1283/cobbler/tree/authn-pam-https
commit 7f245532e316f7c40af6b80bbfc58bdb73eedcb6
Author: James Cammarata <jimi(a)sngx.net>
Date: Tue Nov 1 22:30:51 2011 -0500

    Making https the default for the cobbler web GUI.
    Also modifying the cobbler-web RPM build to require mod_ssl and
    mod_wsgi (missing wsgi was an oversight, just correcting it now)

commit a11d54392dc7699d10ae1d6455edc35b9b9f6b84
Author: James Cammarata <jimi(a)sngx.net>
Date: Tue Nov 1 22:29:30 2011 -0500

    Adding authn_pam. This also creates a new setting -
    authn_pam_service, which allows the user to configure which PAM
    service they want to use for cobblerd.