Diffstat (limited to '0010-Add-some-longer-form-docs-for-HTTPS.patch')
-rw-r--r--  0010-Add-some-longer-form-docs-for-HTTPS.patch  86
1 files changed, 86 insertions, 0 deletions
diff --git a/0010-Add-some-longer-form-docs-for-HTTPS.patch b/0010-Add-some-longer-form-docs-for-HTTPS.patch new file mode 100644 index 0000000..88f1327 --- /dev/null +++ b/0010-Add-some-longer-form-docs-for-HTTPS.patch 
@@ -0,0 +1,86 @@ +From b52acabf478e8d1aa19f7823aade81eed1553143 Mon Sep 17 00:00:00 2001 +From: Nalin Dahyabhai <nalin@dahyabhai.net> +Date: Tue, 22 Apr 2014 16:31:14 -0400 +Subject: [PATCH 10/13] Add some longer-form docs for HTTPS + +Add some longer-form documentation for the new HTTPS support, walking a +prospective administrator through generating a bare minimal signing +setup, deploying a WSGI-based proxy server onto an Apache httpd server +using mod_ssl and mod_wsgi, and configuring clients to use it. + +ticket: 7929 +--- + doc/admin/https.rst | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ + doc/admin/index.rst | 1 + + 2 files changed, 49 insertions(+) + create mode 100644 doc/admin/https.rst + +diff --git a/doc/admin/https.rst b/doc/admin/https.rst +new file mode 100644 +index 0000000..b4e68b2 +--- /dev/null ++++ b/doc/admin/https.rst +@@ -0,0 +1,48 @@ ++.. _https: ++ ++HTTPS proxy configuration ++========================= ++ ++In addition to being able to use UDP or TCP to communicate directly ++with a KDC as is outlined in RFC4120, and with kpasswd services in a ++similar fashion, the client libraries can attempt to use an HTTPS ++proxy server to communicate with a KDC or kpasswd service, using the ++protocol outlined in [MS-KKDCP]. ++ ++Communicating with a KDC through an HTTPS proxy allows clients to ++contact servers when network firewalls might otherwise prevent them ++from doing so. The use of TLS also encrypts all traffic between the ++clients and the KDC, preventing observers from conducting password ++dictionary attacks or from observing the client and server principals ++being authenticated, at additional computational cost to both clients ++and servers. ++ ++An HTTPS proxy server is provided as a feature in some versions of ++Microsoft Windows Server, and a WSGI implementation named `kdcproxy` ++is available in the python package index. 
++ ++ ++Configuring the clients ++----------------------- ++ ++To use an HTTPS proxy, a client host must trust the CA which issued ++that proxy's SSL certificate. If that CA's certificate is not in the ++system-wide default set of trusted certificates, configure the ++following relation in the client host's :ref:`krb5.conf(5)` file in ++the appropriate :ref:`realms` subsection:: ++ ++ http_anchors = FILE:/etc/krb5/cacert.pem ++ ++Adjust the pathname to match the path of the file which contains a ++copy of the CA's certificate. The `http_anchors` option is documented ++more fully in :ref:`krb5.conf(5)`. ++ ++Configure the client to access the KDC and kpasswd service by ++specifying their locations in its :ref:`krb5.conf(5)` file in the form ++of HTTPS URLs for the proxy server:: ++ ++ kdc = https://server.fqdn/KdcProxy ++ kpasswd_server = https://server.fqdn/KdcProxy ++ ++If the proxy and client are properly configured, client commands such ++as ``kinit``, ``kvno``, and ``kpasswd`` should all function normally. +diff --git a/doc/admin/index.rst b/doc/admin/index.rst +index 3406843..3cd57f5 100644 +--- a/doc/admin/index.rst ++++ b/doc/admin/index.rst +@@ -17,6 +17,7 @@ For administrators + otp.rst + princ_dns.rst + enctypes.rst ++ https.rst + + .. toctree:: + :maxdepth: 1 +-- +2.1.0 + |
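Review bot: The commit message promises a walkthrough of "generating a bare minimal signing setup" and "deploying a WSGI-based proxy server onto an Apache httpd server using mod_ssl and mod_wsgi", but the doc/admin/https.rst hunk only adds the introduction and the "Configuring the clients" section; either the server-side sections are missing from this patch or the commit message should be trimmed to describe what is actually added. In the same hunk, "that proxy's SSL certificate" is inconsistent with the earlier wording ("The use of TLS also encrypts all traffic"); use "TLS certificate" throughout, and consider saying explicitly, next to the `kdc = https://server.fqdn/KdcProxy` example, that the certificate must be valid for the hostname in that URL and not merely issued by a CA listed in `http_anchors`, since a reader could otherwise assume that trusting the CA alone is sufficient.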