Created by julianbrost on 2015-10-31 17:06:31 +00:00
Assignee: aklimov
Status: Resolved (closed on 2016-02-15 09:40:03 +00:00)
Target Version: 2.2.0
Last Update: 2016-02-15 09:40:03 +00:00 (in Redmine)
The authHttp() method in library/Icinga/Authentication/Auth.php causes Icinga Web 2 to send HTTP basic auth requests when the user was already successfully authenticated by the webserver via Kerberos, as can be seen in the following curl output:
$ curl -v --negotiate -u : http://[monitoringhost]/icingaweb2/
* Trying [address]...
* Connected to [monitoringhost] ([address]) port 80 (#0)
> GET /icingaweb2/ HTTP/1.1
> Host: [monitoringhost]
> User-Agent: curl/7.45.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Date: Wed, 28 Oct 2015 07:42:35 GMT
< Server: Apache/2.4.10 (Debian)
< WWW-Authenticate: Negotiate
< Content-Length: 482
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host [monitoringhost] left intact
* Issue another request to this URL: 'http://[monitoringhost]/icingaweb2/'
* Found bundle for host [monitoringhost]: 0xaf86b0
* Re-using existing connection! (#0) with host [monitoringhost]
* Connected to [monitoringhost] ([address]) port 80 (#0)
* Server auth using Negotiate with user ''
> GET /icingaweb2/ HTTP/1.1
> Host: [monitoringhost]
> Authorization: Negotiate [...base64...]
> User-Agent: curl/7.45.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Date: Wed, 28 Oct 2015 07:42:35 GMT
< Server: Apache/2.4.10 (Debian)
< WWW-Authenticate: Negotiate [...base64...]
< WWW-Authenticate: Negotiate [...base64...]
< Www-Authenticate: Basic realm="Icinga Web 2"
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host [monitoringhost] left intact
Notice this header which is sent by authHttp() calling challengeHttp():
< Www-Authenticate: Basic realm="Icinga Web 2"
This makes Icinga Web 2 completely unusable as I don't know any browser that handles this properly (Firefox will just send requests in an endless loop) and even if, there are no valid login credentials for this request. Icinga Web 2 was not yet configured at that point.
Configuration for Apache (it's basically the configuration from the debmon.org icingaweb2 package with some additional lines for Kerberos):
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbDelegateBasic Off
Krb5Keytab /etc/apache2/krb5.keytab
Alias /icingaweb2 "/usr/share/icingaweb2/public"
Options SymLinksIfOwnerMatch
AllowOverride None
AuthType Kerberos
AuthName "Kerberos"
Require unix-group staff
SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"
EnableSendfile Off
RewriteEngine on
RewriteBase /icingaweb2/
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ index.php [NC,L]
DirectoryIndex error_norewrite.html
ErrorDocument 404 /error_norewrite.html
Replacing the code of authHttp() with just return false; is a quick workaround and makes Icinga Web 2 usable in my setup. But I don't know what a proper patch would look like as I don't understand why this method is invoked at all. Icinga Web 2 shouldn't care about HTTP basic authentication at all unless configured explicitly to do so.
Unfortunately reproducing this isn't simple, as it needs a working Kerberos realm, but it should be possible to solve this issue only with the curl output above. I can also test patches if needed.
Updated by julianbrost on 2015-11-03 13:26:20 +00:00
Just checked again after configuring Web 2: Now it works without any modifications to the source code, authHttp() doesn't even seem to be called. Thus it looks like this problem only exists when Web 2 is unconfigured.
This issue has been migrated from Redmine: https://dev.icinga.com/issues/10506
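A regression check for the behaviour reported in this issue, added here as an example and not part of Icinga Web 2 or of the original report: it parses `curl -v` output and flags any exchange in which the client sent `Authorization: Negotiate` and still received a `Basic` challenge. The function names, the host name and the token values are hypothetical, and it assumes one challenge per `WWW-Authenticate` line, as in the trace above.

```python
import re

# Constructed trace in `curl -v` format, modelled on the one in the report.
SAMPLE_TRACE = """\
> GET /icingaweb2/ HTTP/1.1
> Host: monitoring.example
>
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
<
> GET /icingaweb2/ HTTP/1.1
> Host: monitoring.example
> Authorization: Negotiate dG9rZW4=
>
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate dG9rZW4=
< Www-Authenticate: Basic realm="Icinga Web 2"
<
"""

def parse_exchanges(trace):
    """Return one dict per request/response pair found in curl -v output."""
    exchanges = []
    for line in trace.splitlines():
        direction, text = line[:1], line[2:].strip()
        if direction == ">" and re.match(r"[A-Z]+ \S+ HTTP/", text):
            exchanges.append({"request": text, "sent_auth": None,
                              "status": None, "challenges": []})
            continue
        if not exchanges or direction not in ("<", ">"):
            continue  # curl's own "* ..." info lines and blank lines
        cur = exchanges[-1]
        status = re.match(r"HTTP/\S+ (\d{3})", text)
        if direction == "<" and status:
            cur["status"] = int(status.group(1))
        elif ":" in text:
            name, value = (part.strip() for part in text.split(":", 1))
            scheme = value.split(" ", 1)[0].lower()
            if direction == ">" and name.lower() == "authorization":
                cur["sent_auth"] = scheme
            elif direction == "<" and name.lower() == "www-authenticate":
                cur["challenges"].append(scheme)
    return exchanges

def unexpected_basic_challenges(exchanges):
    """Exchanges where the client sent Negotiate yet got a Basic challenge back."""
    return [e for e in exchanges
            if e["sent_auth"] == "negotiate" and e["status"] == 401
            and "basic" in e["challenges"]]
```

Header names are compared case-insensitively, so the `Www-Authenticate` spelling emitted by the application is matched alongside Apache's `WWW-Authenticate`.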
Changesets
2016-02-15 09:39:18 +00:00 by aklimov 4c97fb7