On 07/07/14 14:06, Sam Hartman wrote:
> Here, I think we need to consider the boundary between what we ship with
> freeradius and what we ask people to configure.
> I don't know where that boundary should be but it kind of matters for
> this.
>
> If you are going to pass along gss-acceptor-host-name, you need to
> verify that it's correct for a client (if you are a proxy near the
> client)
>
> If you are going to pass along gss-acceptor-realm-name, you need to
> verify it's one of your realms.
>
> You might want to consider verifying that the host in question is
> permitted to offer the service in question.
>
> So, my assumption is that permitting the attribute without running those
> checks is not great.
> So, I'd support putting together a sample policy to do those checks for
> FR, and having commented out proposed lines in the attribute filter
> stuff reminding people to turn on such a sample policy if they are going
> to enable the attributes.
>
> Thoughts?
I'd love to have such a sample policy. Once in production, this kind of
stuff will be handled by people with more experience configuring FR. But
so far, for the pilot, that'd be of great help IMO. At least for me :).
>
> --Sam
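
The three checks Sam lists, modelled in Python as an added example; it is not part of the thread and not FreeRADIUS configuration. The lookup tables, addresses and host names are constructed, `GSS-Acceptor-Service-Name` (from RFC 7055) stands in for "the service in question", and stripping the attributes on failure rather than rejecting the request is an assumption.

```python
# Constructed sample data: every name and address here is an assumption.
LOCAL_REALMS = {"example.org"}
# RADIUS client (source IP) -> acceptor host names it is allowed to assert
CLIENT_HOSTS = {
    "192.0.2.10": {"ssh1.example.org"},
    "192.0.2.11": {"mail.example.org"},
}
# Acceptor host -> services that host is permitted to offer
HOST_SERVICES = {
    "ssh1.example.org": {"host"},
    "mail.example.org": {"imap", "smtp"},
}


def check_acceptor(client_ip, attrs):
    """Return (ok, reason) for the GSS-Acceptor-* attributes in a request."""
    host = attrs.get("GSS-Acceptor-Host-Name")
    realm = attrs.get("GSS-Acceptor-Realm-Name")
    service = attrs.get("GSS-Acceptor-Service-Name")

    if host is not None:
        # Normalise case and a trailing dot before comparing DNS names.
        host = host.lower().rstrip(".")
        if host not in CLIENT_HOSTS.get(client_ip, set()):
            return False, "host name not valid for this client"
    if realm is not None and realm.lower() not in LOCAL_REALMS:
        return False, "realm is not one of ours"
    if service is not None:
        # A service claim cannot be authorised without knowing the host.
        if host is None:
            return False, "service asserted without a host name"
        if service not in HOST_SERVICES.get(host, set()):
            return False, "host not permitted to offer service"
    return True, "ok"


def filter_for_proxy(client_ip, attrs):
    """Forward the attributes only when every check passes, else strip them."""
    ok, _ = check_acceptor(client_ip, attrs)
    if ok:
        return dict(attrs)
    return {k: v for k, v in attrs.items()
            if not k.startswith("GSS-Acceptor-")}
```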