
Comments (19)

grahamgilbert avatar grahamgilbert commented on July 18, 2024

This is fine for packages, but what happens with images? Currently we restore straight over http. Can we use basic auth then?

from imagr.

natewalck avatar natewalck commented on July 18, 2024

It looks like asr supports https, but doesn't offer any options for either basic auth or verifying the SSL cert on the server.


grahamgilbert avatar grahamgilbert commented on July 18, 2024

The only way I can think of doing this then is to create a RAM disk, but that brings its own challenges (and slows down the whole process).


gregneagle avatar gregneagle commented on July 18, 2024

There's no need for "options for ... verifying the SSL cert on the server" -- that's handled by Apple's underlying CFURLConnection functions and friends. If the OS can validate the cert, it's accepted.

I'd not worry too much about HTTP authentication at this point.

Nate: you should do some testing. Put an asr disk image on a web share protected by BasicAuth and try to restore from it via the command line. What happens?


natewalck avatar natewalck commented on July 18, 2024

@gregneagle This is in reference to the ASR restore as well. We can test package downloads via gurl using certs and I am confident that will work as it does in munki.

asr on the other hand does not seem to have any configurable options for SSL, so I'm not sure what asr over https even looks like (especially if it doesn't validate the server).


gregneagle avatar gregneagle commented on July 18, 2024

"We can test package downloads via gurl using certs"

If any of the certs are not from CAs already trusted by OS X, you'd have to add the appropriate CAs to the System keychain on the NBI. If you wanted also to do client certs, you'd need to have the appropriate identity/identities configured in the System keychain as well.

This configuration (if successful) should cover all HTTPS interactions: restoring images via https; mounting disk images via https; downloading pkgs via https, etc, etc.

But setting this up sounds complex and difficult to support. I think the work must be put on the shoulders of those who want/need this...


natewalck avatar natewalck commented on July 18, 2024

Are you assuming that if the correct bits are in the correct place in the keychain, that asr will use them and it will just work? The asr man page did not indicate that it supports client certs at all, so I wasn't sure if it was even possible.


gregneagle avatar gregneagle commented on July 18, 2024

asr and hdiutil use CFURLConnection and friends. I don't know if they are keychain-aware, but I believe they are.

gurl.py uses NSURLConnection and friends, which is a little higher-level, but those may well share code with the lower-level CFURL methods.


gregneagle avatar gregneagle commented on July 18, 2024

"The asr man page did not indicate that it supports client certs at all" that would not be asr's job. That would be the job of the lower-level CFURL* libraries.


gregneagle avatar gregneagle commented on July 18, 2024

Safari has no help pages telling how to use client certs, yet it's possible to do so.


natewalck avatar natewalck commented on July 18, 2024

Sure, Safari uses it. I can also find documentation on Safari + CFURLConnection, whereas I am coming up dry for asr + CFURLConnection.

I'll take your word for it that it will just work I guess. It seems like a reasonable assumption.


gregneagle avatar gregneagle commented on July 18, 2024

I don't know that it will just work. I suspect it will. I think you should test it.


natewalck avatar natewalck commented on July 18, 2024

I can test it. I'm not sure what the state of the security framework is like in the NBI, so I'll have to test it to know for sure.


gregneagle avatar gregneagle commented on July 18, 2024

Exactly!


gregneagle avatar gregneagle commented on July 18, 2024

security is available on the DS NetBoot set and security list-keychains shows /Library/Keychains/System.keychain and /private/var/root/Library/Keychains/login.keychain.

You should check an AutoNBI NBI to compare.


groob avatar groob commented on July 18, 2024

I tried adding a certificate this morning to an AutoNBI image and was not able to.
There is no system keychain in /Library, only the login keychain in /private/var/root/Library/Keychains
Even adding the certificate to the login keychain resulted in an error: SecTrustSettingsSetTrustSettings: errSecInternalComponent

I used security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certs/certname.cer" when attempting to add a new certificate.

Would it be possible to alter /System/Library/Keychains/SystemRootCertificates.keychain when the NBI is being created?

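The two NBI keychain layouts described in this thread (the DS NetBoot set, where security list-keychains shows /Library/Keychains/System.keychain, versus the AutoNBI image that only has the root user's login keychain) are easy to check for before running add-trusted-cert. The script below is an added example, not code from imagr or AutoNBI: it takes the mounted NBI root as a parameter (an assumption for the example), classifies its keychain layout, and only issues the security add-trusted-cert command groob quoted when a System keychain is actually present. The security call runs only where that tool exists (macOS); elsewhere the function just reports the command it would run, so the layout check can be exercised on constructed directory trees.

```shell
#!/bin/sh
# Added example, not imagr's or AutoNBI's own code. ROOT is the mounted NBI
# volume (assumed path); CERT is the CA certificate to trust on the NBI.

# nbi_keychain_layout ROOT
# Prints "system" when ROOT/Library/Keychains/System.keychain exists (the DS
# NetBoot layout from the thread), "login-only" when only the root user's login
# keychain exists (the AutoNBI layout reported above), "none" otherwise.
nbi_keychain_layout() {
    root="${1%/}"
    if [ -f "$root/Library/Keychains/System.keychain" ]; then
        echo system
    elif [ -f "$root/private/var/root/Library/Keychains/login.keychain" ]; then
        echo login-only
    else
        echo none
    fi
}

# add_trusted_root_to_nbi ROOT CERT
# Exit status: 0 when the trust-root command ran (or was printed on a non-macOS
# host), 2 when the NBI has no System keychain so add-trusted-cert would fail
# the way groob observed, 3 when CERT does not exist.
add_trusted_root_to_nbi() {
    root="${1%/}"
    cert="$2"
    [ -f "$cert" ] || return 3
    case "$(nbi_keychain_layout "$root")" in
        system) ;;
        *)
            echo "no System.keychain under $root; add-trusted-cert would fail" >&2
            return 2
            ;;
    esac
    kc="$root/Library/Keychains/System.keychain"
    # This is the command quoted in the thread, pointed at the NBI's keychain.
    if command -v security >/dev/null 2>&1; then
        security add-trusted-cert -d -r trustRoot -k "$kc" "$cert"
    else
        echo "would run: security add-trusted-cert -d -r trustRoot -k $kc $cert"
    fi
}
```

Usage on a real NBI is add_trusted_root_to_nbi /Volumes/NetBoot-root /private/tmp/certs/certname.cer; a status of 2 means the image needs a System keychain created (the AutoNBI-side change discussed below) before any CA can be trusted on it.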

grahamgilbert avatar grahamgilbert commented on July 18, 2024

I'm sure it would, but that's an AutoNBI thing.


bruienne avatar bruienne commented on July 18, 2024

I'll comment on this AutoNBI request here: https://bitbucket.org/bruienne/autonbi/issue/2/unable-to-add-certificate


grahamgilbert avatar grahamgilbert commented on July 18, 2024

Is there any movement or update on this? If it's not possible, I'll close the issue.

