On Wed, 2013-11-27 at 15:12 -0500, Nathaniel McCallum wrote:
> On Wed, 2013-11-27 at 14:34 +0000, Simo Sorce wrote:
> > On Thu, 2013-11-21 at 15:54 -0500, Dmitri Pal wrote:
> > > On 11/21/2013 01:34 PM, Nathaniel McCallum wrote:
> > > >> The password can be retrieved with radiusproxy-show --all, because it is
> > > >> not blocked by LDAP ACIs. Is that intended?
> > > > Yes. But I'm torn as to whether or not this is a good idea. Regular
> > > > users can't see radius proxy servers at all. Admins can see all
> > > > attributes.
> > > >
> > > > It is common in radius server deployments to have a text file readable
> > > > by root with the radius secret. The current LDAP policy replicates this
> > > > "expected" behavior. It may be wise to block all reads of the secret
> > > > though. I'm open to suggestions.
> > > >
> > > If it is readable by admin only I would leave it as is for now and
> > > address later when we redo ACIs.
> > 
> > Is this specific to the one and only admin account or does it extend to
> > any user in the admins group?
> 
> All admins. See ipatokenRadiusConfiguration in
> install/share/default-aci.ldif. Read access is denied to everyone except
> admins. The entire class is hidden from normal users. See below.

Oh I see it now, sorry, my fault in reading that ACI.
I can't wait to finally straighten out our ACI system...

> > Looking at the current master it seems *any* user except anonymous can
> > read secrets? Or is there a patch I am missing?
> > I think this is too broad.
> 
> [root@freeipa ~]# kinit admin
> Password for ad...@example.com: 
> [root@freeipa ~]# ipa radiusproxy-find
> -----------------------------
> 1 RADIUS proxy server matched
> -----------------------------
>   RADIUS proxy server name: foo
>   Server: foo
> ----------------------------
> Number of entries returned 1
> ----------------------------
> 
> [root@freeipa ~]# kinit test
> Password for t...@example.com: 
> kinit: Password incorrect while getting initial credentials
> [root@freeipa ~]# kinit test
> Password for t...@example.com: 
> [root@freeipa ~]# ipa radiusproxy-find
> ------------------------------
> 0 RADIUS proxy servers matched
> ------------------------------
> ----------------------------
> Number of entries returned 0
> ----------------------------

Looks good, I would still prefer to not make the password readable by
default to admins, but I think we can further restrict this later once
we have the new ACI system in place, which should make it easier to
handle these cases.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
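The two policies weighed above, written out as 389-DS ACIs. This is an added illustration, not the contents of FreeIPA's install/share/default-aci.ldif; the suffix dc=example,dc=com, the container cn=radiusproxy,cn=etc and the group DN cn=admins,cn=groups,cn=accounts are assumed names chosen for the example. The first ACI reproduces the behaviour shown in the thread (admins see every attribute of ipatokenRadiusConfiguration entries, everyone else sees no such entry at all, because 389-DS denies by default and no other ACI grants anything). The second pair is the tighter variant Simo prefers: admins can still list and manage proxy servers, but the secret itself is not readable over LDAP by any bound user, so radiusproxy-show --all would no longer return it.

```ldif
# Added example (assumed DNs), not FreeIPA's shipped default-aci.ldif.
# Apply with: ldapmodify -Y GSSAPI -f radius-acis.ldif  (as an admin or Directory Manager)

# --- Policy as discussed in the thread: admins read everything, others see nothing ---
dn: cn=radiusproxy,cn=etc,dc=example,dc=com
changetype: modify
add: aci
aci: (targetfilter = "(objectClass=ipatokenRadiusConfiguration)")(targetattr = "*")(version 3.0; acl "Admins can read RADIUS proxy servers"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";)

# --- Tighter variant: admins manage the entry, but the secret is not readable by anyone ---
# Grant admins every attribute EXCEPT the secret (note the != on targetattr).
dn: cn=radiusproxy,cn=etc,dc=example,dc=com
changetype: modify
add: aci
aci: (targetfilter = "(objectClass=ipatokenRadiusConfiguration)")(targetattr != "ipatokenRadiusSecret")(version 3.0; acl "Admins can read RADIUS proxy servers except the secret"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";)
-
# Explicit deny of the secret to all bound users. In 389-DS a deny always wins over an
# allow, so this holds even if some broader read ACI is added later by mistake.
add: aci
aci: (targetfilter = "(objectClass=ipatokenRadiusConfiguration)")(targetattr = "ipatokenRadiusSecret")(version 3.0; acl "Nobody reads the RADIUS secret over LDAP"; deny (read, search, compare) userdn = "ldap:///all";)
```

Only one of the two policies should be loaded at a time; the second block is meant as a replacement for the first, not an addition to it. The server-side component that actually forwards RADIUS requests still has to obtain the secret somehow (for example by binding with a privilege the deny ACI does not cover); how that is done is a deployment decision and is not part of this fragment. A quick check after loading either policy is the one in the thread: kinit as an admin and as an ordinary user and compare the output of ipa radiusproxy-find and ipa radiusproxy-show --all.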
