On Wed, 2015-11-25 at 10:24 +0100, Sumit Bose wrote:
> On Tue, Nov 24, 2015 at 02:42:32PM -0500, Simo Sorce wrote:
> > Since some time we use the getkeytab operation to fetch keytabs on newer
> > clients. According to bug #232 setkeytab can be used to circumvent
> > password quality controls so it needs to be slowly retired.
> 
> ipasam uses this exop to create the cross-realm TGT principal objects,
> krbtgt/DOM.A@DOM.B. What should be used instead to make sure that
> setkeytab can safely be disabled?

It must use the new getkeytab extended operation.

Can you open a ticket to fix this and assign it to me ?

Simo.

> bye,
> Sumit
> 
> > 
> > The attached patches implement #5485 in 2 parts.
> > 
> > The first introduces the option DisableSetKeytab which globally disables
> > the setkeytab extended operation. This is set to false by default for
> > backwards compatibility.
> > 
> > The second introduces an option called DisableUserSetKeytab, which is
> > active by default in new installs (but not in upgraded ones), and only
> > disables the use of setkeytab for ipa suers, but not for hosts/services.
> > This is because user's are the ones that may abuse the interface to
> > escape password policies and users also normally do not acquire keytabs,
> > so it is a safe bet to disable just them by default in new installs.
> > 
> > (Testing in progress)
> > 
> > Simo.
> > 
> > -- 
> > Simo Sorce * Red Hat, Inc * New York


-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to