On Wed, 28 Apr 2021, Dominik Vogt via FreeIPA-users wrote:
> On Wed, Apr 28, 2021 at 01:10:08PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
>> On Wed, 28 Apr 2021, Dominik Vogt via FreeIPA-users wrote:
>>> What is the correct way to disable "kinit admin" on all ipa
>>> clients? In our setup, becoming admin should only be possible on the
>>> ipa server. (Everything is done by scripts run through ssh;
>>> nobody ever logs in to the server directly.)
>> Kerberos principals for users are not tied to specific hosts. There is
>> also nothing that does explicit 'kinit admin' unless you do it yourself.
>> Anyone who is in possession of the 'admin' account password can ask to obtain
>> a Kerberos ticket for this principal. There are no specific limitations
>> to hosts where this could happen.
> So there is no way to prevent someone from issuing administrative
> ipa commands from any host, except by keeping the password secret?
Correct, you have to keep passwords safe from the parties you don't want
to use the powers those passwords entail.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland