On Thu, 14 Nov 2024, Magnus Sandberg via FreeIPA-users wrote:
Hi,
This is a rather late reply but I'm new to RedHat IdM.
Would it be possible to have a kdcpolicy plugin that only allows admin
tokens issued on machines that are listed in some allow list? I guess
the list could even be dynamic as I also would like to limit it to the
IdM servers themselves.
It is possible to write a KDC policy plugin but I don't think it will
help. Kerberos tickets have a concept of addressfulness but it is not used
in real life due to NATs and other factors.
See, for example, very recent discussion upstream where MIT Kerberos
upstream maintainer explains it:
https://github.com/krb5/krb5/pull/1359#issuecomment-2472625591
--------
Addressful tickets are rarely used. When they are used, the AS client
decides what addresses get stored in the ticket. The ticket is then
restricted to use from one of the listed addresses. In our client
implementation (e.g. if you do "kinit -a"), we construct a list of the
local interface IP addresses and ask for those.
---------
So if you want to make a decision based on the addresses the client has
provided in the list, you are already in a pretty bad situation as you
have to trust that information. What if an attacker knows that you will
only be issuing 'admin' tickets on IPA servers? They'd simply fabricate
their AS-REQ packet with the corresponding addresses.
A better approach would be to switch admin accounts to use passwordless
authentication methods, with factors that attackers cannot easily get
access to: smartcards or FIDO2 passkeys, for example.
I guess that it would require some C programming but maybe not that
hard to do.
Regards,
// mem
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
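To make the point of the reply concrete, here is an added illustration (not code from the thread, FreeIPA or MIT Kerberos): a toy model of two AS-REQ policy decisions. One keys on the address list carried in the AS-REQ, which the requester fills in, so any requester can satisfy it; the other keys on authentication indicators that a KDC attaches only after it has verified a strong pre-authentication factor such as PKINIT (smartcard) or a passkey. The addresses, indicator strings and request objects are constructed for the example.

```python
"""Toy model of two KDC AS-REQ policy checks for an 'admin' principal.

Added illustration; not the MIT kdcpolicy plugin API and not FreeIPA code.
The allow-list, indicator names and sample requests are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Constructed allow-list: addresses of the IPA servers.
IPA_SERVER_ADDRS: FrozenSet[str] = frozenset({"192.0.2.10", "192.0.2.11"})

# Constructed indicator names for factors the KDC itself verifies
# (a smartcard via PKINIT, or a FIDO2 passkey).
STRONG_INDICATORS: FrozenSet[str] = frozenset({"pkinit", "passkey"})


@dataclass(frozen=True)
class AsRequest:
    """The parts of an AS exchange that matter for the two policies."""
    client: str
    # 'addresses' field of the AS-REQ: chosen and filled in by the requester.
    requested_addrs: FrozenSet[str] = frozenset()
    # Indicators the KDC attaches after it verified pre-authentication.
    # They are a KDC-side conclusion, not a field the requester controls.
    kdc_indicators: FrozenSet[str] = frozenset()


def address_allowlist_policy(req: AsRequest) -> bool:
    """Issue the admin ticket if a requested address is on the allow-list.

    The addresses come straight from the requester, so this check only
    confirms what the peer chose to claim about itself.
    """
    return bool(req.requested_addrs & IPA_SERVER_ADDRS)


def auth_indicator_policy(req: AsRequest) -> bool:
    """Issue the admin ticket only if the KDC verified a strong factor."""
    return bool(req.kdc_indicators & STRONG_INDICATORS)


def evaluate(req: AsRequest) -> Dict[str, bool]:
    """Run both policies so their outcomes can be compared side by side."""
    return {
        "address_allowlist": address_allowlist_policy(req),
        "auth_indicator": auth_indicator_policy(req),
    }


# Constructed sample requests.
# 1. A genuine admin on an IPA server, authenticating with a smartcard.
legit = AsRequest(
    client="admin@EXAMPLE.TEST",
    requested_addrs=frozenset({"192.0.2.10"}),
    kdc_indicators=frozenset({"pkinit"}),
)
# 2. A request built elsewhere: the sender simply listed an IPA server's
#    address in the AS-REQ and authenticated with a password.
forged_addrs = AsRequest(
    client="admin@EXAMPLE.TEST",
    requested_addrs=frozenset({"192.0.2.10", "198.51.100.7"}),
    kdc_indicators=frozenset(),
)


def demo() -> Dict[str, Dict[str, bool]]:
    """Return both verdicts for both requests."""
    return {"legit": evaluate(legit), "forged_addrs": evaluate(forged_addrs)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} {verdict}")
```

Running it shows the asymmetry the reply describes: the address allow-list accepts both requests because the second one merely claims an allowed address, while the indicator policy accepts only the request where the KDC itself established the strong factor. A real deployment would express the second policy through the KDC (for example, by requiring a passwordless method on the admin account) rather than through a custom check on request addresses.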