Alexander Bokovoy wrote:

> On Thu, 14 Nov 2024, Magnus Sandberg via FreeIPA-users wrote:
> > Hi,
> >
> > This is a rather late reply but I'm new to RedHat IdM.
> >
> > Would it be possible to have a kdcpolicy plugin that only allows admin
> > tokens issued on machines that are listed in some allow list? I guess
> > the list could even be dynamic as I also would like to limit it to the
> > IdM servers themselves.
>
> It is possible to write a KDC policy plugin but I don't think it will
> help. Kerberos tickets have a concept of addressfulness but it is not used
> in real life due to NATs and other factors.
>
> See, for example, a very recent discussion upstream where the MIT Kerberos
> upstream maintainer explains it:
> https://github.com/krb5/krb5/pull/1359#issuecomment-2472625591
>
> --------
> Addressful tickets are rarely used. When they are used, the AS client
> decides what addresses get stored in the ticket. The ticket is then
> restricted to use from one of the listed addresses. In our client
> implementation (e.g. if you do "kinit -a"), we construct a list of the
> local interface IP addresses and ask for those.
> ---------
>
> So if you want to make a decision based on the addresses the client has provided in
> the list, you are already in a pretty bad situation as you have to trust
> that information. What if an attacker knows that you will only be
> issuing 'admin' tickets on IPA servers? They'd simply fabricate their
> AS-REQ packet with corresponding addresses.
>
> A better approach would be to switch admin accounts to use passwordless
> authentication methods, with factors that attackers cannot easily get access to:
> smartcards or FIDO2 passkeys, for example.
Thanks for your reply.

I'm not familiar with the krb source code and what's going on internally, but I think I got some understanding about the ongoing work from the link you provided.

My use case is to "help" my fellow IdM admins to not manage the IdM from the wrong machine. Our policy states that you should manage the IdM locally via dedicated jumphosts. But when you're in a hurry to fix a problem it may be easy to do "kinit admin" and use the relevant ipa commands from some host just to fix the problem, and that wouldn't be okay.

As this is for internal use in our own networks, we don't have NAT between our networks. And the main goal is not to protect against an attacker.

Regards,
// mem

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
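The following is an added illustration of the point Alexander makes above, not code from MIT krb5, FreeIPA, or either poster. It is a toy model of addressful tickets as he describes them: the AS client chooses the address list (as `kinit -a` does from its own interfaces), the KDC stores that list without any independent knowledge of the request's origin, and the restriction is enforced later by the service against the peer address it actually observes. The allow list, hosts, addresses and the `naive_kdc_policy` function are all constructed for the example; the NAT scenario shows why addressful tickets are rarely used in practice.

```python
"""Toy model of Kerberos addressful tickets as described in the thread.
Constructed example: the names, addresses and policy function below are
illustrative and are not MIT krb5 or FreeIPA code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AsReq:
    client: str
    addresses: tuple  # list the AS client *asks* to have stored in the ticket


@dataclass(frozen=True)
class Ticket:
    client: str
    addresses: tuple  # empty tuple means an ordinary addressless ticket


def kinit_a_local_addresses(interfaces):
    """Mimic 'kinit -a': the client enumerates its own interface IPs and
    requests exactly those. `interfaces` is a constructed name -> IP map."""
    return tuple(sorted(interfaces.values()))


def kdc_issue(req):
    """The KDC copies the requested list into the ticket as-is. Nothing in
    the AS exchange tells the KDC whether the list reflects the sender."""
    return Ticket(req.client, req.addresses)


def service_accepts(ticket, observed_peer_ip):
    """Addressful enforcement happens at the service: the peer address it
    sees must be one of the ticket's addresses (no list = no restriction)."""
    if not ticket.addresses:
        return True
    return observed_peer_ip in ticket.addresses


def naive_kdc_policy(req, allowed_hosts):
    """The KDC-side policy asked about in the thread: issue 'admin' only when
    every requested address is on the allow list. It can only inspect data
    the client itself chose to put in the AS-REQ."""
    return bool(req.addresses) and all(a in allowed_hosts for a in req.addresses)


JUMPHOSTS = {"10.0.0.10", "10.0.0.11"}  # constructed allow list of jumphosts


def honest_admin_on_jumphost():
    # The "help the hurried admin" case works: kinit from a jumphost passes.
    req = AsReq("admin", kinit_a_local_addresses({"eth0": "10.0.0.10"}))
    return naive_kdc_policy(req, JUMPHOSTS)


def honest_admin_on_laptop():
    # A well-behaved client on the wrong machine lists its own address and is refused.
    req = AsReq("admin", kinit_a_local_addresses({"wlan0": "192.168.1.50"}))
    return naive_kdc_policy(req, JUMPHOSTS)


def self_asserted_addresses_pass():
    # The KDC never compares the list with anything it observed, so an AS-REQ
    # that merely *claims* a jumphost address is indistinguishable from the
    # honest case above. This is why the policy is a reminder, not a control.
    req = AsReq("admin", ("10.0.0.10",))
    return naive_kdc_policy(req, JUMPHOSTS)


def ticket_bound_to_issuing_host():
    # What addressfulness is actually for: the service honours the ticket only
    # from a listed address, so a copied ticket is refused elsewhere.
    t = kdc_issue(AsReq("admin", ("10.0.0.10",)))
    return service_accepts(t, "10.0.0.10"), service_accepts(t, "192.168.1.50")


def nat_breaks_honest_client():
    # Behind NAT the client lists its private address but the service sees
    # the NAT's public one, so a perfectly honest ticket is rejected.
    t = kdc_issue(AsReq("alice", kinit_a_local_addresses({"eth0": "192.168.1.50"})))
    return service_accepts(t, "203.0.113.7")


if __name__ == "__main__":
    print("jumphost admin accepted:", honest_admin_on_jumphost())
    print("laptop admin refused:", not honest_admin_on_laptop())
    print("self-asserted list also accepted:", self_asserted_addresses_pass())
    print("ticket usable only from listed host:", ticket_bound_to_issuing_host())
    print("NAT client refused by service:", not nat_breaks_honest_client())
```

Read together, the five scenarios match the two positions in the thread: the KDC-side check does steer a cooperative admin who ran `kinit` from the wrong host, which is the non-security goal Magnus describes, while giving no assurance against anyone who controls the AS-REQ contents, which is why Alexander points to smartcards or FIDO2 passkeys for the security goal.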
