Hi, As far as I understand it Kerberos service tickets are granted for a user to access a particular principle (host/service@REALM) and cannot be reused. Kerberos uses symmetric key cryptography so, if someone were able to access the memory of the machine, then they may indeed be able to snoop your user password although I am quite sure passwords are kept hashed in the Keytab.
If you are so worried that someone would go to the trouble hack the virtualisation layer and copy chunks of memory then you should really be reconsidering your use of cloud services. People hacking kerberos will be the least of your problems if you have data that is that sensitive on there. If you could point me to some documentation on the specific attack you are trying to mitigate that would be nice. Thanks, Andrew On 30 March 2015 at 04:27, Gokulnath <gokulna...@gmail.com> wrote: > Thanks for getting back. > > 1. As security Kerberos can ticket and in memory can be taken and that > session key > Can be used to gain access every where. Primarily this because the plan is > to use the solution in cloud. > > 2. Can I disable DNS as well? And have IPA to run only ldap, ssh key > rotation and pki ? > > 3. As during the install, DNS and Kerberos are getting installed and > configured. > > I would really appreciate if you can get back. > > Thank you > Gokul > Sent from iPhone > > > On Mar 29, 2015, at 8:44 PM, Dmitri Pal <d...@redhat.com> wrote: > > > >> On 03/29/2015 11:50 AM, Gokul wrote: > >> Hi, > >> > >> I am tried to run some of my user cases with FreeIPA. > >> > >> Have FreeIPA to do only SSH key management in LDAP and PKI management. > >> > >> The understand that every request is kerberized and it has the DNS is > must configuration. > >> > >> Can I have FreeIPA to run only SSH Key management with LDAP and a PKI > server with dogtag? > >> > >> Thank you > >> Gokul > > You can't turn off Kerberos. You would need Kerberos for administration. > > But other clients can take advantage of LDAP and SSH only. > > However you are significantly limiting your functionality and > capabilities. > > Kerberos is really the key of the solution. > > > > What is the reason you try to avoid using it? > > > > > > -- > > Thank you, > > Dmitri Pal > > > > Sr. Engineering Manager IdM portfolio > > Red Hat, Inc. > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
