On 30.3.2015 09:28, Andrew Holway wrote: > Hi, > > As far as I understand it Kerberos service tickets are granted for a user > to access a particular principle (host/service@REALM) and cannot be reused. > Kerberos uses symmetric key cryptography so, if someone were able to access > the memory of the machine, then they may indeed be able to snoop your user > password although I am quite sure passwords are kept hashed in the Keytab. > > If you are so worried that someone would go to the trouble hack the > virtualisation layer and copy chunks of memory then you should really be > reconsidering your use of cloud services. People hacking kerberos will be > the least of your problems if you have data that is that sensitive on there. > > If you could point me to some documentation on the specific attack you are > trying to mitigate that would be nice. > > Thanks, > > Andrew > > > On 30 March 2015 at 04:27, Gokulnath <gokulna...@gmail.com> wrote: > >> Thanks for getting back. >> >> 1. As security Kerberos can ticket and in memory can be taken and that >> session key >> Can be used to gain access every where. Primarily this because the plan is >> to use the solution in cloud. >> >> 2. Can I disable DNS as well? And have IPA to run only ldap, ssh key >> rotation and pki ? >> >> 3. As during the install, DNS and Kerberos are getting installed and >> configured.
Let me add that DNS server is an optional component and will not be installed if you do not specify --setup-dns option. In that case you have to add necessary DNS records by hand to make FreeIPA fully functional. Petr^2 Spacek >> I would really appreciate if you can get back. >> >> Thank you >> Gokul >> Sent from iPhone >> >>> On Mar 29, 2015, at 8:44 PM, Dmitri Pal <d...@redhat.com> wrote: >>> >>>> On 03/29/2015 11:50 AM, Gokul wrote: >>>> Hi, >>>> >>>> I am tried to run some of my user cases with FreeIPA. >>>> >>>> Have FreeIPA to do only SSH key management in LDAP and PKI management. >>>> >>>> The understand that every request is kerberized and it has the DNS is >> must configuration. >>>> >>>> Can I have FreeIPA to run only SSH Key management with LDAP and a PKI >> server with dogtag? >>>> >>>> Thank you >>>> Gokul >>> You can't turn off Kerberos. You would need Kerberos for administration. >>> But other clients can take advantage of LDAP and SSH only. >>> However you are significantly limiting your functionality and >> capabilities. >>> Kerberos is really the key of the solution. >>> >>> What is the reason you try to avoid using it? -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project