>> we are looking at how to configure whatever relevant policy to minimise the
>> impact of compromised IPA hosts (i.e. servers with a valid host keytab).
>>
>> in particular, it looks like it is possible to retrieve any user token once
>> you have access to a valid host keytab.
>>
>> we're aware that the default IPA policies are wide open, but we are
>> looking at how to limit this. for us, there's no need that a host keytab can
>> retrieve tokens for anything except the services on that host.
>
> What "token" do you have in mind?
>

Service tokens, like HTTP/fqdn@REALM, should work, but I expect that in the following example the kvno part fails:

kinit -kt /etc/krb5.keytab
kvno a_valid_user

stijn

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
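As an added example (not part of the thread, and not FreeIPA project code), here is the detection side of the scenario discussed above: a small Python scanner over MIT krb5kdc log lines that flags TGS tickets issued to a host/ principal for anything other than services on that same host, which is exactly what the `kinit -kt /etc/krb5.keytab; kvno a_valid_user` sequence would produce on a KDC that does not restrict it. The log lines are constructed samples in the MIT KDC's `TGS_REQ ... ISSUE:` format; the hostnames, realm and IP addresses are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# MIT krb5kdc "TGS_REQ ... ISSUE: ..., <client> for <service>" line.
# The lazy .*? skips the etype list and client IP that precede ": ISSUE:".
TGS_ISSUE_RE = re.compile(
    r"TGS_REQ .*?: ISSUE: authtime \d+, etypes \{[^}]*\}, "
    r"(?P<client>\S+) for (?P<service>\S+)"
)


@dataclass
class Finding:
    client: str
    service: str
    reason: str


def principal_host(principal: str) -> Optional[str]:
    """Return the instance (host) part of a two-component principal, else None.

    'HTTP/web1.example.com@EXAMPLE.COM' -> 'web1.example.com'
    'a_valid_user@EXAMPLE.COM'          -> None (a single-component user principal)
    """
    name = principal.split("@", 1)[0]
    if "/" in name:
        return name.split("/", 1)[1]
    return None


def check_line(line: str) -> Optional[Finding]:
    """Flag a TGS issue where a host/ principal obtained a ticket it should not need."""
    m = TGS_ISSUE_RE.search(line)
    if not m:
        return None  # AS_REQ, errors, or unrelated log lines
    client, service = m.group("client"), m.group("service")
    if not client.split("@", 1)[0].startswith("host/"):
        return None  # only host keytab identities are in scope here
    svc_name = service.split("@", 1)[0]
    if svc_name.startswith("krbtgt/"):
        return None  # TGT renewal / cross-realm traffic, not a service ticket
    client_host = principal_host(client)
    svc_host = principal_host(service)
    if svc_host is None:
        return Finding(client, service,
                       "host principal obtained a ticket for a user principal")
    if svc_host != client_host:
        return Finding(client, service,
                       "host principal obtained a ticket for a service on another host")
    return None  # service on the host's own FQDN: expected behaviour


def scan(lines: Iterable[str]) -> List[Finding]:
    return [f for f in (check_line(l) for l in lines) if f is not None]


# Constructed sample KDC log lines (assumed hostnames/realm/IPs, not real data).
_PREFIX = "Jan 05 10:00:01 kdc.example.com krb5kdc[2174](info): "
_TGS = "TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1704448800, etypes {rep=18 tkt=18 ses=18}, "
SAMPLE_LOG = [
    # 1. host keytab fetching its own HTTP service ticket: expected, not flagged
    _PREFIX + _TGS + "host/web1.example.com@EXAMPLE.COM for HTTP/web1.example.com@EXAMPLE.COM",
    # 2. host keytab fetching a ticket for a user principal (the kvno a_valid_user case): flagged
    _PREFIX + _TGS + "host/web1.example.com@EXAMPLE.COM for a_valid_user@EXAMPLE.COM",
    # 3. host keytab fetching a service ticket for a different host: flagged
    _PREFIX + _TGS + "host/web1.example.com@EXAMPLE.COM for nfs/files.example.com@EXAMPLE.COM",
    # 4. a user fetching a service ticket: out of scope, not flagged
    _PREFIX + _TGS + "a_valid_user@EXAMPLE.COM for HTTP/web1.example.com@EXAMPLE.COM",
    # 5. TGT renewal by the host principal: ignored
    _PREFIX + _TGS + "host/web1.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    # 6. an AS_REQ line: does not match the TGS pattern at all
    _PREFIX + "AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1704448800, etypes {rep=18 tkt=18 ses=18}, host/web1.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.reason}: {f.client} -> {f.service}")
```

The check is deliberately narrow: it only looks at issued tickets whose client is a host/ principal, treats krbtgt/ as noise, and accepts a service ticket only when the service instance matches the host's own FQDN. On a real KDC this would run over /var/log/krb5kdc.log (or the journal), and a hit for a user principal is the signal that the policy the thread is asking about has not been tightened.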