>> we are looking how to configure whatever relevant policy to minimise the
>> impact of compromised IPA hosts (ie servers with a valid host keytab).
>> in particular, it looks like it possible to retrieve any user token once
>> you have access to a valid host keytab.
>> we're aware that the default IPA policies are wide open, but we are
>> looking how to limit this. for us, there's no need that a hostkeytab can
>> retrieve tokens for anything except the services on that host.
> What "token" do you have in mind?
service tokens, like HTTP/fqdn@REALM should work, but i expect in the
following example that the kvno part fails
kinit -kt /etc/krb5.keytab
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project