On Wed, Nov 16, 2016 at 02:41:34PM +0100, Martin Babinsky wrote:
> On 11/16/2016 02:33 PM, Petr Spacek wrote:
> > On 16.11.2016 14:01, Stijn De Weirdt wrote:
> > > hi all,
> > >
> > > we are looking at how to configure whatever relevant policy to minimise the
> > > impact of compromised IPA hosts (i.e. servers with a valid host keytab).
> > >
> > > in particular, it looks like it is possible to retrieve any user token once
> > > you have access to a valid host keytab.
> > >
> > > we're aware that the default IPA policies are wide open, but we are
> > > looking at how to limit this. for us, there's no need that a host keytab can
> > > retrieve tokens for anything except the services on that host.
> >
> > What "token" do you have in mind?
> >
> We discussed this in another thread.
>
> In the case that the host is compromised/stolen/hijacked, you can
> host-disable it to invalidate the keytab stored there, but this does not
> prevent anyone logged on that host from brute-forcing/DoSing user accounts by
> trying to guess their Kerberos keys by repeated kinit.
But the password policy should at least mitigate this by blocking the account
for some time after a number of wrong passwords have been used.

bye,
Sumit

> --
> Martin^3 Babinsky
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
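Added example, not part of the thread and not FreeIPA code: a small Python model of the three lockout knobs Sumit's mitigation relies on (what `ipa pwpolicy-mod` exposes as `--maxfail`, `--failinterval` and `--lockouttime`), used to simulate both sides of the exchange above, an attacker on a compromised host guessing a user's password with repeated kinit, and the lockout DoS Martin mentions. The counter semantics (failures within `failinterval` accumulate, reaching `maxfail` locks the account for `lockouttime` seconds, `lockouttime=0` locks until an admin unlock, attempts rejected while locked do not touch the counters) are a simplifying assumption of this model, not a statement about the KDC's exact implementation; the wordlist and timings are constructed.

```python
"""Toy model of a Kerberos password-lockout policy (maxfail / failinterval /
lockouttime). Constructed for illustration; not FreeIPA's implementation."""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    maxfail: int        # failures before the account locks (0 = never lock)
    failinterval: int   # seconds; a failure older than this starts a new window
    lockouttime: int    # seconds the lock lasts (0 = until admin unlock)


class Account:
    """One principal's failed-auth state as the KDC would track it (model)."""

    def __init__(self, policy, password):
        self.policy = policy
        self.password = password      # stand-in for the user's Kerberos key
        self.failcount = 0
        self.last_fail = None         # epoch seconds of the most recent failure

    def _expire_stale(self, now):
        """Drop counters once the window or the lock has run out (assumption)."""
        p = self.policy
        if self.last_fail is None:
            return
        age = now - self.last_fail
        locked = p.maxfail > 0 and self.failcount >= p.maxfail
        if locked:
            if p.lockouttime > 0 and age >= p.lockouttime:
                self.failcount, self.last_fail = 0, None
        elif age >= p.failinterval:
            self.failcount, self.last_fail = 0, None

    def is_locked(self, now):
        self._expire_stale(now)
        return self.policy.maxfail > 0 and self.failcount >= self.policy.maxfail

    def kinit(self, guess, now):
        """Simulated AS-REQ with a password: 'ok', 'bad_password' or 'locked'."""
        if self.is_locked(now):
            return "locked"           # rejected without updating counters (assumption)
        if guess == self.password:
            self.failcount, self.last_fail = 0, None
            return "ok"
        self.failcount += 1
        self.last_fail = now
        return "bad_password"

    def admin_unlock(self):
        """Equivalent of an administrator clearing the lock."""
        self.failcount, self.last_fail = 0, None


def simulate_bruteforce(policy, password, wordlist, period=1):
    """Attacker on a compromised host tries one guess every `period` seconds.
    Returns (cracked, guesses_actually_evaluated, attempts_rejected_as_locked)."""
    acct = Account(policy, password)
    evaluated = rejected = 0
    for i, guess in enumerate(wordlist):
        result = acct.kinit(guess, i * period)
        if result == "locked":
            rejected += 1
            continue
        evaluated += 1
        if result == "ok":
            return True, evaluated, rejected
    return False, evaluated, rejected


def simulate_lockout_dos(policy, duration=3600, user_period=30):
    """Attacker burns a bad guess whenever the account is unlocked; the real
    user tries the correct password every `user_period` seconds.
    Returns (user_logins_ok, user_logins_rejected_as_locked)."""
    acct = Account(policy, "correct horse")
    ok = locked = 0
    for now in range(duration):
        if not acct.is_locked(now):
            acct.kinit("wrong", now)
        if now % user_period == 0:
            if acct.kinit("correct horse", now) == "ok":
                ok += 1
            else:
                locked += 1
    return ok, locked


# Constructed wordlist: the real password sits at index 10.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome",
            "admin", "monkey", "dragon", "iloveyou", "football",
            "correct horse", "sunshine", "princess", "shadow", "master",
            "hello", "freedom", "whatever", "trustno1", "batman"]

STRICT = LockoutPolicy(maxfail=5, failinterval=60, lockouttime=600)
OPEN = LockoutPolicy(maxfail=0, failinterval=60, lockouttime=600)

if __name__ == "__main__":
    print("no lockout   :", simulate_bruteforce(OPEN, "correct horse", WORDLIST))
    print("strict, fast :", simulate_bruteforce(STRICT, "correct horse", WORDLIST))
    print("strict, slow :", simulate_bruteforce(STRICT, "correct horse", WORDLIST, period=61))
    print("lockout DoS  :", simulate_lockout_dos(STRICT))
```

Two things the thread only hints at fall out of the model: a guesser who paces attempts slower than `failinterval` never trips the lock at all, so the policy bounds the guessing rate to roughly `maxfail` per `failinterval` rather than stopping it, which is why strong passwords (or OTP for users who log in from shared hosts) still matter; and the same knobs hand the attacker a cheap denial of service, since `maxfail` bad guesses per `lockouttime` keep the user out almost continuously (with `lockouttime=0` permanently, until an administrator intervenes). On a real deployment the counters behind this can be inspected with `ipa pwpolicy-show` and `ipa user-status <uid>`, and a lock cleared with `ipa user-unlock <uid>`.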