On 11/16/2016 03:10 PM, Sumit Bose wrote:
On Wed, Nov 16, 2016 at 02:41:34PM +0100, Martin Babinsky wrote:
On 11/16/2016 02:33 PM, Petr Spacek wrote:
On 16.11.2016 14:01, Stijn De Weirdt wrote:
hi all,

we are looking at how to configure whatever relevant policy to minimise the
impact of compromised IPA hosts (i.e. servers with a valid host keytab).

in particular, it looks like it is possible to retrieve any user token once
you have access to a valid host keytab.

we're aware that the default IPA policies are wide open, but we are
looking at how to limit this. for us, there's no need for a host keytab to be
able to retrieve tokens for anything except the services on that host.

What "token" do you have in mind?

We discussed this in another thread.

In the case that the host is compromised/stolen/hijacked, you can
host-disable it to invalidate the keytab stored there, but this does not
prevent anyone logged on to that host from brute-forcing/DoSing user accounts by
trying to guess their Kerberos keys with repeated kinit.

But the password policy should at least mitigate this by blocking the
account for some time after a number of wrong passwords are used.

bye,
Sumit


Yes, after (by default 6, IIRC) failed attempts it should lock out the account, making brute-forcing the credentials highly impractical. It will, however, prevent legitimate authentication of that user against the IPA master where the lockout is in place.

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
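Added example, not from this thread and not FreeIPA's own code: a small Python model of the lockout behaviour discussed above, using the global_policy defaults (6 failures, 60 s failure reset interval, 600 s lockout) and one unreplicated failure counter per master. It shows both halves of the trade-off: an attacker on a compromised host gets only a handful of online guesses per lockout cycle, and the locked-out user is refused on that master but still accepted on another. The user name, password and master names are constructed sample data; the attribute names in the comments are FreeIPA's, the counting logic is a simplification.

```python
"""Simplified model of FreeIPA's Kerberos password-lockout policy.

Added example for this thread; it is not FreeIPA code. It models the three
global_policy knobs (shown by `ipa pwpolicy-show` as Max failures, Failure
reset interval and Lockout duration; LDAP attributes krbMaxPwdFailure,
krbPwdFailureCountInterval, krbPwdLockoutDuration) and the fact that the
failed-login counter is kept per master, which is why a lockout only
affects the master that saw the failures.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PwPolicy:
    max_failures: int = 6        # krbMaxPwdFailure, global_policy default
    failure_interval: int = 60   # krbPwdFailureCountInterval (seconds)
    lockout_duration: int = 600  # krbPwdLockoutDuration (seconds); 0 = until admin unlock


@dataclass
class LoginState:
    failed_count: int = 0        # krbLoginFailedCount (not replicated by default)
    last_failed: float = 0.0     # krbLastFailedAuth


class Master:
    """One IPA master with its own, unreplicated failure counters."""

    def __init__(self, name: str, policy: PwPolicy, secrets: dict):
        self.name = name
        self.policy = policy
        self.secrets = secrets          # user -> password (constructed sample data)
        self.state: dict = {}

    def is_locked(self, st: LoginState, now: float) -> bool:
        if st.failed_count < self.policy.max_failures:
            return False
        if self.policy.lockout_duration == 0:
            return True                 # indefinite: only an admin unlock clears it
        return now - st.last_failed < self.policy.lockout_duration

    def authenticate(self, user: str, password: str, now: float) -> str:
        """Return "OK", "FAIL" or "LOCKED" for one password-based kinit at time `now`."""
        st = self.state.setdefault(user, LoginState())
        # A failure streak that has not yet reached the limit expires after
        # failure_interval seconds without another failure.
        if (0 < st.failed_count < self.policy.max_failures
                and now - st.last_failed > self.policy.failure_interval):
            st.failed_count = 0
        if self.is_locked(st, now):
            return "LOCKED"             # refused even with the correct password
        if self.secrets.get(user) == password:
            st.failed_count = 0
            return "OK"
        st.failed_count += 1
        st.last_failed = now
        return "FAIL"

    def admin_unlock(self, user: str) -> None:
        """What `ipa user-unlock` does on this master: reset the counter."""
        self.state[user] = LoginState()


def guesses_per_hour(policy: PwPolicy, masters: int = 1) -> float:
    """Upper bound on online guesses per hour against one account.

    Each master allows max_failures guesses per lockout cycle; with an
    indefinite lockout the attacker gets max_failures guesses in total.
    """
    if policy.lockout_duration == 0:
        return float(policy.max_failures * masters)
    return policy.max_failures * masters * 3600 / policy.lockout_duration


def simulate(policy: Optional[PwPolicy] = None) -> dict:
    """Attacker on a compromised host guesses alice's password against ipa1."""
    policy = policy or PwPolicy()
    secrets = {"alice": "correct horse battery staple"}   # constructed sample
    ipa1 = Master("ipa1", policy, secrets)
    ipa2 = Master("ipa2", policy, secrets)
    guesses = [ipa1.authenticate("alice", f"guess{i}", now=i)
               for i in range(policy.max_failures)]
    t = policy.max_failures
    return {
        "guesses": guesses,
        # alice herself is now refused on ipa1 ...
        "alice_on_ipa1": ipa1.authenticate("alice", secrets["alice"], now=t),
        # ... but ipa2 never saw the failures, so she can still log in there
        "alice_on_ipa2": ipa2.authenticate("alice", secrets["alice"], now=t),
        # ipa1 accepts her again once the lockout duration has passed
        "alice_on_ipa1_later": ipa1.authenticate(
            "alice", secrets["alice"], now=t + policy.lockout_duration + 1),
    }


if __name__ == "__main__":
    print(simulate())
    print("guesses/hour with defaults:", guesses_per_hour(PwPolicy()))
```

In a real deployment the corresponding checks are `ipa pwpolicy-show` for the limits, `ipa user-status <user>` for the per-master failed-login counts, `ipa user-unlock <user>` to clear a lockout, and `ipa host-disable <host>` for the compromised host; the model above does not talk to a server and exercises none of them.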