On 16.11.2016 15:33, Stijn De Weirdt wrote:
> hi martin,
>
>>>> we are looking how to configure whatever relevant policy to minimise the
>>>> impact of compromised IPA hosts (ie servers with a valid host keytab).
>>>>
>>>> in particular, it looks like it is possible to retrieve any user token once
>>>> you have access to a valid host keytab.
>>>>
>>>> we're aware that the default IPA policies are wide open, but we are
>>>> looking how to limit this. for us, there's no need that a hostkeytab can
>>>> retrieve tokens for anything except the services on that host.
>>>
>>> What "token" do you have in mind?
>>>
>> We discussed this in another thread.
> this is a different question: what can we do such that compromised host
> can do as little as possible if the admin doesn't (yet) know the host is
> compromised.
>
> the default policy allows way too much.

For any useful advice we need more details. What are the operations you want to disable?

Petr^2 Spacek

>
> how to clean it up once you know the host is compromised is the subject
> of the other thread.
>
> stijn
>
>>
>> In the case that the host is compromised/stolen/hijacked, you can
>> host-disable it to invalidate the keytab stored there but this does not
>> prevent anyone logged on that host to bruteforce/DOS user accounts by
>> trying to guess their Kerberos keys by repeated kinit.
>>
>

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project