On 16.11.2016 15:33, Stijn De Weirdt wrote:
> hi martin,
> 
>>>> we are looking how to configure whatever relevant policy to minimise the
>>>> impact of compromised IPA hosts (ie servers with a valid host keytab).
>>>>
>>>> in particular, it looks like it possible to retrieve any user token once
>>>> you have access to a valid host keytab.
>>>>
>>>> we're aware that the default IPA policies are wide open, but we are
>>>> looking how to limit this. for us, there's no need that a hostkeytab can
>>>> retrieve tokens for anything except the services on that host.
>>>
>>> What "token" do you have in mind?
>>>
>> We discussed this in another thread.
> this is a different question: what can we do such that compromised host
> can do a little as possible if the admin doesn't (yet) know the host is
> compromised.
> 
> the default policy allows way too much.

For any useful advice we need more details.

What are the operations you want to disable?

Petr^2 Spacek


> 
> how to clean it up once you know the host is compromised is the subject
> of the other thread.
> 
> stijn
> 
>>
>> In the case that the host is compromised/stolen/hijacked, you can
>> host-disable it to invalidate the keytab stored there but this does not
>> prevent anyone logged on that host to bruteforce/DOS user accounts by
>> trying to guess their Kerberos keys by repeated kinit.
>>
> 


-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to