Stijn De Weirdt wrote: >>> this is a different question: what can we do such that compromised host >>> can do a little as possible if the admin doesn't (yet) know the host is >>> compromised. >>> >>> the default policy allows way too much. >> >> For any useful advice we need more details. >> >> What are the operations you want to disable? > at the very least, "kvno userlogin" should fail (i.e. access to a host > keytab shouldn't permit retrieval of arbitrary user token). > > i'm assuming that retrieval of service tokens for another host is > already not possible? (ie if you have keyatb of fqdn1, you shouldn't be > able to retrieve a token for SERVICE/fqdn2@REALM).
To be more precise you get a service ticket. I'm not sure what the exposure is here. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project