Stijn De Weirdt wrote:
>>> this is a different question: what can we do such that compromised host
>>> can do as little as possible if the admin doesn't (yet) know the host is
>>> compromised.
>>> the default policy allows way too much.
>> For any useful advice we need more details.
>> What are the operations you want to disable?
> at the very least, "kvno userlogin" should fail (i.e. access to a host
> keytab shouldn't permit retrieval of arbitrary user token).
> i'm assuming that retrieval of service tokens for another host is
> already not possible? (i.e. if you have keytab of fqdn1, you shouldn't be
> able to retrieve a token for SERVICE/fqdn2@REALM).

To be more precise you get a service ticket. I'm not sure what the
exposure is here.

