Stijn De Weirdt wrote:
>>> this is a different question: what can we do such that compromised host
>>> can do a little as possible if the admin doesn't (yet) know the host is
>>> compromised.
>>>
>>> the default policy allows way too much.
>>
>> For any useful advice we need more details.
>>
>> What are the operations you want to disable?
> at the very least, "kvno userlogin" should fail (i.e. access to a host
> keytab shouldn't permit retrieval of arbitrary user token).
> 
> i'm assuming that retrieval of service tokens for another host is
> already not possible? (ie if you have keyatb of fqdn1, you shouldn't be
> able to retrieve a token for SERVICE/fqdn2@REALM).

To be more precise you get a service ticket. I'm not sure what the
exposure is here.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to