On 16.11.2016 17:47, Stijn De Weirdt wrote:
>>> this is a different question: what can we do such that compromised host
>>> can do a little as possible if the admin doesn't (yet) know the host is
>>> compromised.
>>>
>>> the default policy allows way too much.
>>
>> For any useful advice we need more details.
>>
>> What are the operations you want to disable?
> at the very least, "kvno userlogin" should fail (i.e. access to a host
> keytab shouldn't permit retrieval of arbitrary user token).

I think that this is misunderstanding.

"kvno userlogin" does not allow the attacker to do anything. The result of
kvno command is a service ticket for particular principal (user, host).

The attacker can use this service ticket *for authentication to the particular
principal* (user, host).

So the only thing the attacker can do is to prove its identity to given (user,
host). This exactly matches capabilities the attacker already has - the full
control over the host.

Please see
https://en.wikipedia.org/wiki/Kerberos_(protocol)#Client_Service_Request
for further details on this.

Does it explain the situation?

Petr^2 Spacek

> 
> i'm assuming that retrieval of service tokens for another host is
> already not possible? (ie if you have keyatb of fqdn1, you shouldn't be
> able to retrieve a token for SERVICE/fqdn2@REALM).
> 
> stijn
> 
>>
>> Petr^2 Spacek
>>
>>
>>>
>>> how to clean it up once you know the host is compromised is the subject
>>> of the other thread.
>>>
>>> stijn
>>>
>>>>
>>>> In the case that the host is compromised/stolen/hijacked, you can
>>>> host-disable it to invalidate the keytab stored there but this does not
>>>> prevent anyone logged on that host to bruteforce/DOS user accounts by
>>>> trying to guess their Kerberos keys by repeated kinit.
>>>>
>>>
>>
>>
> 


-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to