hi petr,

>>>> this is a different question: what can we do such that compromised host
>>>> can do a little as possible if the admin doesn't (yet) know the host is
>>>> compromised.
>>>>
>>>> the default policy allows way too much.
>>>
>>> For any useful advice we need more details.
>>>
>>> What are the operations you want to disable?
>> at the very least, "kvno userlogin" should fail (i.e. access to a host
>> keytab shouldn't permit retrieval of arbitrary user token).
> 
> I think that this is misunderstanding.
i'll spend some more time rereading and getting a better understanding
(again ;)

> 
> "kvno userlogin" does not allow the attacker to do anything. The result of
> kvno command is a service ticket for particular principal (user, host).
> 
> The attacker can use this service ticket *for authentication to the particular
> principal* (user, host).
> 
> So the only thing the attacker can do is to prove its identity to given (user,
> host). This exactly matches capabilities the attacker already has - the full
> control over the host.
hhmm, ok. is there a way to let e.g. klist show this? it now says
'userlogin@REALM' in the 'Service principal' column. for the (user,host)
combo i expected to see a userlogin/fqdn@REALM, like other service tokens.

anyway, clearly i'm missing something here.


stijn

> 
> Please see
> https://en.wikipedia.org/wiki/Kerberos_(protocol)#Client_Service_Request
> for further details on this.
> 
> Does it explain the situation?
> 
> Petr^2 Spacek
> 
>>
>> i'm assuming that retrieval of service tokens for another host is
>> already not possible? (ie if you have keyatb of fqdn1, you shouldn't be
>> able to retrieve a token for SERVICE/fqdn2@REALM).
>>
>> stijn
>>
>>>
>>> Petr^2 Spacek
>>>
>>>
>>>>
>>>> how to clean it up once you know the host is compromised is the subject
>>>> of the other thread.
>>>>
>>>> stijn
>>>>
>>>>>
>>>>> In the case that the host is compromised/stolen/hijacked, you can
>>>>> host-disable it to invalidate the keytab stored there but this does not
>>>>> prevent anyone logged on that host to bruteforce/DOS user accounts by
>>>>> trying to guess their Kerberos keys by repeated kinit.
>>>>>
>>>>
>>>
>>>
>>
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to