URL: https://github.com/freeipa/freeipa/pull/338
Author: dkupka
 Title: #338:  password policy: Add explicit default password policy for hosts 
and services
Action: opened

PR body:
"""

"""

From 03f68b4829442ec734f04755c3426c76e3b9661d Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Thu, 29 Sep 2016 15:59:34 +0200
Subject: [PATCH 1/2] password policy: Add explicit default password policy for
 hosts and services

Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
CoS so no attributes are really added.

The default policies effectively disable any enforcement or lockout for hosts
and services. Since hosts and services use keytabs, password enforcement
doesn't make much sense. Also, the lockout policy could be used for an easy and
cheap DoS.

https://fedorahosted.org/freeipa/ticket/6561
---
 install/updates/20-default_password_policy.update | 133 ++++++++++++++++++++++
 install/updates/Makefile.am                       |   1 +
 ipaserver/install/service.py                      |   1 +
 3 files changed, 135 insertions(+)
 create mode 100644 install/updates/20-default_password_policy.update

diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update
new file mode 100644
index 0000000..b1f9754
--- /dev/null
+++ b/install/updates/20-default_password_policy.update
@@ -0,0 +1,133 @@
+# Default password policies for hosts, services and Kerberos services
+# Setting all attributes to zero effectively disables any password policy
+# We can do this because hosts and services uses keytabs instead of passwords
+
+# hosts
+dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Host Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# services
+dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# kerberos policy container
+# this is necessary to avoid mixing the Kerberos sevice password policy
+# with group-membership based user password policies
+dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Kerberos Service Password Policy
+
+# kerberos services
+dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Kerberos Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# default password policies for hosts, services and kerberos services
+# cosPriority is set intentionally to higher number than FreeIPA API allows
+# to set to ensure that these password policies have always lower priority
+# than any defined by user.
+
+# hosts
+dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
+
+dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
+default:description: Default Password Policy for Hosts
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
+
+# services
+dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
+
+dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
+default:description: Default Password Policy for Services
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
+
+# kerberos services
+dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+
+dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:description: Default Password Policy for Kerberos Services
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
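Review bot: The `default:cosPriority: 10000000000` value on the three cosTemplate entries exceeds a signed 32-bit range, and the comment above them only says it is higher than the FreeIPA API allows without stating what the directory server does with such a value; if the CoS plugin parses cosPriority into a 32-bit integer the value could wrap and these templates would no longer be guaranteed the lowest priority, so confirm the supported range or use the largest value known to work. The `cosAttribute: krbPwdPolicyReference default` line is what lets a real krbPwdPolicyReference on an entry take precedence over the virtual one, which is the basis for per-host and per-service overrides, and deserves a comment such as `# 'default' qualifier: a real krbPwdPolicyReference on the entry overrides this virtual value`. Two comment typos: `uses keytabs` should read `use keytabs` and `sevice` should read `service`. The spelling alternates between `objectClass` and `objectclass` across entries; attribute names are case-insensitive so this is cosmetic, but one spelling would read better.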
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index a80256f..e8a55e1 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -24,6 +24,7 @@ app_DATA =				\
 	20-winsync_index.update		\
 	20-idoverride_index.update	\
 	20-uuid.update  \
+	20-default_password_policy.update \
 	21-replicas_container.update	\
 	21-ca_renewal_container.update	\
 	21-certstore_container.update	\
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 4cc7012..6451f92 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -245,6 +245,7 @@ def move_service(self, principal):
             # There is no service in the wrong location, nothing to do.
             # This can happen when installing a replica
             return None
+        entry.pop('krbpwdpolicyreference', None)  # don't copy virtual attr
         newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
         hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
         api.Backend.ldap2.delete_entry(entry)
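Review bot: The new `entry.pop('krbpwdpolicyreference', None)` line says what it does but not why it matters; because the CoS definitions supplying this value use the `default` qualifier, writing the virtual value back as a real attribute on the re-created entry would pin the moved service to the default policy and shadow the CoS-provided value from then on, so the comment should say so, e.g. `# krbPwdPolicyReference is a CoS virtual attr; re-adding it as a real value would pin the policy`. The lookup uses a lowercased key, which presumably relies on case-insensitive entry keys; worth confirming, since a mismatch would silently leave the attribute in place. move_service starts and ends outside the hunk.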

From fa90e646802f8d88fed64a2e9d3b338847a0083e Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Fri, 25 Nov 2016 00:10:41 +0100
Subject: [PATCH 2/2] tests: Expect krbpwdpolicyreference in result of
 {host,service}-{find,show} --all

Result of {host,service}-{find,show} commands with option '--all' always contains
the krbpwdpolicyreference attribute.

https://fedorahosted.org/freeipa/ticket/6561
---
 ipatests/test_xmlrpc/test_idviews_plugin.py    | 35 ++++++++++++++++++++++++++
 ipatests/test_xmlrpc/test_service_plugin.py    | 10 ++++++++
 ipatests/test_xmlrpc/tracker/host_plugin.py    |  8 +++++-
 ipatests/test_xmlrpc/tracker/service_plugin.py |  7 +++++-
 4 files changed, 58 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_idviews_plugin.py b/ipatests/test_xmlrpc/test_idviews_plugin.py
index 5f87def..b1bb5ab 100644
--- a/ipatests/test_xmlrpc/test_idviews_plugin.py
+++ b/ipatests/test_xmlrpc/test_idviews_plugin.py
@@ -1029,6 +1029,11 @@ class test_idviews(Declarative):
                     serverhostname=[host3],
                     ipaassignedidview=[idview1],
                     ipakrboktoauthasdelegate=False,
+                    krbpwdpolicyreference=[DN(
+                        u'cn=Default Host Password Policy',
+                        api.env.container_host,
+                        api.env.basedn,
+                    )],
                 ),
             ),
         ),
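Review bot: The expected value `DN(u'cn=Default Host Password Policy', api.env.container_host, api.env.basedn)` is repeated verbatim in this hunk and the six later hunks of this file, and the service variant twice in test_service_plugin.py; a module-level constant such as `DEFAULT_HOST_PWPOLICY = DN(u'cn=Default Host Password Policy', api.env.container_host, api.env.basedn)` referenced as `krbpwdpolicyreference=[DEFAULT_HOST_PWPOLICY]` would keep the nine sites in sync if the policy DN ever changes. Each insertion sits inside a Declarative expected-result dict whose start and end are outside the hunk.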
@@ -1059,6 +1064,11 @@ class test_idviews(Declarative):
                     memberof_hostgroup=[hostgroup2],
                     memberofindirect_hostgroup=[hostgroup1],
                     ipakrboktoauthasdelegate=False,
+                    krbpwdpolicyreference=[DN(
+                        u'cn=Default Host Password Policy',
+                        api.env.container_host,
+                        api.env.basedn,
+                    )],
                 ),
             ),
         ),
@@ -1113,6 +1123,11 @@ class test_idviews(Declarative):
                     memberofindirect_hostgroup=[hostgroup1],
                     ipaassignedidview=[idview1],
                     ipakrboktoauthasdelegate=False,
+                    krbpwdpolicyreference=[DN(
+                        u'cn=Default Host Password Policy',
+                        api.env.container_host,
+                        api.env.basedn,
+                    )],
                 ),
             ),
         ),
@@ -1143,6 +1158,11 @@ class test_idviews(Declarative):
                     memberof_hostgroup=[hostgroup1],
                     ipaassignedidview=[idview1],
                     ipakrboktoauthasdelegate=False,
+                    krbpwdpolicyreference=[DN(
+                        u'cn=Default Host Password Policy',
+                        api.env.container_host,
+                        api.env.basedn,
+                    )],
                 ),
             ),
         ),
@@ -1216,6 +1236,11 @@ class test_idviews(Declarative):
                     serverhostname=[host1],
                     memberof_hostgroup=[hostgroup1],
                     ipakrboktoauthasdelegate=False,
+                    krbpwdpolicyreference=[DN(
+                        u'cn=Default Host Password Policy',
+                        api.env.container_host,
+                        api.env.basedn,
+                    )],
                 ),
             ),
         ),
@@ -1244,6 +1269,11 @@ class test_idviews(Declarative):
                     objectclass=objectclasses.host,
                     serverhostname=[host3],
                     ipakrboktoauthasdelegate=False,
+                    krbpwdpolicyreference=[DN(
+                        u'cn=Default Host Password Policy',
+                        api.env.container_host,
+                        api.env.basedn,
+                    )],
                 ),
             ),
         ),
@@ -1499,6 +1529,11 @@ class test_idviews(Declarative):
                     objectclass=objectclasses.host,
                     serverhostname=[host4],
                     ipakrboktoauthasdelegate=False,
+                    krbpwdpolicyreference=[DN(
+                        u'cn=Default Host Password Policy',
+                        api.env.container_host,
+                        api.env.basedn,
+                    )],
                 ),
             ),
         ),
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index fb2c4e7..f3940f4 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -270,6 +270,11 @@ class test_service(Declarative):
                     ipakrbrequirespreauth=True,
                     ipakrbokasdelegate=False,
                     ipakrboktoauthasdelegate=False,
+                    krbpwdpolicyreference=[DN(
+                        u'cn=Default Service Password Policy',
+                        api.env.container_service,
+                        api.env.basedn,
+                    )],
                 ),
             ),
         ),
@@ -334,6 +339,11 @@ class test_service(Declarative):
                         ipakrbrequirespreauth=True,
                         ipakrbokasdelegate=False,
                         ipakrboktoauthasdelegate=False,
+                        krbpwdpolicyreference=[DN(
+                            u'cn=Default Service Password Policy',
+                            api.env.container_service,
+                            api.env.basedn,
+                        )],
                     ),
                 ],
             ),
diff --git a/ipatests/test_xmlrpc/tracker/host_plugin.py b/ipatests/test_xmlrpc/tracker/host_plugin.py
index 5c2b4ee..d980177 100644
--- a/ipatests/test_xmlrpc/tracker/host_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/host_plugin.py
@@ -40,7 +40,8 @@ class HostTracker(KerberosAliasMixin, Tracker):
     retrieve_all_keys = retrieve_keys | {
         u'cn', u'ipakrbokasdelegate', u'ipakrbrequirespreauth', u'ipauniqueid',
         u'krbcanonicalname', u'managing_host', u'objectclass',
-        u'serverhostname', u'ipakrboktoauthasdelegate'}
+        u'serverhostname', u'ipakrboktoauthasdelegate',
+        u'krbpwdpolicyreference'}
     create_keys = retrieve_keys | {'objectclass', 'ipauniqueid',
                                    'randompassword'}
     update_keys = retrieve_keys - {'dn'}
@@ -121,6 +122,11 @@ def track_create(self):
             managing_host=[self.fqdn],
             serverhostname=[self.shortname],
             ipakrboktoauthasdelegate=False,
+            krbpwdpolicyreference=[DN(
+                u'cn=Default Host Password Policy',
+                self.api.env.container_host,
+                self.api.env.basedn,
+            )],
         )
         self.exists = True
 
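Review bot: The tracker's expected `krbpwdpolicyreference` value hard-codes the default host policy DN with no comment on where the value comes from, so a reader cannot tell it is a CoS-supplied virtual attribute rather than something host-add stores; add e.g. `# virtual attr from the CoS in 20-default_password_policy.update, not stored on the entry` above the added lines. The same applies to the service tracker's track_create hunk in service_plugin.py. track_create begins outside the hunk.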
diff --git a/ipatests/test_xmlrpc/tracker/service_plugin.py b/ipatests/test_xmlrpc/tracker/service_plugin.py
index 7e51aca..e0756a8 100644
--- a/ipatests/test_xmlrpc/tracker/service_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/service_plugin.py
@@ -43,7 +43,7 @@ class ServiceTracker(KerberosAliasMixin, Tracker):
     retrieve_all_keys = retrieve_keys | {
         u'ipaKrbPrincipalAlias', u'ipaUniqueID', u'krbExtraData',
         u'krbLastPwdChange', u'krbLoginFailedCount', u'memberof',
-        u'objectClass', u'ipakrbrequirespreauth',
+        u'objectClass', u'ipakrbrequirespreauth', u'krbpwdpolicyreference',
         u'ipakrbokasdelegate', u'ipakrboktoauthasdelegate'}
 
     create_keys = (retrieve_keys | {u'objectclass', u'ipauniqueid'}) - {
@@ -108,6 +108,11 @@ def track_create(self, **options):
             u'krbcanonicalname': [u'{0}'.format(self.name)],
             u'has_keytab': False,
             u'ipakrboktoauthasdelegate': False,
+            u'krbpwdpolicyreference': [DN(
+                u'cn=Default Service Password Policy',
+                self.api.env.container_service,
+                self.api.env.basedn,
+            )],
         }
 
         for key in self.options:
-- 