[Freeipa-users] Re: rotate host keytabs
Sure. We’re not actually doing this.

> On Jun 22, 2018, at 11:38 AM, Robbie Harwood wrote:
>
> Charles Hedrick writes:
>
>> I can see only one possible advantage. If someone becomes root and
>> steals your keytab, regular rotation will limit how long the
>> compromise lasts. Of course that assumes that you fix the problem that
>> allowed them to become root in the first place.
>
> And that they don't give themselves persistence on the system once they
> have root. Persistence is almost impossible to detect when one is
> actively looking for it - I would at the very least reinstall the entire
> OS from scratch on any compromised machine. Depending on threat model,
> it's worth considering an entirely new machine for baremetal compromise.
>
>> You could add the new credential, keeping old and new, and then wait
>> long enough before removing the old one that no one would still be
>> using it. I haven’t tried that though.
>
> It's still a bit tricky because you have to prune the keytab, but yes,
> it can be done. But again, I don't see a use case.
>
> Thanks,
> --Robbie

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/TYGWM5C2AZCMK7VJLXKDPOBGNZYAFHTF/
[Freeipa-users] Re: rotate host keytabs
I can see only one possible advantage. If someone becomes root and steals your keytab, regular rotation will limit how long the compromise lasts. Of course that assumes that you fix the problem that allowed them to become root in the first place.

You could add the new credential, keeping old and new, and then wait long enough before removing the old one that no one would still be using it. I haven’t tried that though.

> On May 17, 2018, at 7:48 PM, Robbie Harwood via FreeIPA-users wrote:
>
> Natxo Asenjo via FreeIPA-users writes:
>
>> does anybody rotate host keytabs? Is it worth it security-wise?
>
> Hi, krb5 maintainer here. Keytab rotation is ugly. I recommend not
> doing it if you can avoid it largely because one of two things will
> happen:
>
> - All clients who have credentials against the old keytab will see
> messy, inexplicable authentication failures.
>
> - If you try to get around that by keeping the old entry around in the
> keytab (i.e., multiple kvnos), you haven't actually accomplished
> anything.
>
> So there's a serious trade-off between any security benefit that might
> accrue and the burden of cleaning up afterward.
>
> Service keytabs (of which host keytabs are an instance) in freeIPA
> aren't tied to a user-supplied password. (Outside freeIPA, they usually
> aren't either.) Therefore, I don't see a vector in which rotating them
> is helpful, unless you're worried about the strength of the underlying
> cryptography (and if you're worried about AES-256, I'm not sure there's
> much anyone can do to help).
>
> Thanks,
> --Robbie

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/GHRFUVBQVWMZVNNOOSVNKJDNUJPJFP2D/
[Freeipa-users] Re: rotate host keytabs
Charles Hedrick writes:

> I can see only one possible advantage. If someone becomes root and
> steals your keytab, regular rotation will limit how long the
> compromise lasts. Of course that assumes that you fix the problem that
> allowed them to become root in the first place.

And that they don't give themselves persistence on the system once they have root. Persistence is almost impossible to detect when one is actively looking for it - I would at the very least reinstall the entire OS from scratch on any compromised machine. Depending on threat model, it's worth considering an entirely new machine for baremetal compromise.

> You could add the new credential, keeping old and new, and then wait
> long enough before removing the old one that no one would still be
> using it. I haven’t tried that though.

It's still a bit tricky because you have to prune the keytab, but yes, it can be done. But again, I don't see a use case.

Thanks,
--Robbie

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/474NJCO736NL5L5YPFBEFVCNPCUCX6V3/
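The "keep old and new, wait, then prune" procedure discussed in the two messages above, mechanised as an added example. This is not code from the thread, from FreeIPA or from MIT krb5; it assumes MIT `klist`/`ktutil` semantics (both list a keytab's entries in file order, and `ktutil`'s `delent` renumbers the entries after the one deleted), and the keytab path, principal names and the `klist -k` listing are constructed for illustration. The step that gets you into this state in the first place is the key regeneration itself: in FreeIPA, `ipa-getkeytab` without `-r` creates new keys and appends them to the keytab, so the file ends up holding both kvnos until someone removes the old ones.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/MIT krb5.
# After a key regeneration a keytab can hold entries for both the old and
# the new kvno of the same principal. This script reads `klist -k` output,
# keeps only the highest kvno per principal, and emits the ktutil commands
# that write a pruned copy of the keytab.

# Constructed sample of `klist -k /etc/krb5.keytab` on a host whose host
# key was regenerated once (kvno 3 -> 4, two enctypes each) and whose nfs
# key was not touched.
SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/client.example.test@EXAMPLE.TEST
   3 host/client.example.test@EXAMPLE.TEST
   4 host/client.example.test@EXAMPLE.TEST
   4 host/client.example.test@EXAMPLE.TEST
   2 nfs/client.example.test@EXAMPLE.TEST'

# stale_slots: read `klist -k` text on stdin; print the 1-based slot number
# (the order in which klist and ktutil both list entries) of every entry
# whose kvno is older than the newest kvno seen for the same principal.
# Slots are printed highest first: ktutil's `delent` renumbers the entries
# after the one deleted, so deleting bottom-up keeps the numbers valid.
stale_slots() {
    awk '
        # entry lines begin with an integer kvno; header lines do not
        $1 ~ /^[0-9]+$/ {
            n++; k = $1 + 0; kvno[n] = k; princ[n] = $2
            if (!($2 in max) || k > max[$2]) max[$2] = k
        }
        END {
            for (i = n; i >= 1; i--)
                if (kvno[i] < max[princ[i]]) print i
        }'
}

# ktutil_prune KEYTAB OUT: emit a ktutil command script that loads KEYTAB,
# deletes the stale slots and writes the result to OUT. OUT must not exist
# yet: `wkt` appends to an existing file instead of replacing it.
ktutil_prune() {
    printf 'rkt %s\n' "$1"
    stale_slots | sed 's/^/delent /'
    printf 'wkt %s\nquit\n' "$2"
}

# Usage on a real host (assumed paths), run as root:
#   klist -k /etc/krb5.keytab | ktutil_prune /etc/krb5.keytab /root/krb5.keytab.new | ktutil
#   klist -k /root/krb5.keytab.new    # verify only the newest kvno remains
#   mv /root/krb5.keytab.new /etc/krb5.keytab
# Here it is driven by the constructed sample, so it only prints the script.
printf '%s\n' "$SAMPLE" | ktutil_prune /etc/krb5.keytab /root/krb5.keytab.new
```

Service tickets carry the kvno they were encrypted under, so tickets issued before the rotation keep working only as long as the old entry is still in the keytab; wait at least the realm's maximum ticket lifetime before running the prune step, or clients holding those tickets will get exactly the authentication failures Robbie describes. Until the prune runs, a copy of the old key still authenticates, which is his other point.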
[Freeipa-users] Re: rotate host keytabs
Natxo Asenjo via FreeIPA-users writes:

> does anybody rotate host keytabs? Is it worth it security-wise?

Hi, krb5 maintainer here. Keytab rotation is ugly. I recommend not doing it if you can avoid it largely because one of two things will happen:

- All clients who have credentials against the old keytab will see messy, inexplicable authentication failures.

- If you try to get around that by keeping the old entry around in the keytab (i.e., multiple kvnos), you haven't actually accomplished anything.

So there's a serious trade-off between any security benefit that might accrue and the burden of cleaning up afterward.

Service keytabs (of which host keytabs are an instance) in freeIPA aren't tied to a user-supplied password. (Outside freeIPA, they usually aren't either.) Therefore, I don't see a vector in which rotating them is helpful, unless you're worried about the strength of the underlying cryptography (and if you're worried about AES-256, I'm not sure there's much anyone can do to help).

Thanks,
--Robbie

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/ZWV6GD3XX47SFMM74SXC5XZLZLHZB2Q6/