Re: [Freeipa-users] Restrict AD users from passwd

2013-08-14 Thread Brian Lee
On the AD side, they limit the potential to change the AD password by
deploying a modified msgina.dll. Otherwise, the user still has ways to
throw a wrench in the system; we're just doing our best to limit the
opportunity for this action.


On Wed, Aug 14, 2013 at 10:32 AM, Simo Sorce  wrote:

> On Wed, 2013-08-14 at 09:48 -0400, Brian Lee wrote:
> > Hi Sumit,
> >
> >
> > Thanks for the suggestion. I'll have to give this some thought, since
> > we have 100+ AD servers, this might not be well received by the AD
> > team. If anyone can think of a better mousetrap than this, let me
> > know.
>
> Do you also block the 'net user' command on Windows clients ?
> It's the same as 'passwd' on Linux clients.
>
> I would address the problem by using proper password policies as I (now)
> see Petr recommended in another email.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Restrict AD users from passwd

2013-08-14 Thread Simo Sorce
On Wed, 2013-08-14 at 09:48 -0400, Brian Lee wrote:
> Hi Sumit,
> 
> 
> Thanks for the suggestion. I'll have to give this some thought, since
> we have 100+ AD servers, this might not be well received by the AD
> team. If anyone can think of a better mousetrap than this, let me
> know.

Do you also block the 'net user' command on Windows clients ?
It's the same as 'passwd' on Linux clients.

I would address the problem by using proper password policies as I (now)
see Petr recommended in another email.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Restrict AD users from passwd

2013-08-14 Thread Petr Spacek

On 14.8.2013 15:48, Brian Lee wrote:
> Hi Sumit,
>
> Thanks for the suggestion. I'll have to give this some thought, since we
> have 100+ AD servers, this might not be well received by the AD team. If
> anyone can think of a better mousetrap than this, let me know.
>
> Thanks,
> Brian
>
>
> On Wed, Aug 14, 2013 at 9:37 AM, Sumit Bose  wrote:
>
> > On Wed, Aug 14, 2013 at 09:19:17AM -0400, Brian Lee wrote:
> > > Hi All,
> > >
> > > Our current account management policy requires that users change their AD
> > > passwords via a special portal, however I've noticed that this can be
> > > bypassed by issuing passwd on a Linux system while logged in with AD
> > > credentials, thus changing their AD password.
> > >
> > > Any thoughts on the best way to prevent this action?
> > >
> > > What I've considered so far is removing the trust in AD, effectively
> > > creating a one-way trust, but that would limit functionality for future
> > > interoperability.
> > >
> > > Additionally, we could change the permissions for passwd on each Linux
> > > system, but this would be somewhat hackish and also complicated to enforce,
> > > since we're waiting on Foreman + Puppet to properly be integrated into
> > > Katello for our configuration management solution.
> > >
> > > Any way to restrict this via the FreeIPA UI?
> >
> > I think the only safe way to achieve this is to block port 464 on the AD
> > servers for the Linux hosts. Because basically what passwd is doing here
> > via SSSD is to change the Kerberos password. The same can be done with
> > the kpasswd command; it does not require any privileges, the user only
> > needs to know his current password. So even if we add an option to force
> > SSSD to reject password changes for users from trusted domains there are
> > other ways for users to change the password which cannot be controlled
> > by IPA.
> >
> > Please note that changing the AD password with kpasswd would even work
> > without trust.


IMHO the correct approach is to enforce password policy on AD side, otherwise 
users can use standard Kerberos protocol and do the change anyway (i.e. 
effectively bypass IPA and your portal completely).


AFAIK AD has some checkbox which determines if the user is allowed to change 
own password or not.


The next question is how 'the portal' does the password change and if it will 
continue to work if you disallow users to change own password on AD side.


--
Petr^2 Spacek

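Added example, not code from the thread or from FreeIPA: the AD-side control Petr refers to is the "User cannot change password" flag on the user object, which writes deny ACEs for the Change-Password extended right. The script below audits an OU for accounts that still lack the flag, sets it (dry run first), and then exercises the other path a portal normally relies on, a delegated Reset, which is not governed by that flag. The OU, the portal service account name and the test user are assumptions for illustration.

```powershell
# Added example (not from the thread): enforce the AD-side "User cannot change
# password" flag and check that a delegated reset still works afterwards.
# Names below are assumptions; replace them with your own.
Import-Module ActiveDirectory

$TargetOU      = 'OU=Staff,DC=example,DC=com'   # assumed: accounts that must use the portal
$PortalSvcName = 'svc-pwportal'                 # assumed: account the portal resets passwords with

function Get-UsersWhoCanChangeOwnPassword {
    param([string]$SearchBase = $TargetOU)
    # CannotChangePassword is a computed property and must be requested explicitly.
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties CannotChangePassword |
        Where-Object { -not $_.CannotChangePassword -and
                       $_.SamAccountName -ne $PortalSvcName }
}

function Set-PortalOnlyPasswordChange {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$SearchBase = $TargetOU)
    foreach ($u in Get-UsersWhoCanChangeOwnPassword -SearchBase $SearchBase) {
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Set CannotChangePassword')) {
            # Writes the deny ACEs for the Change-Password right (SELF and Everyone).
            Set-ADUser -Identity $u -CannotChangePassword $true
        }
    }
}

# Report, then dry run; drop -WhatIf to apply.
Get-UsersWhoCanChangeOwnPassword | Select-Object SamAccountName, DistinguishedName
Set-PortalOnlyPasswordChange -WhatIf

# Run the following as the portal's service account, which is assumed to hold the
# delegated Reset-Password right on the OU. A reset does not need the old password
# and is not blocked by CannotChangePassword; a change (what passwd/kpasswd do) is.
$new = Read-Host -AsSecureString -Prompt 'New password for test user jdoe'
Set-ADAccountPassword -Identity 'jdoe' -Reset -NewPassword $new   # 'jdoe' is an assumed test user
```

The distinction answers Petr's last question: a portal that performs a reset with a delegated account keeps working, while one that performs a user-context change (old password supplied) breaks along with passwd and kpasswd. Plan for expiry as well: once a user cannot change their own password, an expired password can only be cleared by a reset, so the portal must own that flow too.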


Re: [Freeipa-users] Restrict AD users from passwd

2013-08-14 Thread Brian Lee
Hi Sumit,

Thanks for the suggestion. I'll have to give this some thought, since we
have 100+ AD servers, this might not be well received by the AD team. If
anyone can think of a better mousetrap than this, let me know.

Thanks,
Brian




On Wed, Aug 14, 2013 at 9:37 AM, Sumit Bose  wrote:

> On Wed, Aug 14, 2013 at 09:19:17AM -0400, Brian Lee wrote:
> > Hi All,
> >
> > Our current account management policy requires that users change their AD
> > passwords via a special portal, however I've noticed that this can be
> > bypassed by issuing passwd on a Linux system while logged in with AD
> > credentials, thus changing their AD password.
> >
> > Any thoughts on the best way to prevent this action?
> >
> > What I've considered so far is removing the trust in AD, effectively
> > creating a one-way trust, but that would limit functionality for future
> > interoperability.
> >
> > Additionally, we could change the permissions for passwd on each Linux
> > system, but this would be somewhat hackish and also complicated to
> enforce,
> > since we're waiting on Foreman + Puppet to properly be integrated into
> > Katello for our configuration management solution.
> >
> > Any way to restrict this via the FreeIPA UI?
>
> I think the only safe way to achieve this is to block port 464 on the AD
> servers for the Linux hosts. Because basically what passwd is doing here
> via SSSD is to change the Kerberos password. The same can be done with
> the kpasswd command; it does not require any privileges, the user only
> needs to know his current password. So even if we add an option to force
> SSSD to reject password changes for users from trusted domains there are
> other ways for users to change the password which cannot be controlled
> by IPA.
>
> Please note that changing the AD password with kpasswd would even work
> without trust.
>
> HTH
>
> bye,
> Sumit
>
> >
> > Thanks,
> > Brian
>

Re: [Freeipa-users] Restrict AD users from passwd

2013-08-14 Thread Sumit Bose
On Wed, Aug 14, 2013 at 09:19:17AM -0400, Brian Lee wrote:
> Hi All,
> 
> Our current account management policy requires that users change their AD
> passwords via a special portal, however I've noticed that this can be
> bypassed by issuing passwd on a Linux system while logged in with AD
> credentials, thus changing their AD password.
> 
> Any thoughts on the best way to prevent this action?
> 
> What I've considered so far is removing the trust in AD, effectively
> creating a one-way trust, but that would limit functionality for future
> interoperability.
> 
> Additionally, we could change the permissions for passwd on each Linux
> system, but this would be somewhat hackish and also complicated to enforce,
> since we're waiting on Foreman + Puppet to properly be integrated into
> Katello for our configuration management solution.
> 
> Any way to restrict this via the FreeIPA UI?

I think the only safe way to achieve this is to block port 464 on the AD
servers for the Linux hosts. Because basically what passwd is doing here
via SSSD is to change the Kerberos password. The same can be done with
the kpasswd command; it does not require any privileges, the user only
needs to know his current password. So even if we add an option to force
SSSD to reject password changes for users from trusted domains there are
other ways for users to change the password which cannot be controlled
by IPA.

Please note that changing the AD password with kpasswd would even work
without trust.

HTH

bye,
Sumit
 
> 
> Thanks,
> Brian

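Added example, not code from the thread or from SSSD/FreeIPA: the network control Sumit describes, done on the domain controllers themselves. The Kerberos change/set-password service (RFC 3244, what kpasswd and SSSD's passwd path talk to) listens on TCP and UDP 464, so both are blocked for the Linux networks. The rules go into a GPO linked to the DC OU so that all 100+ DCs pick them up; the subnets and the GPO name are assumptions.

```powershell
# Added example (not from the thread): block kpasswd (TCP/UDP 464) on the DCs
# for the Linux hosts' networks via a GPO. Addresses and GPO name are assumed.
$LinuxSubnets = @('10.20.0.0/16', '10.21.0.0/16')   # assumed: where the SSSD clients live
$GpoStore     = 'example.com\DC-Firewall'           # assumed: GPO linked to the Domain Controllers OU

function New-KpasswdBlockRules {
    param([string[]]$RemoteAddress, [string]$PolicyStore)
    foreach ($proto in 'TCP', 'UDP') {
        # Block rules win over allow rules in Windows Firewall, so an existing
        # broad allow for 464 does not need to be touched.
        New-NetFirewallRule -DisplayName "Block kpasswd $proto from Linux" `
            -Direction Inbound -Protocol $proto -LocalPort 464 `
            -RemoteAddress $RemoteAddress -Action Block -Profile Domain `
            -PolicyStore $PolicyStore
    }
}

New-KpasswdBlockRules -RemoteAddress $LinuxSubnets -PolicyStore $GpoStore

# Check what the GPO now carries before the DCs apply it: ports and scoped sources.
$rules = Get-NetFirewallRule -PolicyStore $GpoStore -DisplayName 'Block kpasswd*'
$rules | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort
$rules | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Scope the block to the Linux networks rather than to everyone, so the portal and any other legitimate callers elsewhere keep working. The gap Sumit points at remains: a user on any host outside those subnets that can reach a DC on 464 can still run kpasswd, which is why the AD-side password policy is the control that actually closes the bypass and the firewall rule is defence in depth for the managed Linux fleet.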


[Freeipa-users] Restrict AD users from passwd

2013-08-14 Thread Brian Lee
Hi All,

Our current account management policy requires that users change their AD
passwords via a special portal, however I've noticed that this can be
bypassed by issuing passwd on a Linux system while logged in with AD
credentials, thus changing their AD password.

Any thoughts on the best way to prevent this action?

What I've considered so far is removing the trust in AD, effectively
creating a one-way trust, but that would limit functionality for future
interoperability.

Additionally, we could change the permissions for passwd on each Linux
system, but this would be somewhat hackish and also complicated to enforce,
since we're waiting on Foreman + Puppet to properly be integrated into
Katello for our configuration management solution.

Any way to restrict this via the FreeIPA UI?

Thanks,
Brian