Re: [Freeipa-users] Actions for a stolen/compromised IPA Client

2016-11-16 Thread Nordgren, Bryce L -FS
Ummm,

Kinit should work from any host, whether that host is part of the domain or 
not. It contains no inherent knowledge of any passwords. If it succeeds, then 
you either picked a bad password, stored the password in a plaintext file, or 
an actual authorized user ran it. It seems that it would make more sense to 
fret about how to somehow revoke any TGTs already issued to that machine.

Kinit authenticates the person running it, not the host it is running from. In 
your example, it successfully authenticated you because you know your admin 
password. If an attacker knows your admin password, focusing on your one 
compromised host is _not_ where you should be spending your energies.

Bryce



-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Paessens, Daniel
Sent: Wednesday, November 16, 2016 2:58 AM
To: Martin Babinsky <mbabi...@redhat.com>; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Actions for a stolen/compromised IPA Client

Indeed the kinit keeps working correctly.
If you give a good password it retrieves the tokens correctly.
Thus it's not only DoS, but also a potential brute-force password retriever as 
well.
Blocking on firewall level, ok, but what if you use DHCP? It's more difficult to 
protect it that way.

Daniel

-Original Message-
From: Martin Babinsky [mailto:mbabi...@redhat.com]
Sent: Wednesday, November 16, 2016 10:30 AM
To: Paessens, Daniel <daniel.paess...@hpe.com>; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Actions for a stolen/compromised IPA Client

On 11/16/2016 10:04 AM, Paessens, Daniel wrote:
> Currently I am looking for a workable solution for the following situation:
> Let's say that an IPA client has been stolen (or compromised).
> What can we do to block all access from it, towards IPA (and the rest)?
> For example, if we use the command "ipa host-disable" it's noticed
> that IPA users are no longer able to log in to the system. But if you
> log into the system as root, then you can still run (successfully) the
> command kinit, and obtain a ticket for it.
> Even if you delete the host from the directory, the behavior
> remains the same.
> Can this be blocked anyhow?
> Regards,
> Daniel

Hi Daniel,

host-disable removes the host Kerberos keys and certificates from LDAP as you 
correctly observe. This means that all services on the compromised host stop 
working. SSSD will also stop working since it uses the now invalid host keytab 
to perform user lookups; that's why ssh'ing to the host as an IPA user stops working.

However, there is nothing preventing the attacker from trying to kinit as admin 
directly without SSSD on the machine, which can potentially lead to a DoS attack 
on the admin user. So if you realize that the host was compromised it is best 
to first run host-disable and then block all traffic from that host on ports 88 
tcp/udp (Kerberos), 464 tcp/udp (kadmin), 749 tcp/udp (kpasswd IIRC) and 
LDAP(S) ports (389, 636 tcp).

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project







Re: [Freeipa-users] Actions for a stolen/compromised IPA Client

2016-11-16 Thread Paessens, Daniel
Indeed the kinit keeps working correctly.
If you give a good password it retrieves the tokens correctly.
Thus it's not only DoS, but also a potential brute-force password retriever as 
well.
Blocking on firewall level, ok, but what if you use DHCP? It's more difficult to 
protect it that way.

Daniel

-Original Message-
From: Martin Babinsky [mailto:mbabi...@redhat.com] 
Sent: Wednesday, November 16, 2016 10:30 AM
To: Paessens, Daniel <daniel.paess...@hpe.com>; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Actions for a stolen/compromised IPA Client

On 11/16/2016 10:04 AM, Paessens, Daniel wrote:
> Currently I am looking for a workable solution for the following situation:
> Let's say that an IPA client has been stolen (or compromised).
> What can we do to block all access from it, towards IPA (and the rest)?
> For example, if we use the command "ipa host-disable" it's noticed
> that IPA users are no longer able to log in to the system. But if you
> log into the system as root, then you can still run (successfully) the
> command kinit, and obtain a ticket for it.
> Even if you delete the host from the directory, the behavior
> remains the same.
> Can this be blocked anyhow?
> Regards,
> Daniel

Hi Daniel,

host-disable removes the host Kerberos keys and certificates from LDAP as you 
correctly observe. This means that all services on the compromised host stop 
working. SSSD will also stop working since it uses the now invalid host keytab 
to perform user lookups; that's why ssh'ing to the host as an IPA user stops working.

However, there is nothing preventing the attacker from trying to kinit as admin 
directly without SSSD on the machine, which can potentially lead to a DoS attack 
on the admin user. So if you realize that the host was compromised it is best 
to first run host-disable and then block all traffic from that host on ports 88 
tcp/udp (Kerberos), 464 tcp/udp (kadmin), 749 tcp/udp (kpasswd IIRC) and 
LDAP(S) ports (389, 636 tcp).

--
Martin^3 Babinsky



Re: [Freeipa-users] Actions for a stolen/compromised IPA Client

2016-11-16 Thread Martin Babinsky

On 11/16/2016 10:04 AM, Paessens, Daniel wrote:

Currently I am looking for a workable solution for the following situation:
Let's say that an IPA client has been stolen (or compromised). What
can we do to block all access from it, towards IPA (and the rest)?
For example, if we use the command "ipa host-disable" it's noticed
that IPA users are no longer able to log in to the system. But if you
log into the system as root, then you can still run (successfully) the
command kinit, and obtain a ticket for it.
Even if you delete the host from the directory, the behavior remains
the same.
Can this be blocked anyhow?
Regards,
Daniel





Hi Daniel,

host-disable removes the host Kerberos keys and certificates from LDAP 
as you correctly observe. This means that all services on the 
compromised host stop working. SSSD will also stop working since it uses 
the now invalid host keytab to perform user lookups; that's why ssh'ing 
to the host as an IPA user stops working.


However, there is nothing preventing the attacker from trying to kinit as 
admin directly without SSSD on the machine, which can potentially lead to 
a DoS attack on the admin user. So if you realize that the host was 
compromised it is best to first run host-disable and then block all 
traffic from that host on ports 88 tcp/udp (Kerberos), 464 tcp/udp 
(kadmin), 749 tcp/udp (kpasswd IIRC) and LDAP(S) ports (389, 636 tcp).


--
Martin^3 Babinsky

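The thread's point is that host-disable and a firewall rule stop the host's own services but do not stop anyone on that host from running kinit against the KDC, and Daniel notes that with DHCP the host's address is not a stable handle. What a defender can do in the meantime is watch the KDC log for exactly that activity. The following is an added example, not code from the thread or from FreeIPA: a small parser for krb5kdc.log AS_REQ entries that flags repeated pre-authentication failures per (client address, principal) and any TGT issued to an address you have recorded as belonging to a disabled host. The log lines, hostnames, realm EXAMPLE.TEST and addresses are all constructed for the example; the exact field layout of real krb5kdc.log lines may differ by version, and the `blocked_ips` set assumes you captured the host's address at the time it was disabled (the DHCP caveat applies).

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of krb5kdc.log AS_REQ entries
# (not copied from any real KDC). 192.0.2.10 plays the disabled host.
SAMPLE_KDC_LOG = """\
Nov 16 10:30:01 ipa.example.test krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 16 10:30:02 ipa.example.test krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PREAUTH_FAILED: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
Nov 16 10:30:03 ipa.example.test krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PREAUTH_FAILED: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
Nov 16 10:30:04 ipa.example.test krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PREAUTH_FAILED: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
Nov 16 10:30:09 ipa.example.test krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1479292209, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 16 10:31:00 ipa.example.test krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: ISSUE: authtime 1479292260, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

# Matches the AS_REQ part of a line: client address, KDC status word,
# optional ISSUE details, client principal and requested service.
AS_REQ_RE = re.compile(
    r"AS_REQ \([^)]*\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>[^\s,]+)"
)


def parse_as_req(line):
    """Return a dict with ip/status/client/service, or None for other lines."""
    m = AS_REQ_RE.search(line)
    return m.groupdict() if m else None


def audit_kdc_log(lines, blocked_ips, failure_threshold=3):
    """Scan KDC log lines and return a list of alert tuples.

    Alerts are (kind, ip, principal, count):
      - "repeated_preauth_failure": the same address failed pre-auth for the
        same principal failure_threshold times (password guessing / lockout DoS).
      - "tgt_issued_to_disabled_host": a TGT was issued to an address in
        blocked_ips, i.e. the disabled host's address, as the thread warns.
    """
    failures = defaultdict(int)
    issued = defaultdict(int)
    alerts = []
    for line in lines:
        ev = parse_as_req(line)
        if ev is None:
            continue
        key = (ev["ip"], ev["client"])
        if ev["status"] == "PREAUTH_FAILED":
            failures[key] += 1
            # Alert once, when the threshold is first reached.
            if failures[key] == failure_threshold:
                alerts.append(("repeated_preauth_failure", ev["ip"], ev["client"], failure_threshold))
        elif ev["status"] == "ISSUE":
            issued[key] += 1
            if ev["ip"] in blocked_ips:
                alerts.append(("tgt_issued_to_disabled_host", ev["ip"], ev["client"], issued[key]))
    return alerts


if __name__ == "__main__":
    # Address of the host that was just disabled; an assumption for the demo.
    for alert in audit_kdc_log(SAMPLE_KDC_LOG.splitlines(), blocked_ips={"192.0.2.10"}):
        print(alert)
```

Feed it `journalctl`/`/var/log/krb5kdc.log` output instead of the sample block to use it on a real server; a "tgt_issued_to_disabled_host" alert is the signal that the credential used (here admin) needs to be rotated, which is the action Bryce's reply points at.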