Thanks Andreas,
I am not an expert either on Kerberos or on security - I know enough to
be able to spot and verify a problem, but not enough to verify a
sufficient solution, so take what I say with that caveat in mind.
The section you have written seems reasonable, and that is indeed the
main att
I updated the guide at https://discourse.ubuntu.com/t/service-sssd/11579/
with a section on KDC spoofing, please take a look.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/176
Title:
Ubuntu doc
Hi Andrew, I'm back on this bug since I'm updating the server guide for
the 20.04 release.
Again I didn't add krb5_validate to the guide, mostly because I had
forgotten about this bug here. The new guide is at
https://discourse.ubuntu.com/t/service-sssd/11579
Let me see if I got the attack scenar
** Changed in: serverguide
Assignee: (unassigned) => Andreas Hasenack (ahasenack)
** Changed in: serverguide
Status: Confirmed => In Progress
--
Has there been any progress on this issue? Thanks!
** Changed in: sssd (Ubuntu)
Status: New => Invalid
** Changed in: serverguide
Status: New => Confirmed
--
I don't know why krb5_validate is false by default. I thought it was
historical or to (dubiously) make setting up easier, but I did some
tests and found, to my surprise, that even with it not set, I could not
log in without an /etc/krb5.keytab file.
In particular, I tried all 6 combinations of
And, is sssd's krb5_validate option overriding krb5 library's
verify_ap_req_nofail?
If this flag is true, then an attempt to verify initial credentials will
fail if the client machine does not have a keytab. The default value is
false.
--
Any idea why upstream sets krb5_validate to false by default? I presume
because this would require the extra step of creating a service ticket
for the host where the login happened, if I understood it correctly?
--
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/176
Title:
Ubuntu documentation for sssd/kerberos does not authenticate
authe