On Fri, Jul 11, 2014 at 11:20:25AM +0200, Michael Ströder wrote:
> On Fri, 11 Jul 2014 10:45:10 +0200 Jakub Hrozek <[email protected]> wrote
>
> > On Fri, Jul 11, 2014 at 08:58:10AM +0200, Michael Ströder wrote:
> > > > HBAC is very similar to this but already done for you.
> > > >
> > > > http://www.freeipa.org/docs/master/html-desktop/index.html#configuring-host-access
> > >
> > > Does it also disallow LDAP read access to users/groups/sudoers which are
> > > not allowed to login or to be used on a host?
> >
> > No, it's pure access control evaluated during the PAM access phase.
>
> This means: If a server gets hacked the attacker can find out more about the
> rest of the server infrastructure by querying FreeIPA's LDAP backend.
I think this is a more generic attack vector than just reading the info from LDAP. If the attacker gains control over an IPA client, they can impersonate the host completely, because they have access to the host keytab. Bottom line -- set up sane ACIs :-)

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
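An added example, not part of the thread, of the kind of "sane ACI" the reply refers to: a 389 Directory Server access control instruction that grants read access on a sudo rules container only to hosts that are members of one host group, so a compromised host bound with its own keytab cannot enumerate rules meant for other hosts. The suffix (dc=example,dc=com), the container DN and the "webservers" host group are assumptions for illustration. In a FreeIPA deployment the default read ACIs are managed as permissions, so the same narrowing would normally go through the ipa permission commands rather than a hand-written ACI, and each host must still be able to read the rules it actually needs.

```ldif
# Constructed example: restrict read/search/compare on the (assumed) sudo rules
# container to members of the (assumed) "webservers" host group.
# 389-DS denies by default, so the point is to replace a broad "allow read to
# all authenticated binds" ACI with a narrow allow, not to stack a deny on top.
dn: cn=sudorules,cn=sudo,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")
 (version 3.0; acl "Hostgroup webservers may read sudo rules";
 allow (read, search, compare)
 groupdn = "ldap:///cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com";)
```

After applying it, the check is to bind as a host that is not in the group (for example with ldapsearch -Y GSSAPI using that host's keytab) and confirm the search under cn=sudorules returns nothing, then repeat from a member host and confirm the rules are visible; the same pattern applies to the user and group containers the thread mentions.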
