On Mon, Apr 20, 2020, at 10:09 AM, Andreas Hasenack wrote:
> Hi,
>
> I'm wondering why krb5_validate defaults to false in sssd-krb5, and
> apparently it's the same default in the MIT Kerberos libraries (via
> verify_ap_req_nofail). It should solve the KDC impersonation attack,
> at the expense of a slightly more complicated setup (create the host
> principal, extract key, create keytab). Is it because of this added
> difficulty in setting up things, or does it not work on very common
> scenarios/applications? Or just one of those hard-to-do transitions?
>

In my opinion, krb5_validate is broken. It chooses the name of the first key in the keytab to attempt validation, rather than either the newest or the one matching ldap_sasl_authid (or an equivalent setting). This causes issues where a host may have previously had a service principal but it got reassigned to another host, or due to renaming a host without removing the old name from the keytab. (RH support considered it "not a bug.")

V/r,
James Cassell
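Added example, not part of the thread and not sssd or MIT Kerberos code: a small Python check for the keytab-ordering situation the reply describes. It parses `klist -k` style output (the listing below is a constructed sample, with hypothetical host names in the EXAMPLE.COM realm), reports which principal sits first in the keytab, and lists entries whose name differs from the principal the host expects, so an administrator can spot a stale or reassigned name before enabling validation.

```python
"""Check keytab order against the host principal a machine expects.

Added example: operates on text in the shape of `klist -k` output so it runs
offline; the sample listing and all names are constructed, not from any real
system.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed `klist -k` output for a host whose keytab still carries an old,
# reassigned principal ahead of the current one (two enctypes per name).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/old-name.example.com@EXAMPLE.COM
   3 host/old-name.example.com@EXAMPLE.COM
   5 host/current-name.example.com@EXAMPLE.COM
   5 host/current-name.example.com@EXAMPLE.COM
"""

# One keytab entry line: key version number followed by the principal name.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(text: str) -> List[Tuple[int, str]]:
    """Return (kvno, principal) pairs in keytab order, skipping header lines."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append((int(match.group(1)), match.group(2)))
    return entries


def first_principal(entries: List[Tuple[int, str]]) -> Optional[str]:
    """The principal of the first key, i.e. the one the reply says is used."""
    return entries[0][1] if entries else None


def stale_principals(entries: List[Tuple[int, str]], expected: str) -> List[str]:
    """Principal names in the keytab that are not the expected host principal."""
    return sorted({principal for _, principal in entries if principal != expected})


def check_keytab(text: str, expected: str) -> Dict[str, object]:
    """Summarise whether validation keyed off the first entry would use the
    expected principal, and which other names linger in the keytab."""
    entries = parse_klist(text)
    first = first_principal(entries)
    return {
        "first_principal": first,
        "first_matches_expected": first == expected,
        "stale": stale_principals(entries, expected),
    }


if __name__ == "__main__":
    # In real use, build the expected name from the host's FQDN and realm
    # (hypothetical values here) and feed in the live `klist -k` output.
    expected_name = "host/current-name.example.com@EXAMPLE.COM"
    result = check_keytab(SAMPLE_KLIST, expected_name)
    print("first principal in keytab:", result["first_principal"])
    print("matches expected host principal:", result["first_matches_expected"])
    for name in result["stale"]:
        print("stale principal still present:", name)
```

When `first_matches_expected` is false, the stale names are candidates for removal from the keytab before relying on any validation that picks the first key; the script only reports, it does not modify the keytab.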
