[Freeipa-devel] [PATCH 556-557] Add option to disable setkeytab extended operations

Alexander Bokovoy abokovoy at redhat.com
Tue Dec 1 08:11:45 UTC 2015


On Mon, 30 Nov 2015, Simo Sorce wrote:
>On Wed, 2015-11-25 at 09:47 -0500, Simo Sorce wrote:
>> On Wed, 2015-11-25 at 09:02 -0500, Rob Crittenden wrote:
>> > Jan Cholasta wrote:
>> > > On 24.11.2015 22:17, Simo Sorce wrote:
>> > >> On Tue, 2015-11-24 at 14:57 -0500, Simo Sorce wrote:
>> > >>> On Tue, 2015-11-24 at 14:42 -0500, Simo Sorce wrote:
>> > >>>> Since some time we use the getkeytab operation to fetch keytabs on
>> > >>>> newer
>> > >>>> clients. According to bug #232 setkeytab can be used to circumvent
>> > >>>> password quality controls so it needs to be slowly retired.
>> > >>>>
>> > >>>> The attached patches implement #5485 in 2 parts.
>> > >>>>
>> > >>>> The first introduces the option DisableSetKeytab which globally
>> > >>>> disables
>> > >>>> the setkeytab extended operation. This is set to false by default for
>> > >>>> backwards compatibility.
>> > >>>>
>> > >>>> The second introduces an option called DisableUserSetKeytab, which is
>> > >>>> active by default in new installs (but not in upgraded ones), and only
>> > >>>> disables the use of setkeytab for ipa users, but not for
>> > >>>> hosts/services.
>> > >>>> This is because users are the ones that may abuse the interface to
>> > >>>> escape password policies and users also normally do not acquire
>> > >>>> keytabs,
>> > >>>> so it is a safe bet to disable just them by default in new installs.
>> > >>>>
>> > >>>> (Testing in progress)
>> > >>>
>> > >>> Tested and working as expected.
>> > >>
>> > >> I realized that adding options to ipaConfig requires adding them in the
>> > >> UI as well; attached patches add options in API.txt and config.py.
>> > >> Make now complains that I should change API Major or Minor, but it is not
>> > >> clear to me why, given these are additional values and no real change or
>> > >> new function is introduced. What's the recommendation?
>> > >
>> > > When does make complain? It is supposed to complain only when API.txt
>> > > does not match code.
>> > >
>> > > Anyway, we usually bump minor version even for backward compatible
>> > > changes, see e.g. commit 9549a59.
>> > >
>> >
>> > The point of API.txt (and the heavy client) was to save a round-trip.
>> > Being able to pass in an invalid option would void that rule hence
>> > having to update the API when new values are added.
>> >
>> > rob
>>
>> Ok, added version change to the second patch (so we bump it only once
>> given these are basically related changes).
>
>Bump, is this ok?
This patch is fine but please fix setkeytab use in ipa-sam before
committing this patch.
-- 
/ Alexander Bokovoy
