[Freeipa-devel] [PATCH] Add option to disable setkeytab extended operations

Alexander Bokovoy abokovoy at redhat.com
Tue Dec 1 08:21:28 UTC 2015


On Tue, 01 Dec 2015, Petr Spacek wrote:
>On 24.11.2015 20:42, Simo Sorce wrote:
>> For some time now we have used the getkeytab operation to fetch keytabs on newer
>> clients. According to bug #232, setkeytab can be used to circumvent
>> password quality controls, so it needs to be slowly retired.
>>
>> The attached patches implement #5485 in 2 parts.
>>
>> The first introduces the option DisableSetKeytab which globally disables
>> the setkeytab extended operation. This is set to false by default for
>> backwards compatibility.
>>
>> The second introduces an option called DisableUserSetKeytab, which is
>> active by default in new installs (but not in upgraded ones), and only
>> disables the use of setkeytab for IPA users, but not for hosts/services.
>> This is because users are the ones that may abuse the interface to
>> escape password policies, and users also normally do not acquire keytabs,
>> so it is a safe bet to disable just them by default in new installs.
>
>On a related note, how does this work with the plain kadmin & kpasswd protocols?
It is unrelated. We don't support principal manipulation via the kadmin
protocol.

>Do I remember correctly that there is no way to download a keytab without
>re-generating it?
The new keytab extended operation has allowed retrieval without re-generation
since FreeIPA 4.0. See http://www.freeipa.org/page/V4/Keytab_Retrieval
and http://www.freeipa.org/page/V4/Keytab_Retrieval_Management
-- 
/ Alexander Bokovoy
