[Freeipa-devel] [PATCH 556-557] Add option to disable setkeytab extended operations

Tue Dec 1 21:07:32 UTC 2015

On Tue, 2015-12-01 at 17:20 +0200, Alexander Bokovoy wrote:
> On Tue, 01 Dec 2015, Martin Kosek wrote:
> >On 12/01/2015 02:59 PM, Simo Sorce wrote:
> >> On Tue, 2015-12-01 at 14:42 +0100, Martin Kosek wrote:
> >>> On 12/01/2015 02:38 PM, Simo Sorce wrote:
> >>>> On Tue, 2015-12-01 at 10:11 +0200, Alexander Bokovoy wrote:
> >>>>> On Mon, 30 Nov 2015, Simo Sorce wrote:
> >>>>>> On Wed, 2015-11-25 at 09:47 -0500, Simo Sorce wrote:
> >>>>>>> On Wed, 2015-11-25 at 09:02 -0500, Rob Crittenden wrote:
> >>>>>>>> Jan Cholasta wrote:
> >>>>>>>>> On 24.11.2015 22:17, Simo Sorce wrote:
> >>>>>>>>>> On Tue, 2015-11-24 at 14:57 -0500, Simo Sorce wrote:
> >>>>>>>>>>> On Tue, 2015-11-24 at 14:42 -0500, Simo Sorce wrote:
> >>>>>>>>>>>> Since some time we use the getkeytab operation to fetch keytabs on
> >>>>>>>>>>>> newer
> >>>>>>>>>>>> clients. According to bug #232 setkeytab can be used to circumvent
> >>>>>>>>>>>> password quality controls so it needs to be slowly retired.
> >>>>>>>>>>>>
> >>>>>>>>>>>> The attached patches implement #5485 in 2 parts.
> >>>>>>>>>>>>
> >>>>>>>>>>>> The first introduces the option DisableSetKeytab which globally
> >>>>>>>>>>>> disables
> >>>>>>>>>>>> the setkeytab extended operation. This is set to false by default for
> >>>>>>>>>>>> backwards compatibility.
> >>>>>>>>>>>>
> >>>>>>>>>>>> The second introduces an option called DisableUserSetKeytab, which is
> >>>>>>>>>>>> active by default in new installs (but not in upgraded ones), and only
> >>>>>>>>>>>> disables the use of setkeytab for ipa suers, but not for
> >>>>>>>>>>>> hosts/services.
> >>>>>>>>>>>> This is because user's are the ones that may abuse the interface to
> >>>>>>>>>>>> escape password policies and users also normally do not acquire
> >>>>>>>>>>>> keytabs,
> >>>>>>>>>>>> so it is a safe bet to disable just them by default in new installs.
> >>>>>>>>>>>>
> >>>>>>>>>>>> (Testing in progress)
> >>>>>>>>>>>
> >>>>>>>>>>> Tested and working as expected.
> >>>>>>>>>>
> >>>>>>>>>> I realized that adding options to ipaConfig require to add them in the
> >>>>>>>>>> UI as well, attached patches add options in API.txt and config.py
> >>>>>>>>>> Make now complain I should change API Major or Minor, but it is not
> >>>>>>>>>> clear to me why given this are additional values and no real change or
> >>>>>>>>>> new function is introduced. What's the recommendation ?
> >>>>>>>>>
> >>>>>>>>> When does make complain? It is supposed to complain only when API.txt
> >>>>>>>>> does not match code.
> >>>>>>>>>
> >>>>>>>>> Anyway, we usually bump minor version even for backward compatible
> >>>>>>>>> changes, see e.g. commit 9549a59.
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>> The point of API.txt (and the heavy client) was to save a round-trip.
> >>>>>>>> Being able to pass in an invalid option would void that rule hence
> >>>>>>>> having to update the API when new values are added.
> >>>>>>>>
> >>>>>>>> rob
> >>>>>>>
> >>>>>>> Ok added version change to the second patch (so we bump it only once
> >>>>>>> given these are basically related changes.
> >>>>>>
> >>>>>> Bump, is this ok ?
> >>>>> This patch is fine but please fix setkeytab use in ipa-sam before
> >>>>> committing this patch.
> >>>>
> >>>> This patch does not disable setkeytab yet, so it can go in right away
> >>>> (it blocks other patches already). We have a bug to change ipa-sam,
> >>>> should we mark it blocker for 4.4 ?
> >>>
> >>> We also have to fix the permission to change keytab, so that it uses the new
> >>> style (https://fedorahosted.org/freeipa/ticket/5487). I would actually make
> >>> this ticket and the ipa-sam ticket a blocker for this patch set.
> >>>
> >>> Otherwise you are actually introducing a switch that breaks FreeIPA as some of
> >>> it's core server functions still use the old method.
> >>
> >> The point of this patchset is to introduce the switch early so that
> >> current server will support the off switch when newer servers down the
> >> road are ready to flip it. The defaults are still to allow these
> >> operations for services/hosts.
> >
> >I still do not get the logic about an early switch. Now, if switch is turned
> >on, FreeIPA server breaks on several places. I would really rather expect the
> >switch to be introduced when the server itself supports it. Then, admin would
> >enable it when the clients are sufficiently updated and can use the new method.
> >
> >Why would admin want to enable the switch early if it breaks FreeIPA some of
> >the FreeIPA servers? Permission can be upgraded in newer version and get
> >replicated, that's fine. But ipa-sam would be still broken on this old FreeIPA
> >server.
> Old server is not a problem here: ipa-sam only talks to the
> localhost-based server as we always use ldapi protocol. So if server is
> running old-behavior FreeIPA, ipa-sam on the same server will work against it.
> 
> What I don't want to have is a situation where setkeytab is disabled and
> a new server obeys it but ipa-sam on this new server is not updated and
> will expectedly fail. We are not that forced to do the change right now
> in 4.3, given that the default will still be to keep setkeytab, thus we
> can wait with this patch until ipa-sam is fixed and then push both
> patches into the closest release, be it 4.3.x (x>=0) or whatever is the
> next one.
> 

Ok I have a prototype patch for ipasam, if it works for Alexander
tomorrow I'll send it to the list.
Meanwhile rebased 556 and 557 as they were conflicting with master where
VERSION has changed.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-556-3-Introduce-option-to-disable-the-SetKeytab-exop.patch
Type: text/x-patch
Size: 5183 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151201/8a8c2248/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-557-4-Disable-User-s-ability-to-use-the-setkeytab-exop.patch
Type: text/x-patch
Size: 7556 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151201/8a8c2248/attachment-0001.bin>