[Freeipa-devel] KDC proxy implementation specs

Nathaniel McCallum npmccallum at redhat.com
Fri May 29 06:15:04 UTC 2015


On Fri, 2015-05-29 at 08:11 +0200, Jan Cholasta wrote:
> Dne 29.5.2015 v 08:07 Nathaniel McCallum napsal(a):
> > On Fri, 2015-05-29 at 08:02 +0200, Jan Cholasta wrote:
> > > Dne 28.5.2015 v 16:48 Nathaniel McCallum napsal(a):
> > > > On Thu, 2015-05-28 at 16:34 +0200, Christian Heimes wrote:
> > > > > Jan has suggested using ipaConfigString=kdcProxyEnabled in
> > > > > cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc instead of
> > > > > ipaConfigString=enabledService in
> > > > > cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc. It makes sense to me.
> > > > > After all MS-KKDCP is just another transport for the KDC. [4]
> > > > 
> > > > There may be a security concern here if we aren't careful. I think I'm
> > > > in favor of KDCPROXY since it is a different application.
> > > 
> > > What concern would that be? It has been already established that KDC
> > > proxy is not a different application, but rather a subcomponent of KDC
> > > in the other thread.
> > 
> > Accidental exposure of something else in
> > cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc. My fear comes from the fact
> > that in order to make this work we have to expose stuff in
> > cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc to apache. These kinds of
> > cross-domain security allowances always raise red flags for me.
> 
> Well, the only exposed thing would be ipaConfigString, which always has
> an "enabledService" value for KDC and optionally would have a
> "kdcProxyEnabled" value if KDC proxy is enabled. IMO if someone wants to
> put something sensitive in there, they should use a different attribute
> anyway.

So say we now. Then, five years from now, when this conversation is a
distant memory (if that), someone will think it is a good idea to do
something stupid. :)

> > Don't cross the streams... it would be bad. :)
> 
> Unless Zuul comes into the picture.

Is Zuul the intern in 2020 that exposes bad stuff?

Nathaniel