[Freeipa-devel] KDC proxy implementation specs
Nathaniel McCallum
npmccallum at redhat.com
Fri May 29 06:15:04 UTC 2015
On Fri, 2015-05-29 at 08:11 +0200, Jan Cholasta wrote:
> Dne 29.5.2015 v 08:07 Nathaniel McCallum napsal(a):
> > On Fri, 2015-05-29 at 08:02 +0200, Jan Cholasta wrote:
> > > Dne 28.5.2015 v 16:48 Nathaniel McCallum napsal(a):
> > > > On Thu, 2015-05-28 at 16:34 +0200, Christian Heimes wrote:
> > > > > Jan has suggested to ipaConfigString=kdcProxyEnabled in
> > > > > cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc instead of
> > > > > ipaConfigString=enabledService in
> > > > > cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc. It makes sense
> > > > > to
> > > > > me.
> > > > > After all MS-KKDCP is just another transport for the KDC. [4]
> > > >
> > > > There may be a security concern here if we aren't careful. I
> > > > think
> > > > I'm
> > > > in favor of KDCPROXY since it is a different application.
> > >
> > > What concern would that be? It has been already established that
> > > KDC
> > > proxy is not a different application, but rather a subcomponent
> > > of
> > > KDC
> > > in the other thread.
> >
> > Accidental exposure of something else in
> > cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc. My fear comes from the
> > fact
> > that in order to make this work we have to expose stuff in
> > cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc to apache. These kind of
> > cross
> > -domain security allowances always raises red flags for me.
>
> Well, the only exposed thing would be ipaConfigString, which always
> has
> an "enabledService" value for KDC and optionally would have
> "kdcProxyEnabled" value if KDC proxy is enabled. IMO if someone wants
> to
> put something sensitive in there, they should use a different
> attribute
> anyway.
So say we now. Then, five years from now, when this conversation is a
distant memory (if that), someone will think it is a good idea to do
something stupid. :)
> > Don't cross the streams... it would be bad. :)
>
> Unless Zuul comes into the picture.
Is Zuul the intern in 2020 that exposes bad stuff?
Nathaniel
More information about the Freeipa-devel
mailing list