[Freeipa-devel] [PATCH] Add option to disable setkeytab extended operations

Simo Sorce simo at redhat.com
Tue Nov 24 19:42:32 UTC 2015


For some time we have used the getkeytab operation to fetch keytabs on newer
clients. According to bug #232, setkeytab can be used to circumvent
password quality controls, so it needs to be slowly retired.

The attached patches implement #5485 in 2 parts.

The first introduces the option DisableSetKeytab which globally disables
the setkeytab extended operation. This is set to false by default for
backwards compatibility.

The second introduces an option called DisableUserSetKeytab, which is
active by default in new installs (but not in upgraded ones), and only
disables the use of setkeytab for ipa users, but not for hosts/services.
This is because users are the ones that may abuse the interface to
escape password policies, and users also normally do not acquire keytabs,
so it is a safe bet to disable just them by default in new installs.

(Testing in progress)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-556-1-Introduce-option-to-disable-the-SetKeytab-exop.patch
Type: text/x-patch
Size: 3224 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151124/4d500afe/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-557-1-Disable-User-s-ability-to-use-the-setkeytab-exop.patch
Type: text/x-patch
Size: 4848 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151124/4d500afe/attachment-0001.bin>
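As an added illustration of the gating described in the post (this is example code written for this page, not the contents of the attached patches or FreeIPA's implementation), the function below combines the two options into a single allow/deny decision for a setkeytab request. It assumes that the global DisableSetKeytab switch takes precedence, and that a "user" is a principal with a single name component before the realm (alice@EXAMPLE.COM), while hosts and services carry a service/host pair (host/web.example.com@EXAMPLE.COM); both of those are assumptions of this example, not facts stated in the post.

```python
"""Illustration of the setkeytab gate described in the post; not FreeIPA code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SetKeytabPolicy:
    # Option names mirror the post; the precedence below is this example's
    # assumption, not a description of how the patches evaluate them.
    disable_setkeytab: bool = False        # global switch, off by default
    disable_user_setkeytab: bool = False   # user-only switch, on in new installs


def is_user_principal(principal: str) -> bool:
    """Assumption: user principals have one component before the realm
    (alice@EXAMPLE.COM); host/service principals have a 'service/host'
    pair (host/web.example.com@EXAMPLE.COM, HTTP/web.example.com@EXAMPLE.COM).
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return "/" not in name


def setkeytab_allowed(principal: str, policy: SetKeytabPolicy) -> bool:
    """Return True if the setkeytab extended operation may proceed."""
    # Global disable wins regardless of who is asking.
    if policy.disable_setkeytab:
        return False
    # User-only disable leaves hosts and services untouched.
    if policy.disable_user_setkeytab and is_user_principal(principal):
        return False
    return True


# Constructed sample principals and the two install profiles from the post.
UPGRADED_INSTALL = SetKeytabPolicy()                                 # both off
NEW_INSTALL = SetKeytabPolicy(disable_user_setkeytab=True)           # user-only on
FULLY_DISABLED = SetKeytabPolicy(disable_setkeytab=True,
                                 disable_user_setkeytab=True)

SAMPLE_PRINCIPALS = (
    "alice@EXAMPLE.COM",
    "host/web.example.com@EXAMPLE.COM",
    "HTTP/web.example.com@EXAMPLE.COM",
)


def decisions(policy: SetKeytabPolicy) -> dict:
    """Map each sample principal to the allow/deny result under a policy."""
    return {p: setkeytab_allowed(p, policy) for p in SAMPLE_PRINCIPALS}


if __name__ == "__main__":
    for label, policy in (("upgraded", UPGRADED_INSTALL),
                          ("new install", NEW_INSTALL),
                          ("fully disabled", FULLY_DISABLED)):
        print(label, decisions(policy))
```

The point the example makes concrete is the one in the post: with only DisableUserSetKeytab turned on, host and service principals keep the old interface and nothing breaks for existing enrollment tooling, while the password-policy escape is closed for the principals that could actually use it.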

