[Freeipa-devel] [PATCH] Add option to disable setkeytab extended operations
Simo Sorce
simo at redhat.com
Tue Nov 24 19:57:18 UTC 2015
On Tue, 2015-11-24 at 14:42 -0500, Simo Sorce wrote:
> Since some time we use the getkeytab operation to fetch keytabs on newer
> clients. According to bug #232 setkeytab can be used to circumvent
> password quality controls so it needs to be slowly retired.
>
> The attached patches implement #5485 in 2 parts.
>
> The first introduces the option DisableSetKeytab which globally disables
> the setkeytab extended operation. This is set to false by default for
> backwards compatibility.
>
> The second introduces an option called DisableUserSetKeytab, which is
> active by default in new installs (but not in upgraded ones), and only
> disables the use of setkeytab for ipa suers, but not for hosts/services.
> This is because user's are the ones that may abuse the interface to
> escape password policies and users also normally do not acquire keytabs,
> so it is a safe bet to disable just them by default in new installs.
>
> (Testing in progress)
Tested and working as expected.
Simo.
> Simo.
>
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-devel
mailing list