[Freeipa-devel] [PATCH] #3859: Better mechanism to retrieve keytabs

Simo Sorce simo at redhat.com
Fri Sep 20 19:35:47 UTC 2013


This patch set is an initial implementation of ticket #3859

It seems to be working fine in my initial testing, but I have not yet
tested all cases.

However I wanted to throw it on the list to get some initial feedback
about the choices I made wrt access control and ipa-getkeytab flags and
default behavior.

In particular, the current patch set would require us to make
host/service keytabs readable by the requesting party (whoever that is,
admin or host itself) in order to allow it to get back the actual
keytab. I am not sure this is ideal. Also, write access to the keytab is
still all that is needed to allow someone to change it.

Neither is ideal, but it was simpler as a first implementation. In
particular I think we should allow either permission independently, and
it should be something an admin can change. However I do not like
allowing normal writes or reads to these attributes, mostly because w/o
access to the master key nobody can really make sense of actually
reading out the contents of KrbPrincipalKey or could write a blob that
can be successfully decrypted.

So I was wondering if we might want to prevent both reading and writing
via LDAP (except via extended operations) and instead use another method
to determine access patterns.

As for ipa-getkeytab, is everyone ok with trying the new method first and
always falling back to the old one (if a password has been provided)?

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-keytabs-Modularize-setkeytab-operation.patch
Type: text/x-patch
Size: 16436 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130920/ec7fabe5/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-keytabs-Expose-and-modify-key-encoding-function.patch
Type: text/x-patch
Size: 5300 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130920/ec7fabe5/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-keytab-Add-new-extended-operation-to-get-a-keytab.patch
Type: text/x-patch
Size: 16191 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130920/ec7fabe5/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-ipa-getkeytab-Modularize-ldap_set_keytab-function.patch
Type: text/x-patch
Size: 11208 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130920/ec7fabe5/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-ipa-getkeytab-Add-support-for-get_keytab-extop.patch
Type: text/x-patch
Size: 15882 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130920/ec7fabe5/attachment-0004.bin>
