[Freeipa-devel] [PATCH] Add option to disable setkeytab extended operations

Sumit Bose sbose at redhat.com
Wed Nov 25 15:52:23 UTC 2015


On Wed, Nov 25, 2015 at 09:54:13AM -0500, Simo Sorce wrote:
> On Wed, 2015-11-25 at 10:24 +0100, Sumit Bose wrote:
> > On Tue, Nov 24, 2015 at 02:42:32PM -0500, Simo Sorce wrote:
> > > Since some time we use the getkeytab operation to fetch keytabs on newer
> > > clients. According to bug #232 setkeytab can be used to circumvent
> > > password quality controls so it needs to be slowly retired.
> > 
> > ipasam uses this exop to create the cross-realm TGT principal objects,
> > krbtgt/DOM.A at DOM.B. What should be used instead to make sure that
> > setkeytab can safely be disabled?
> 
> It must use the new getkeytab extended operation.
> 
> Can you open a ticket to fix this and assign it to me?

Here you are

https://fedorahosted.org/freeipa/ticket/5495

bye,
Sumit

> 
> Simo.
> 
> > bye,
> > Sumit
> > 
> > > 
> > > The attached patches implement #5485 in 2 parts.
> > > 
> > > The first introduces the option DisableSetKeytab which globally disables
> > > the setkeytab extended operation. This is set to false by default for
> > > backwards compatibility.
> > > 
> > > The second introduces an option called DisableUserSetKeytab, which is
> > > active by default in new installs (but not in upgraded ones), and only
> > > disables the use of setkeytab for ipa users, but not for hosts/services.
> > > This is because users are the ones that may abuse the interface to
> > > escape password policies and users also normally do not acquire keytabs,
> > > so it is a safe bet to disable just them by default in new installs.
> > > 
> > > (Testing in progress)
> > > 
> > > Simo.
> > > 
> > > -- 
> > > Simo Sorce * Red Hat, Inc * New York
> 
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York
> 