[Freeipa-devel] [PATCH] restrict setkeytab operation

Simo Sorce simo at redhat.com
Tue Jul 26 11:38:25 UTC 2016


On Mon, 2016-07-25 at 11:26 -0400, Simo Sorce wrote:
> On Mon, 2016-07-25 at 11:10 -0400, Rob Crittenden wrote:
> > Simo Sorce wrote:
> > > On Mon, 2016-07-25 at 10:55 -0400, Rob Crittenden wrote:
> > >> Simo Sorce wrote:
> > >>> As described in #232 start restricting the use of the setkeytab
> > >>> operation to just the computers objects.
> > >>>
> > >>> I haven't tested this with older RHEL/CentOS machines that actually use
> > >>> the setkeytab operation as I do not have such an old VM handy right now.
> > >>>
> > >>> Meanwhile I'd like to know if ppl agree with this approach.
> > >>
> > >> What about services?
> > >
> > > Do we automatically acquire keytab for services in the old clients ?
> > >
> > > Are you thinking about scripted ipa-getkeytab callouts ?
> > 
> > You are limiting access to host keytabs, what about service keytabs? 
> > Should they be or are they now similarly restricted?
> > 
> > Installers for something like Foreman may try to generate a service 
> > keytab in its installer, probably using admin credentials. I am planning 
> > to do the same in Openstack.
> 
> Ok I'll amend the patch to allow service keytabs to still use the
> setkeytab control, and restrict only users.
> However note that the idea of using this method is that admins can change
> this default on their own, so they can restrict more or less if they
> want; to that end I need to remember how to set a default that we do not
> override in the update file.
> 
> Simo.
> 
Amended patch to allow services too.
Only users are excluded.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
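The policy the thread settles on (the legacy setkeytab operation stays usable for host and service entries, and only user entries are excluded) written out as a stand-alone check. This is an added example, not part of the thread and not FreeIPA's own code: the attached patch is not visible here, so nothing below claims to show where or how FreeIPA enforces the rule. The entries are constructed dicts shaped like FreeIPA LDAP objects, the object-class names are the ones FreeIPA uses for users, hosts and services, and entries that fit none of those kinds are refused (fail closed), which is an assumption the thread does not state.

```python
# Added example (not FreeIPA code): a mirror of the setkeytab policy from
# the thread. Host and service entries may use the legacy setkeytab
# operation, user entries may not. Assumptions: the sample entries and
# object-class sets below are constructed for illustration, and anything
# that cannot be classified is refused.

USER_CLASSES = {"person", "inetorgperson", "posixaccount"}
HOST_CLASSES = {"ipahost"}
SERVICE_CLASSES = {"ipaservice"}


def entry_classes(entry):
    """objectClass values, lower-cased: LDAP treats them case-insensitively."""
    return {oc.lower() for oc in entry.get("objectClass", [])}


def classify(entry):
    """Return 'host', 'service', 'user' or 'unknown' from objectClass alone.

    krbPrincipalName is deliberately ignored: a principal string such as
    'host/...' is data a requester can influence, while the object classes
    are what the directory enforces on the entry.
    """
    ocs = entry_classes(entry)
    if ocs & HOST_CLASSES:
        return "host"
    if ocs & SERVICE_CLASSES:
        return "service"
    if ocs & USER_CLASSES:
        return "user"
    return "unknown"


def setkeytab_allowed(entry):
    """Decide whether the legacy setkeytab operation may run on this entry.

    Returns (allowed, reason).
    """
    if "krbprincipalaux" not in entry_classes(entry):
        return False, "entry has no Kerberos principal"
    kind = classify(entry)
    if kind in ("host", "service"):
        return True, f"{kind} entries may use setkeytab"
    if kind == "user":
        return False, "user entries are excluded from setkeytab"
    # Assumption for this example: refuse whatever we cannot classify.
    return False, "unclassified entry, refusing by default"


def audit(entries):
    """Map each entry's DN to the policy decision, for a quick what-if run."""
    return {e["dn"]: setkeytab_allowed(e) for e in entries}


# Constructed sample entries, trimmed to the attributes the policy reads.
SAMPLE_ENTRIES = [
    {
        "dn": "uid=alice,cn=users,cn=accounts,dc=example,dc=test",
        "objectClass": ["top", "person", "inetOrgPerson", "posixAccount",
                        "krbPrincipalAux", "ipaObject"],
        "krbPrincipalName": ["alice@EXAMPLE.TEST"],
    },
    {
        "dn": "fqdn=client.example.test,cn=computers,cn=accounts,dc=example,dc=test",
        "objectClass": ["top", "ipaHost", "krbPrincipalAux", "ipaObject"],
        "krbPrincipalName": ["host/client.example.test@EXAMPLE.TEST"],
    },
    {
        "dn": "krbprincipalname=HTTP/web.example.test@EXAMPLE.TEST,"
              "cn=services,cn=accounts,dc=example,dc=test",
        "objectClass": ["top", "ipaService", "krbPrincipalAux", "ipaObject"],
        "krbPrincipalName": ["HTTP/web.example.test@EXAMPLE.TEST"],
    },
    {
        # A user entry carrying a service-looking principal name: still
        # refused, because only objectClass is consulted.
        "dn": "uid=svc-lookalike,cn=users,cn=accounts,dc=example,dc=test",
        "objectClass": ["top", "person", "inetOrgPerson", "posixAccount",
                        "krbPrincipalAux", "ipaObject"],
        "krbPrincipalName": ["HTTP/impostor.example.test@EXAMPLE.TEST"],
    },
    {
        # A group: no krbPrincipalAux, so there is no principal to key.
        "dn": "cn=admins,cn=groups,cn=accounts,dc=example,dc=test",
        "objectClass": ["top", "groupOfNames", "posixGroup", "ipaObject"],
    },
]

if __name__ == "__main__":
    for dn, (ok, why) in audit(SAMPLE_ENTRIES).items():
        print(f"{'ALLOW' if ok else 'DENY':5} {dn}: {why}")
```

Running the block prints one ALLOW/DENY line per sample entry; the lookalike user shows why the decision keys off objectClass rather than the principal name, and the group shows the "no principal" path that must be refused before any kind check happens.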
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-569-2-Restrict-the-old-setkeytab-operation.patch
Type: text/x-patch
Size: 4182 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160726/a0aa4295/attachment.bin>

