[Freeipa-users] Can freeIPA work without Kerberos and DNS

Petr Spacek pspacek at redhat.com
Mon Mar 30 07:33:13 UTC 2015


On 30.3.2015 09:28, Andrew Holway wrote:
> Hi,
> 
> As far as I understand it Kerberos service tickets are granted for a user
> to access a particular principal (host/service at REALM) and cannot be reused.
> Kerberos uses symmetric key cryptography so, if someone were able to access
> the memory of the machine, then they may indeed be able to snoop your user
> password although I am quite sure passwords are kept hashed in the Keytab.
> 
> If you are so worried that someone would go to the trouble to hack the
> virtualisation layer and copy chunks of memory then you should really be
> reconsidering your use of cloud services. People hacking Kerberos will be
> the least of your problems if you have data that is that sensitive on there.
> 
> If you could point me to some documentation on the specific attack you are
> trying to mitigate that would be nice.
> 
> Thanks,
> 
> Andrew
> 
> 
> On 30 March 2015 at 04:27, Gokulnath <gokulnathb at gmail.com> wrote:
> 
>> Thanks for getting back.
>>
>> 1. As security Kerberos can ticket and in memory can be taken and that
>> session key
>> can be used to gain access everywhere. Primarily this is because the plan is
>> to use the solution in cloud.
>>
>> 2. Can I disable DNS as well? And have IPA run only LDAP, SSH key
>> rotation and PKI?
>>
>> 3. As during the install, DNS and Kerberos are getting installed and
>> configured.

Let me add that the DNS server is an optional component and will not be installed
if you do not specify the --setup-dns option. In that case you have to add the
necessary DNS records by hand to make FreeIPA fully functional.

Petr^2 Spacek

>> I would really appreciate if you can get back.
>>
>> Thank you
>> Gokul
>> Sent from iPhone
>>
>>> On Mar 29, 2015, at 8:44 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>
>>>> On 03/29/2015 11:50 AM, Gokul wrote:
>>>> Hi,
>>>>
>>>> I tried to run some of my use cases with FreeIPA.
>>>>
>>>> Have FreeIPA to do only SSH key management in LDAP and PKI management.
>>>>
>>>> I understand that every request is kerberized and that DNS is a
>>>> must configuration.
>>>>
>>>> Can I have FreeIPA run only SSH key management with LDAP and a PKI
>>>> server with Dogtag?
>>>>
>>>> Thank you
>>>> Gokul
>>> You can't turn off Kerberos. You would need Kerberos for administration.
>>> But other clients can take advantage of LDAP and SSH only.
>>> However you are significantly limiting your functionality and
>>> capabilities.
>>> Kerberos is really the key of the solution.
>>>
>>> What is the reason you try to avoid using it?
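Petr's note above says that without --setup-dns the necessary DNS records must be added by hand. The following is an added example, not code from the thread or from the FreeIPA project: it generates a BIND-style zone fragment for the SRV/TXT records that Kerberos and LDAP clients use to locate a server (the record set is an assumption based on the standard Kerberos DNS conventions from RFC 4120 section 7.2.3 and the records MIT Kerberos and FreeIPA clients query; check it against the record list your own ipa-server-install prints) and then checks a set of already-resolved records for gaps, which is the check an administrator wants after hand-editing a zone. The domain, realm, server name and the resolved records are constructed sample values.

```python
"""Generate and verify the DNS SRV/TXT records a hand-maintained zone needs
for Kerberos and LDAP service discovery.

Added example; not part of the mailing-list thread or of FreeIPA itself.
ASSUMPTION: REQUIRED_SRV lists the conventional Kerberos/LDAP discovery
records; compare with what ipa-server-install prints for your version.
"""

# Constructed sample values (not from the thread).
REALM = "EXAMPLE.TEST"
DOMAIN = "example.test"
SERVER = "ipa.example.test"

# (owner-name prefix, port) for each SRV record. Priority/weight are fixed
# to 0/100 below, which is what a single-server deployment typically uses.
REQUIRED_SRV = [
    ("_ldap._tcp", 389),
    ("_kerberos._tcp", 88),
    ("_kerberos._udp", 88),
    ("_kerberos-master._tcp", 88),
    ("_kerberos-master._udp", 88),
    ("_kpasswd._tcp", 464),
    ("_kpasswd._udp", 464),
]


def zone_fragment(domain, realm, server, ttl=86400):
    """Return zone-file lines for the required SRV records plus the
    _kerberos TXT record that maps the DNS domain to the Kerberos realm."""
    lines = []
    for name, port in REQUIRED_SRV:
        # SRV rdata: priority weight port target
        lines.append(f"{name}.{domain}. {ttl} IN SRV 0 100 {port} {server}.")
    lines.append(f'_kerberos.{domain}. {ttl} IN TXT "{realm}"')
    return lines


def records_from_zone(lines):
    """Parse 'owner ttl IN TYPE rdata' lines into {(owner, type): [rdata]}.
    The same shape can be built from dig output, so the checker below works
    on either a local zone file or live answers."""
    resolved = {}
    for line in lines:
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        resolved.setdefault((owner.rstrip("."), rtype), []).append(rdata)
    return resolved


def missing_records(domain, realm, resolved):
    """Return the (owner, type) keys that are absent or carry the wrong
    port/realm, so an admin can see exactly what still has to be added."""
    missing = []
    for name, port in REQUIRED_SRV:
        key = (f"{name}.{domain}", "SRV")
        rdata = resolved.get(key, [])
        # field index 2 of SRV rdata is the port
        if not any(r.split()[2] == str(port) for r in rdata):
            missing.append(key)
    txt_key = (f"_kerberos.{domain}", "TXT")
    realms = [r.strip('"') for r in resolved.get(txt_key, [])]
    if realm not in realms:
        missing.append(txt_key)
    return missing


# Constructed sample of a partially hand-populated zone: the
# _kerberos-master records and _kpasswd._udp were never added.
SAMPLE_RESOLVED = {
    ("_ldap._tcp.example.test", "SRV"): ["0 100 389 ipa.example.test."],
    ("_kerberos._tcp.example.test", "SRV"): ["0 100 88 ipa.example.test."],
    ("_kerberos._udp.example.test", "SRV"): ["0 100 88 ipa.example.test."],
    ("_kpasswd._tcp.example.test", "SRV"): ["0 100 464 ipa.example.test."],
    ("_kerberos.example.test", "TXT"): ['"EXAMPLE.TEST"'],
}


if __name__ == "__main__":
    print("\n".join(zone_fragment(DOMAIN, REALM, SERVER)))
    for owner, rtype in missing_records(DOMAIN, REALM, SAMPLE_RESOLVED):
        print(f"missing: {owner} {rtype}")
```

Feeding the generated fragment back through records_from_zone and then missing_records gives an empty list, which is the round trip to run after editing a real zone; against the constructed SAMPLE_RESOLVED the checker reports the three records that were left out.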
