[Freeipa-users] Can freeIPA work without Kerberos and DNS

Tue Mar 31 06:48:50 UTC 2015

On 30.3.2015 14:58, Gokulnath wrote:
> Thanks for the update.
> 
> The reason for weigh in the Kerberos option is to have that as an option to disable if needed, security is more important. I had to say this because there was a question on "why I would disable it".

I would argue that by using plain LDAP with user+password combination or
certificate-based login (private key) you are actually making things worse for
scenarios where attacker can have access to memory from time to time.

Password and private key are long-term secrets, i.e. are highly sensitive and
in described case used for every authentication.

In case of Kerberos, long-term secret is used only once to obtain session key
(TGT or other ticket) and this session key has limited lifetime so stolen
session key gives the attacker access only for a limited time.

Anyway, this is just an academic discussion. Do not use cloud services if you
are worried about this kind of attacks.

Petr^2 Spacek

> 
> I agree that the otp should definitely provide some additional layer of security. 
> 
> Let me test and reply back.
> 
> Thanks again.
> 
> Gokul
> 
> Sent from iPhone
> 
>> On Mar 30, 2015, at 7:48 AM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>>> On 03/29/2015 10:27 PM, Gokulnath wrote:
>>> Thanks for getting back.
>>>
>>> 1. As security Kerberos can ticket and in memory can be taken and that session key
>>> Can be used to gain access every where. Primarily this because the plan is to use the solution in cloud.
>>
>> You can use Kerberos in the cloud. It is not worse of better than certs.
>> If you can read memory of a machine you can (potentially) read its keys.
>> But this is the general risk that you take going into the cloud regardless whether you use PKI or Kerberos.
>>
>> In general you do not want to store long term keys in the images but rather add them on the fly when the system is instantiated.
>> The ipa-client-install with OTP registration code provides this capability.
>>
>> It seems that you are trying to overcomplicate things with no obvious reason.
>> If you need help with picking a better approach lest us know what exactly you are trying to accomplish.
>>
>>>
>>> 2. Can I disable DNS as well? And have IPA to run only ldap, ssh key rotation and pki ?
>>>
>>> 3. As during the install, DNS and Kerberos are getting installed and configured.
>>>
>>> I would really appreciate if you can get back.
>>>
>>> Thank you
>>> Gokul
>>> Sent from iPhone
>>>
>>>>> On Mar 29, 2015, at 8:44 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>>>
>>>>> On 03/29/2015 11:50 AM, Gokul wrote:
>>>>> Hi,
>>>>>
>>>>> I am tried to run some of my user cases with FreeIPA.
>>>>>
>>>>> Have FreeIPA to do only SSH key management in LDAP and PKI management.
>>>>>
>>>>> The understand that every request is kerberized and it has the DNS is must configuration.
>>>>>
>>>>> Can I have FreeIPA to run only SSH Key management with LDAP and a PKI server with dogtag?
>>>>>
>>>>> Thank you
>>>>> Gokul
>>>> You can't turn off Kerberos. You would need Kerberos for administration.
>>>> But other clients can take advantage of LDAP and SSH only.
>>>> However you are significantly limiting your functionality and capabilities.
>>>> Kerberos is really the key of the solution.
>>>>
>>>> What is the reason you try to avoid using it?