[Freeipa-users] Actions for a stolen/compromised IPA Client

Paessens, Daniel daniel.paessens at hpe.com
Wed Nov 16 09:57:34 UTC 2016


Indeed, the kinit keeps working correctly.
If you give a good password it retrieves the tokens correctly.
Thus it's not only a DoS, but also a potential brute-force password retriever as well.
Blocking at firewall level, OK, but what if you use DHCP? It's more difficult to protect it that way.

Daniel

-----Original Message-----
From: Martin Babinsky [mailto:mbabinsk at redhat.com] 
Sent: Wednesday, November 16, 2016 10:30 AM
To: Paessens, Daniel <daniel.paessens at hpe.com>; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Actions for a stolen/compromised IPA Client

On 11/16/2016 10:04 AM, Paessens, Daniel wrote:
> Currently I am looking for a workable solution for the following situation:
>     Let's say that an IPA client has been stolen (or compromised).
> What can we do to block all access from it towards IPA (and the rest)?
>     For example, if we use the command "ipa host-disable" it's noticed
> that IPA users are no longer able to log in to the system. But if you
> log into the system as root, then you can still run (successfully) the
> command kinit and obtain a ticket for it.
>     Even if you delete the host from the directory, the behavior
> remains the same.
>     Can this be blocked anyhow?
>     Regards,
>     Daniel

Hi Daniel,

host-disable removes the host Kerberos keys and certificates from LDAP, as you correctly observe. This means that all services on the compromised host stop working. SSSD will also stop working since it uses the now invalid host keytab to perform user lookup; that's why ssh'ing to the host as an IPA user stops working.

However, there is nothing preventing the attacker from trying to kinit as admin directly, without SSSD on the machine, which can potentially lead to a DoS attack on the admin user. So if you realize that the host was compromised, it is best to first run host-disable and then block all traffic from that host on ports 88 tcp/udp (Kerberos), 464 tcp/udp (kadmin), 749 tcp/udp (kpasswd IIRC) and the LDAP(S) ports (389, 636 tcp).

--
Martin^3 Babinsky
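A shell sketch of the two-step response Martin describes (disable the host entry, then reject the client's traffic on the listed ports), added here as an example and not taken from the thread or from FreeIPA itself. It assumes firewalld on the IPA servers and a known, static IPv4 address for the stolen client, which, as Daniel notes, a DHCP client may not have; the `quarantine_ipa_client` and `ipa_block_rules` names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): quarantine a stolen/compromised IPA
# client. Step 1 invalidates its keytab and certs (ipa host-disable); step 2
# rejects its traffic on the Kerberos, kadmin/kpasswd and LDAP(S) ports that
# host-disable alone does not close. Assumption: static IPv4 address and
# firewalld on each IPA server; run this on every server.

IPA_TCP_PORTS="88 464 749 389 636"   # Kerberos, 464/749, LDAP, LDAPS
IPA_UDP_PORTS="88 464 749"           # the same Kerberos-family ports over UDP

# One firewalld rich rule rejecting $1 (source IPv4) on port $2 / proto $3.
rich_rule() {
    printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"%s\" reject'\n" "$1" "$2" "$3"
}

# Print the firewall commands for client address $1, one per line.
ipa_block_rules() {
    addr="$1"
    [ -n "$addr" ] || { echo "usage: ipa_block_rules <ipv4-address>" >&2; return 1; }
    for p in $IPA_TCP_PORTS; do rich_rule "$addr" "$p" tcp; done
    for p in $IPA_UDP_PORTS; do rich_rule "$addr" "$p" udp; done
    printf 'firewall-cmd --reload\n'
}

# Full procedure for host $1 (FQDN) at address $2. With DRY_RUN=1 (the
# default) the commands are only printed, so the procedure can be reviewed
# before it is executed; DRY_RUN=0 pipes them to sh on this server.
quarantine_ipa_client() {
    fqdn="$1"; addr="$2"
    [ -n "$fqdn" ] && [ -n "$addr" ] || { echo "usage: quarantine_ipa_client <fqdn> <ipv4-address>" >&2; return 1; }
    {
        printf 'ipa host-disable %s\n' "$fqdn"   # step 1: drop keys/certs in LDAP
        ipa_block_rules "$addr"                  # step 2: firewall the client
    } | if [ "${DRY_RUN:-1}" = 1 ]; then cat; else sh; fi
}
```

With `DRY_RUN=1 quarantine_ipa_client stolen.example.test 192.0.2.10` the script prints the nine commands it would run; only the rules on the IPA servers are affected, so a re-addressed DHCP client still needs a fresh address before this helps.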
