[Freeipa-users] minimise impact compromised host
Stijn De Weirdt
stijn.deweirdt at ugent.be
Wed Nov 16 13:01:09 UTC 2016
hi all,
we are looking how to configure whatever relevant policy to minimise the
impact of compromised IPA hosts (ie servers with a valid host keytab).
in particular, it looks like it possible to retrieve any user token once
you have access to a valid host keytab.
we're aware that the default IPA policies are wide open, but we are
looking how to limit this. for us, there's no need that a hostkeytab can
retrieve tokens for anything except the services on that host.
stijn
More information about the Freeipa-users
mailing list