[Freeipa-users] minimise impact compromised host

Petr Spacek pspacek at redhat.com
Wed Nov 16 13:33:17 UTC 2016


On 16.11.2016 14:01, Stijn De Weirdt wrote:
> hi all,
> 
> we are looking how to configure whatever relevant policy to minimise the
> impact of compromised IPA hosts (i.e. servers with a valid host keytab).
> 
> in particular, it looks like it is possible to retrieve any user token once
> you have access to a valid host keytab.
> 
> we're aware that the default IPA policies are wide open, but we are
> looking how to limit this. for us, there's no need that a host keytab can
> retrieve tokens for anything except the services on that host.

What "token" do you have in mind?

-- 
Petr^2 Spacek



