[Freeipa-users] minimise impact compromised host

Martin Babinsky mbabinsk at redhat.com
Wed Nov 16 13:41:34 UTC 2016


On 11/16/2016 02:33 PM, Petr Spacek wrote:
> On 16.11.2016 14:01, Stijn De Weirdt wrote:
>> hi all,
>>
>> we are looking how to configure whatever relevant policy to minimise the
>> impact of compromised IPA hosts (ie servers with a valid host keytab).
>>
>> in particular, it looks like it is possible to retrieve any user token once
>> you have access to a valid host keytab.
>>
>> we're aware that the default IPA policies are wide open, but we are
>> looking how to limit this. for us, there's no need that a host keytab can
>> retrieve tokens for anything except the services on that host.
>
> What "token" do you have in mind?
>
We discussed this in another thread.

In the case that the host is compromised/stolen/hijacked, you can 
host-disable it to invalidate the keytab stored there, but this does not 
prevent anyone logged on that host from brute-forcing/DoSing user accounts by 
trying to guess their Kerberos keys by repeated kinit.

-- 
Martin^3 Babinsky
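As an added defender's example (not code from this thread or from the FreeIPA project), the following parses MIT krb5kdc.log lines and flags a client address that racks up repeated failed preauthentications, or spreads them across several principals, which is the trace that repeated kinit guessing from a disabled host leaves on the KDC. The log lines, thresholds and function names are constructed for the example; the line layout follows the MIT KDC's AS_REQ logging.

```python
import re
from collections import Counter, defaultdict

# Matches the MIT KDC's failed-preauth AS_REQ line: "... <client>: PREAUTH_FAILED: <princ> for ..."
PREAUTH_FAILED_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(.*?\) (?P<client>[\da-fA-F.:]+): PREAUTH_FAILED: "
    r"(?P<principal>\S+) for "
)

# Constructed sample log excerpt (not real data): one address fails for alice twice and
# bob once, a host principal gets a ticket normally, another address fails once for carol.
SAMPLE_LOG = """\
Nov 16 13:40:01 ipa.example.test krb5kdc[1234](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
Nov 16 13:40:02 ipa.example.test krb5kdc[1234](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: PREAUTH_FAILED: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
Nov 16 13:40:03 ipa.example.test krb5kdc[1234](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
Nov 16 13:40:05 ipa.example.test krb5kdc[1234](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1479303605, etypes {rep=18 tkt=18 ses=18}, host/web1.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 16 13:40:06 ipa.example.test krb5kdc[1234](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 198.51.100.7: PREAUTH_FAILED: carol@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
"""


def preauth_failures_by_client(log_text):
    """Return {client_address: Counter(principal -> failed preauth count)}."""
    failures = defaultdict(Counter)
    for line in log_text.splitlines():
        m = PREAUTH_FAILED_RE.search(line)
        if m:
            failures[m.group("client")][m.group("principal")] += 1
    return failures


def suspicious_clients(log_text, max_failures=3, max_principals=2):
    """Flag client addresses whose failures exceed a count threshold or touch
    several principals. The second test catches one host trying a few guesses
    against many users, where no single account sees enough failures to lock out."""
    flagged = {}
    for client, counts in preauth_failures_by_client(log_text).items():
        total = sum(counts.values())
        if total >= max_failures or len(counts) >= max_principals:
            flagged[client] = {"failures": total, "principals": sorted(counts)}
    return flagged


if __name__ == "__main__":
    for client, info in suspicious_clients(SAMPLE_LOG).items():
        print(f"{client}: {info['failures']} failed preauths across {info['principals']}")
```

Pair the flagged address back to the host entry in IPA to confirm whether it is the one you just host-disabled.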
