[Freeipa-users] minimise impact compromised host

Martin Babinsky mbabinsk at redhat.com
Wed Nov 16 14:17:21 UTC 2016


On 11/16/2016 03:10 PM, Sumit Bose wrote:
> On Wed, Nov 16, 2016 at 02:41:34PM +0100, Martin Babinsky wrote:
>> On 11/16/2016 02:33 PM, Petr Spacek wrote:
>>> On 16.11.2016 14:01, Stijn De Weirdt wrote:
>>>> hi all,
>>>>
>>>> We are looking at how to configure whatever relevant policy to minimise the
>>>> impact of compromised IPA hosts (i.e. servers with a valid host keytab).
>>>>
>>>> In particular, it looks like it is possible to retrieve any user token once
>>>> you have access to a valid host keytab.
>>>>
>>>> We're aware that the default IPA policies are wide open, but we are
>>>> looking at how to limit this. For us, there's no need for a host keytab to
>>>> retrieve tokens for anything except the services on that host.
>>>
>>> What "token" do you have in mind?
>>>
>> We discussed this in another thread.
>>
>> In the case that the host is compromised/stolen/hijacked, you can
>> host-disable it to invalidate the keytab stored there, but this does not
>> prevent anyone logged on to that host from brute-forcing/DoSing user accounts
>> by trying to guess their Kerberos keys by repeated kinit.
>
> But the password policy should at least mitigate this by blocking the
> account for some time after a number of wrong passwords are used.
>
> bye,
> Sumit
>

Yes, after (by default 6, IIRC) failed attempts it should lock out the 
account, making brute-forcing the credentials highly impractical. It 
will, however, prevent legitimate authentication of that user against 
the IPA master where the lockout is in place.


-- 
Martin^3 Babinsky
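To make the trade-off in the reply above concrete (lockout blocks the guesser, but also the real user), here is a small model of how a failure-count lockout policy behaves. This is an added illustration, not FreeIPA or MIT krb5 code: it only mimics the semantics of the password-policy attributes krbPwdMaxFailure, krbPwdFailureCountInterval and krbPwdLockoutDuration on a single master, and the values 6 / 60 s / 600 s are assumed for the example rather than read from any server.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy values for this example, named after the IPA password
# policy attributes they stand in for. They are not read from a server.
@dataclass
class PasswordPolicy:
    max_fail: int = 6             # krbPwdMaxFailure
    fail_interval: int = 60       # krbPwdFailureCountInterval, seconds
    lockout_duration: int = 600   # krbPwdLockoutDuration, seconds (0 = until admin unlock)


class LockoutModel:
    """Per-account failure counter as a single KDC would keep it."""

    def __init__(self, policy: PasswordPolicy, secret: str):
        self.policy = policy
        self.secret = secret            # the user's real password (constructed)
        self.failed_count = 0           # stands in for krbLoginFailedCount
        self.last_failed_at: Optional[int] = None  # stands in for krbLastFailedAuth

    def is_locked(self, now: int) -> bool:
        if self.failed_count < self.policy.max_fail:
            return False
        if self.policy.lockout_duration == 0:
            return True                 # permanent lock until an admin resets it
        return now - self.last_failed_at < self.policy.lockout_duration

    def authenticate(self, password: str, now: int) -> str:
        """Return 'ok', 'bad-password' or 'locked' for one kinit attempt at time `now`."""
        if self.is_locked(now):
            return "locked"             # rejected before the password is even checked
        # The failure counter only accumulates within fail_interval of the last failure.
        if self.last_failed_at is not None and now - self.last_failed_at >= self.policy.fail_interval:
            self.failed_count = 0
        if password == self.secret:
            self.failed_count = 0
            self.last_failed_at = None
            return "ok"
        self.failed_count += 1
        self.last_failed_at = now
        return "bad-password"


def simulate_compromised_host(policy: PasswordPolicy = PasswordPolicy(),
                              user_password: str = "correct-horse") -> list:
    """Someone on a compromised host guesses a user's password once per second,
    then the legitimate user tries the right password. Returns the outcomes in order."""
    acct = LockoutModel(policy, user_password)
    outcomes = []
    t = 0
    for i in range(policy.max_fail):            # wrong guesses until the policy trips
        outcomes.append(acct.authenticate(f"guess-{i}", t))
        t += 1
    # The real user is now collateral damage: correct password, still refused.
    outcomes.append(acct.authenticate(user_password, t))
    # Once lockout_duration has elapsed the counter window has also expired.
    outcomes.append(acct.authenticate(user_password, t + policy.lockout_duration))
    return outcomes


if __name__ == "__main__":
    print(simulate_compromised_host())
```

The sequence returned by `simulate_compromised_host()` is six `bad-password` results, then `locked` for the genuine user, then `ok` after the lockout window. Because the failure attributes are kept per master, as the reply notes, the same user may still authenticate against another replica while this one is locked; monitoring repeated PREAUTH_FAILED entries per client address in the KDC log is the defender's way to spot a host that is doing this.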




More information about the Freeipa-users mailing list