[Freeipa-users] minimise impact compromised host
Stijn De Weirdt
stijn.deweirdt at ugent.be
Wed Nov 16 14:33:05 UTC 2016
hi martin,
>>> we are looking how to configure whatever relevant policy to minimise the
>>> impact of compromised IPA hosts (ie servers with a valid host keytab).
>>>
>>> in particular, it looks like it possible to retrieve any user token once
>>> you have access to a valid host keytab.
>>>
>>> we're aware that the default IPA policies are wide open, but we are
>>> looking how to limit this. for us, there's no need that a hostkeytab can
>>> retrieve tokens for anything except the services on that host.
>>
>> What "token" do you have in mind?
>>
> We discussed this in another thread.
this is a different question: what can we do such that compromised host
can do a little as possible if the admin doesn't (yet) know the host is
compromised.
the default policy allows way too much.
how to clean it up once you know the host is compromised is the subject
of the other thread.
stijn
>
> In the case that the host is compromised/stolen/hijacked, you can
> host-disable it to invalidate the keytab stored there but this does not
> prevent anyone logged on that host to bruteforce/DOS user accounts by
> trying to guess their Kerberos keys by repeated kinit.
>
More information about the Freeipa-users
mailing list