[Freeipa-users] minimise impact compromised host
Stijn De Weirdt
stijn.deweirdt at ugent.be
Wed Nov 16 16:47:12 UTC 2016
>> this is a different question: what can we do such that compromised host
>> can do a little as possible if the admin doesn't (yet) know the host is
>> compromised.
>>
>> the default policy allows way too much.
>
> For any useful advice we need more details.
>
> What are the operations you want to disable?
at the very least, "kvno userlogin" should fail (i.e. access to a host
keytab shouldn't permit retrieval of arbitrary user token).
i'm assuming that retrieval of service tokens for another host is
already not possible? (ie if you have keyatb of fqdn1, you shouldn't be
able to retrieve a token for SERVICE/fqdn2 at REALM).
stijn
>
> Petr^2 Spacek
>
>
>>
>> how to clean it up once you know the host is compromised is the subject
>> of the other thread.
>>
>> stijn
>>
>>>
>>> In the case that the host is compromised/stolen/hijacked, you can
>>> host-disable it to invalidate the keytab stored there but this does not
>>> prevent anyone logged on that host to bruteforce/DOS user accounts by
>>> trying to guess their Kerberos keys by repeated kinit.
>>>
>>
>
>
More information about the Freeipa-users
mailing list