[Freeipa-users] minimise impact compromised host
Rob Crittenden
rcritten at redhat.com
Wed Nov 16 16:55:14 UTC 2016
Stijn De Weirdt wrote:
>>> this is a different question: what can we do such that compromised host
>>> can do a little as possible if the admin doesn't (yet) know the host is
>>> compromised.
>>>
>>> the default policy allows way too much.
>>
>> For any useful advice we need more details.
>>
>> What are the operations you want to disable?
> at the very least, "kvno userlogin" should fail (i.e. access to a host
> keytab shouldn't permit retrieval of arbitrary user token).
>
> i'm assuming that retrieval of service tokens for another host is
> already not possible? (ie if you have keyatb of fqdn1, you shouldn't be
> able to retrieve a token for SERVICE/fqdn2 at REALM).
To be more precise you get a service ticket. I'm not sure what the
exposure is here.
rob
More information about the Freeipa-users
mailing list