[Freeipa-devel] Func and kerberos

[Karl MacMillan]

So func looks interesting and I wanted to ask a few questions about
potential integration w/ LDAP and kerberos (and freeipa.org).

* Any chance you would be interested in supporting kerberos in addition
to certificates? The main advantage here is that you would be able to
authenticate specific users or services on other systems more easily.

* For later versions of freeipa we plan to do machine identity. With
that you would have a list of machines stored in ldap, groupings of
those machines, and already have certs / kerberos principals to identify
those machines. It would also enable you to obtain additional certs /
principals for the func service securely.

Speaking of which, it looks like you currently have clients
automatically obtain certificates from the master server without
authenticating the master server in any way. This seems like a security
hole. Basically - if a rogue master server can spoof the master on the
network (which would be easy) I can intercept registration requests,
issue a cert, and fully control all of the other systems. It could even
communicate with the real master and become a man-in-the-middle.

There are a number of solutions to this, obviously, but freeipa will
hopefully provide some in the future.

* Another security concern - is the funcd on the clients trusted to
perform all of the actions? This will make it a huge target for attacks.
Could you instead exec helper applications? This would also allow you to
run the helper applications with lower privileges - either in an
specific selinux context, have it drop some capabilities before exec of
the script, or even as an unprivileged user.

Karl