[Freeipa-devel] [PATCH] #3859: Better mechanism to retrieve keytabs
Rob Crittenden
rcritten at redhat.com
Mon Jun 9 17:39:44 UTC 2014
Simo Sorce wrote:
> This patch set is an initial implementation of ticket #3859
>
> It seem to be working fine in my initial testing but I have not yet
> tested all cases.
>
> However I wonted to throw it on the list to get some initial feedback
> about the choices I made wrt access control and ipa-getkeytab flags and
> default behavior.
>
> In particular, the current patch set would require us to make
> host/service keytabs readable by the requesting party (whoever that is,
> admin or host itself) in order to allow it to get back the actual
> keytab. I am not sure this is ideal. Also write access to the keytab is
> still all is needed to allow someone to change it.
>
> Neither is ideal, but it was simpler as a first implementation. In
> particular I think we should allow either permission indipendently, and
> it should be something an admin can change. However I do not like
> allowing normal writes or reads to these attributes, mostly because w/o
> access to the master key nobody can really make sense of actually
> reading out the contents of KrbPrincipalKey or could write a blob that
> can be successfully decrypted.
>
> So I was wondering if we might want to prevent both reading and writing
> via LDAP (except via extended operations) and instead use another method
> to determine access patterns.
>
> As for ipa-getkeytab is everyone ok with tryin the new method first and
> always falling back to the old one (if a password has been provided) ?
0001
Needs a rebase. I did my best for testing.
In check_service_name() why not just initialize name to NULL rather than
assigning it twice? Or is the value of name undefined if krb5_* fails?
get_realm_backend() should probably have a comment on why returning NULL
is ok (either because there is no sdn or because there is no be). It
appears that things will eventually fail in get_entry_by_principal()
I think the Access Strategy comment needs to be expanded (or dropped) in
is_allowed_to_access_keys()
In the fatal error in is_allowed_to_access_keys() should the error
include the bound user and the resource they attempted to modify?
0002
ACK
0003
Nit: typo in commit, extedned
I'd prefer unique error messages for each ber decode failure.
Why is write access always required in ipapwd_getkeytab()? Would there
be a case where a principal can only re-fetch existing keys?
Since getnew is defined as a boolean in the ASN.1, is the conditional
if (getnew == 0)
preferred over just
if (getnew)?
Some errors read "Out of Memory" and others "allocation failed". I think
with a fatal error the line number is included in the error. If I'm
wrong then perhaps something specific to the allocation should be included.
The error message to the call ber_decode_krb5_key_data() doesn't seem to
match.
0004
More duplicated error messages, e.g. Missing reply control
0005
More duplicated error messages, Failed to parse key data
Typo, Incopatible
Functionality-wise.
Retrieving a keytab from a service without one fails in a strange way:
# ipa-getkeytab -r -s `hostname` -p test1/`hostname` -k /tmp/test.kt
Operation failed! Insufficient access rights
Failed to get keytab
I suppose a new permission is needed to add the ability to re-fetch
keytabs. Should the admins group be able to do this out-of-the box?
Maybe this is ok, I don't know, but it looks wierd. I fetched with -r
the same keytab a number of times and this is what it contains:
# klist -kt /tmp/test.kt
Keytab name: FILE:/tmp/test.kt
KVNO Timestamp Principal
---- -------------------
------------------------------------------------------
1 06/09/2014 13:35:50 test1/grindle.example.com at EXAMPLE.COM
1 06/09/2014 13:35:50 test1/grindle.example.com at EXAMPLE.COM
1 06/09/2014 13:35:50 test1/grindle.example.com at EXAMPLE.COM
1 06/09/2014 13:35:50 test1/grindle.example.com at EXAMPLE.COM
1 06/09/2014 13:35:53 test1/grindle.example.com at EXAMPLE.COM
1 06/09/2014 13:35:53 test1/grindle.example.com at EXAMPLE.COM
1 06/09/2014 13:35:53 test1/grindle.example.com at EXAMPLE.COM
1 06/09/2014 13:35:53 test1/grindle.example.com at EXAMPLE.COM
1 06/09/2014 13:36:00 test1/grindle.example.com at EXAMPLE.COM
1 06/09/2014 13:36:00 test1/grindle.example.com at EXAMPLE.COM
1 06/09/2014 13:36:00 test1/grindle.example.com at EXAMPLE.COM
1 06/09/2014 13:36:00 test1/grindle.example.com at EXAMPLE.COM
1 06/09/2014 13:36:45 test1/grindle.example.com at EXAMPLE.COM
1 06/09/2014 13:36:45 test1/grindle.example.com at EXAMPLE.COM
1 06/09/2014 13:36:45 test1/grindle.example.com at EXAMPLE.COM
1 06/09/2014 13:36:45 test1/grindle.example.com at EXAMPLE.COM
1 06/09/2014 13:36:51 test1/grindle.example.com at EXAMPLE.COM
1 06/09/2014 13:36:51 test1/grindle.example.com at EXAMPLE.COM
1 06/09/2014 13:36:51 test1/grindle.example.com at EXAMPLE.COM
The krbPrincipalKey value remained constant.
rob
More information about the Freeipa-devel
mailing list