[Freeipa-devel] [PATCH] #3859: Better mechanism to retrieve keytabs

Simo Sorce simo at redhat.com
Mon Jun 16 13:34:50 UTC 2014


On Mon, 2014-06-16 at 09:53 +0200, Petr Viktorin wrote:
> On 06/13/2014 10:20 PM, Simo Sorce wrote:
> [...]
> > 2) and I think this is a MUCH bigger issue, the Admin users are
> > unbounded and pass any Access Control Check and this means they can now
> > retrieve any key for users or machines.
> > It is already bad enough that admins can unconditionally set any key,
> > but this at least leaves back a pretty big trail (the original client
> > password/key fails to work), and is a necessary evil (password resets,
> > hosts creation/recovery).
> > But I am not very comfortable with the idea an admin can retrieve any
> > key without actually ending up changing it. Petr do we have any short
> > term plan to address the Admin's super ACI ?
> 
> No, nothing in the short term.

Ok, then I think the attached patch 0003 is the one we want.
It changes the admins' superpowers so that they no longer allow
ipaProtectedOperation by default, and instead adds a specific right in
cn=accounts so admins can keep fetching keytabs for any principal. We
may want to turn this into a permission with a future patch.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-keytab-Add-new-extended-operation-to-get-a-keytab.patch
Type: text/x-patch
Size: 32176 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140616/7a34d74d/attachment.bin>
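To make the ACI change Simo describes concrete, the following LDIF is an illustrative example added here; it is not the contents of the scrubbed 0003 patch and not FreeIPA's own default-aci.ldif. The attribute list in the admins' ACI is abbreviated, the ACL names are assumed, and $SUFFIX stands for the IPA base DN (e.g. dc=example,dc=com). It shows the blanket "allow (all)" ACI before and after ipaProtectedOperation is excluded from it, and the narrow grant under cn=accounts that keeps the keytab fetch working for admins:

```ldif
# Assumption: $SUFFIX is the IPA base DN, e.g. dc=example,dc=com.
#
# BEFORE (the problem Simo raises): the admins' ACI excludes the key
# material itself, but not ipaProtectedOperation. Because it is
# "allow (all)" on every attribute not in the list, an admin passes
# the new read_keys check and can retrieve any key without changing
# it, so no trail (failing client key) is left behind.
dn: $SUFFIX
changetype: modify
delete: aci
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
-
# AFTER: ipaProtectedOperation joins the exclusion list, so the blanket
# grant no longer covers any of the protected operations.
add: aci
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || ipaProtectedOperation")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)

# Explicit, narrow right under cn=accounts: admins may still fetch
# keytabs for any principal, but the grant is now visible on its own,
# applies only to the read_keys subtype, and can later be turned into
# a managed permission.
dn: cn=accounts,$SUFFIX
changetype: modify
add: aci
aci: (targetattr = "ipaProtectedOperation;read_keys")(version 3.0; acl "Admins are allowed to retrieve keytab for any entity"; allow (read) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
```

Apply it with `ldapmodify` as Directory Manager (for example `ldapmodify -x -D "cn=Directory Manager" -W -f aci.ldif`). A `delete: aci` of a single value only succeeds if the value matches the stored one byte for byte, so copy the existing aci from an `ldapsearch -b "$SUFFIX" -s base aci` rather than retyping it. The point of the two-step shape is that an "allow (all)" with a `targetattr !=` exclusion list is a deny-list: every attribute or virtual operation added later is granted by default unless someone remembers to extend the list, whereas the `cn=accounts` entry is an allow-list grant that names exactly one operation.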

