[Freeipa-devel] Design Review Keytab Retrieval

Nathaniel McCallum npmccallum at redhat.com
Fri Jun 20 18:05:38 UTC 2014


On Mon, 2014-06-16 at 11:34 -0400, Simo Sorce wrote:
> Although the code is all done it would be nice to have a review of the
> feature, to see if it has all been captured:
> http://www.freeipa.org/page/V4/Keytab_Retrieval

I'm a bit confused about the behavior of enctypes in the Request.

"A list of enctypes is always necessary in input when a new keytab is
requested. However the list is filtered through the allowable enctypes
list and if nothing is left the operation is refused."

+1. However, the generated keys should be the set of allowed enctypes,
not the intersection between allowed and requested enctypes. This would
permit the later requesting of enctypes that were allowed at the time of
creation, but not requested.

"If the getNew attribute is false, then the existing key is being
requested. In this case password and enctypes MUST NOT be set."

I don't get this. Shouldn't the return value of this request include
only the intersection between allowed and requested enctypes? There is
no point in responding with enctypes the client has not requested. And
indeed, this provides extra data points to attack.

Having this proposed behavior also means you can remove OPTIONAL from
enctypes.

So as it stands, enctypes currently controls what keys are generated. I
would prefer that enctypes controls what keys are returned. Am I missing
something?

Nathaniel
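
The two enctype behaviours contrasted in this message, as an added Python model that is not part of the original post and is not FreeIPA code. The class names, the `ALLOWED` policy and the random placeholder key bytes are assumptions made for the example.

```python
import os

# Constructed policy for the example: enctypes the server allows.
ALLOWED = ("aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96")


class Refused(Exception):
    """Raised when filtering leaves no usable enctype."""


def _filter(requested, allowed=ALLOWED):
    kept = [e for e in allowed if e in requested]
    if not kept:
        raise Refused("no requested enctype is allowed")
    return kept


def _new_keys(enctypes):
    # Random placeholder bytes stand in for real Kerberos key material.
    return {e: os.urandom(16) for e in enctypes}


class QuotedDesign:
    """enctypes decides what is generated; retrieval returns every stored key."""

    def __init__(self):
        self.store = {}

    def get_new(self, requested):
        self.store = _new_keys(_filter(requested))
        return dict(self.store)

    def get_existing(self):  # getNew false: no enctypes in the request
        return dict(self.store)


class ProposedDesign:
    """All allowed enctypes are generated; enctypes decides what is returned."""

    def __init__(self):
        self.store = {}

    def get_new(self, requested):
        kept = _filter(requested)        # an empty intersection is still refused
        self.store = _new_keys(ALLOWED)  # generate the whole allowed set
        return {e: self.store[e] for e in kept}

    def get_existing(self, requested):
        return {e: self.store[e] for e in _filter(requested)}
```

With the quoted behaviour, an enctype that was allowed but not requested at creation has no stored key to retrieve later; with the proposed behaviour it does, and each response carries only the enctypes the client named.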
