[Freeipa-users] IPA over the Internet - Security Implications

Simo Sorce ssorce at redhat.com
Fri Aug 17 13:03:29 UTC 2012


----- Original Message -----
> Hi,
> 
> Let us assume just the two systems directly connected to the
> internet.  I am specifically interested in what the security
> implications would be, not ways to get around them (e.g. point-to-
> point tunnel).  I have read that kerberos was designed for untrusted
> networks, just how untrusted can they be?

I would say that it really depends on your threat model.
With recent versions of FreeIPA we disable by default using DES keys, which were certainly not really secure anymore, given you can easily break DES encryption in a short enough period and without the need for expensive hardware these days. AES and RC4, which are the common ones used, and even 3DES should be robust enough to allow operating in safety, even if traffic is captured and brute force attacked, for the ticket validity period.

We have also always enabled required preauthentication by default for all principals, which avoids attacks against TGT packets.

What you may want to do however is harden the LDAP server configuration a bit.
You probably want to prevent anonymous connections and also make sure all connections always are encrypted by setting the right minssf limits.

You need also to decide if you want to expose admin interfaces (kadmin, http) over the internet or only krb5/ldap.

Simo.
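As an added illustration of the LDAP hardening advice above (not part of the original mail or of FreeIPA itself): a small audit function that reads a dumped `cn=config` entry from the 389 Directory Server that FreeIPA runs on and flags the two settings Simo mentions, anonymous binds and the minimum SSF. The attribute names `nsslapd-allow-anonymous-access` and `nsslapd-minssf` are the real 389-ds ones; the two sample entries are constructed.

```python
"""Audit a dumped 389-ds cn=config entry for anonymous binds and the minimum
SSF (security strength factor) required on every connection."""

# Constructed samples, shaped like the output of
#   ldapsearch -LLL -b cn=config -s base nsslapd-minssf nsslapd-allow-anonymous-access
# Attribute names are real 389-ds ones; the values are invented for the example.
WEAK_CONFIG = """\
dn: cn=config
cn: config
nsslapd-allow-anonymous-access: on
nsslapd-minssf: 0
"""

HARDENED_CONFIG = """\
dn: cn=config
cn: config
nsslapd-allow-anonymous-access: rootdse
nsslapd-minssf: 128
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr: [values]}, joining folded lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def audit_ldap_config(text, min_ssf=56):
    """Return a list of findings; an empty list means both checks pass.

    Any SSF above 0 rejects cleartext sessions; min_ssf=56 is a floor that
    still catches the 389-ds default of 0, raise it to demand stronger ciphers.
    """
    cfg = parse_ldif_entry(text)
    findings = []
    # 389-ds defaults to "on" when the attribute is absent, so treat absence as weak.
    anon = cfg.get("nsslapd-allow-anonymous-access", ["on"])[0].lower()
    if anon == "on":
        findings.append("anonymous binds allowed: set nsslapd-allow-anonymous-access to off or rootdse")
    ssf = int(cfg.get("nsslapd-minssf", ["0"])[0])
    if ssf < min_ssf:
        findings.append(f"nsslapd-minssf={ssf} permits cleartext sessions: raise it to at least {min_ssf}")
    return findings
```

Run it against the output of an `ldapsearch` on `cn=config` from each IPA replica before exposing port 389/636 to the Internet.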
