[Freeipa-users] Dovecot imap authentication with IPA/Kerberos

Ondrej Valousek ondrejv at s3group.cz
Tue Jan 31 12:58:31 UTC 2012



> I fail to see why non-root processes should be trying to
> read /etc/krb5.keytab at all. You should be generating a per-service
> keytab with only the keys necessary for that service to authenticate
> itself to the KDC. So you might have /etc/dovecot/dovecot.keytab which
> is readable only by the dovecot user.
>
> The problem with allowing access to /etc/krb5.keytab is that it means
> that an exploit in another process (especially a mail server!) could
> gain access to the keys necessary to impersonate your host in kerberized
> applications on the network. That's really dangerous.
Right, but that's exactly what is happening with kerberized BIND, right? As far as I understand, you need to chown /etc/krb5.keytab to 'named' first.
In general, you are probably right; the only problem is that most of the Linux kerberized services expect krb5.keytab in /etc.
Moreover, in a situation where winbind (or later maybe even sssd, for example) maintains the system Kerberos database, we would need some means to tell it to maintain more database files in multiple locations - and that is too messy.

Maybe it is time to introduce some simple database layer on top of /etc/krb5.keytab which would handle the permissions correctly? Applications/services would need to talk to this layer and not to krb5.keytab directly.


Ondrej
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
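The per-service keytab arrangement described in the quoted reply (Dovecot reading its own keytab rather than /etc/krb5.keytab) can be audited from the host. The script below is an added example, not code from the thread or from FreeIPA/Dovecot; it assumes GNU stat and the real Dovecot setting auth_krb5_keytab, and takes the service account's numeric uid as the expected owner.

```shell
#!/bin/sh
# Audit the keytab Dovecot is configured to use: it must be a private,
# per-service file owned by the service account, not the shared host keytab.
# Assumes GNU stat (-c). OWNER is a numeric uid (e.g. from `id -u dovecot`).

# keytab_path CONFIG_FILE -> prints the auth_krb5_keytab value, or nothing.
keytab_path() {
    sed -n 's/^[[:space:]]*auth_krb5_keytab[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# check_keytab PATH OWNER_UID -> 0 only if PATH exists, is not the shared
# host keytab, is owned by OWNER_UID and has mode 0400 or 0600 (no
# group/world bits, so an exploit in another service cannot read the keys).
check_keytab() {
    kt=$1; owner=$2
    case "$kt" in
        /etc/krb5.keytab) echo "shared host keytab in use: $kt"; return 1 ;;
    esac
    [ -f "$kt" ] || { echo "missing keytab: $kt"; return 1; }
    mode=$(stat -c '%a' "$kt"); uid=$(stat -c '%u' "$kt")
    [ "$uid" = "$owner" ] || { echo "owner uid $uid != $owner: $kt"; return 1; }
    case "$mode" in
        400|600) return 0 ;;
        *) echo "mode $mode too permissive: $kt"; return 1 ;;
    esac
}

# audit_dovecot CONFIG_FILE OWNER_UID -> resolves the configured keytab and
# runs check_keytab on it.
audit_dovecot() {
    kt=$(keytab_path "$1")
    [ -n "$kt" ] || { echo "auth_krb5_keytab not set in $1"; return 1; }
    check_keytab "$kt" "$2"
}
```

Run it as `audit_dovecot /etc/dovecot/dovecot.conf "$(id -u dovecot)"`; a non-zero exit with the printed reason is the finding to fix.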



