On Thu, 14 Nov 2024, Magnus Sandberg via FreeIPA-users wrote:
> Hi,
> This is a rather late reply but I'm new to RedHat IdM.
> Would it be possible to have a kdcpolicy plugin that only allows admin tokens issued on machines that are listed in some allow list? I guess the list could even be dynamic, as I also would like to limit it to the IdM servers themselves.
It is possible to write a KDC policy plugin, but I don't think it will help. Kerberos tickets have a concept of addressfulness, but it is not used in real life due to NATs and other factors.
See, for example, the very recent upstream discussion where the MIT Kerberos upstream maintainer explains it: https://github.com/krb5/krb5/pull/1359#issuecomment-2472625591

--------
Addressful tickets are rarely used. When they are used, the AS client decides what addresses get stored in the ticket. The ticket is then restricted to use from one of the listed addresses. In our client implementation (e.g. if you do "kinit -a"), we construct a list of the local interface IP addresses and ask for those.
--------

So if you want to make a decision based on the addresses the client has provided in the list, you are already in a pretty bad situation, as you have to trust that information. What if an attacker knows that you will only be issuing 'admin' tickets on IPA servers? They'd simply fabricate their AS-REQ packet with the corresponding addresses.
A better approach would be to switch admin accounts to passwordless authentication methods, with factors that cannot easily be obtained by attackers: smartcards or FIDO2 passkeys, for example.
> I guess that it would require some C programming but maybe not that hard to do.
> Regards, // mem
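To make the point in the reply concrete, here is an added example (not code from the thread or from FreeIPA/MIT krb5) that encodes and decodes the Kerberos HostAddresses structure from RFC 4120 §5.2.5, the field a client fills in for an addressful AS-REQ, and runs a hypothetical KDC-side allow-list check over it. The allow list, the addresses and the `allow_list_policy` function are constructed for illustration; the function stands in for any check that can only see the request body, and it shows why such a check cannot tell an IPA server's honest `kinit -a` list from a forged one, since both are just client-chosen bytes.

```python
"""Kerberos HostAddresses (RFC 4120 §5.2.5) encode/decode and a hypothetical
KDC-side allow-list check, to show that request-supplied addresses are
untrusted input.  Added example; not part of FreeIPA or MIT krb5.

    HostAddress   ::= SEQUENCE { addr-type [0] Int32, address [1] OCTET STRING }
    HostAddresses ::= SEQUENCE OF HostAddress
Kerberos uses explicit context tags, so [0] and [1] wrap a full INTEGER /
OCTET STRING TLV.  addr-type values from RFC 4120 §7.5.3.
"""
import ipaddress

ADDRTYPE_IPV4 = 2
ADDRTYPE_IPV6 = 24


def _der_len(n):
    """DER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(v):
    """DER INTEGER in minimal two's-complement form."""
    n = max(1, (v.bit_length() + 8) // 8)
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))


def encode_host_addresses(addrs):
    """Encode IP address strings as a DER HostAddresses value.
    This is exactly what a client (honest or not) controls in its AS-REQ."""
    items = []
    for a in addrs:
        ip = ipaddress.ip_address(a)
        atype = ADDRTYPE_IPV4 if ip.version == 4 else ADDRTYPE_IPV6
        items.append(_tlv(0x30,
                          _tlv(0xA0, _der_int(atype)) +          # addr-type [0]
                          _tlv(0xA1, _tlv(0x04, ip.packed))))    # address   [1]
    return _tlv(0x30, b"".join(items))


def _read_tlv(buf, pos, expect_tag):
    """Read one DER TLV at buf[pos]; return (content, end_offset)."""
    if pos >= len(buf) or buf[pos] != expect_tag:
        raise ValueError("unexpected tag at offset %d" % pos)
    pos += 1
    first = buf[pos]
    pos += 1
    if first < 0x80:
        ln = first
    else:
        nb = first & 0x7F
        if nb == 0 or pos + nb > len(buf):
            raise ValueError("bad length encoding")
        ln = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    if pos + ln > len(buf):
        raise ValueError("length overruns buffer")
    return buf[pos:pos + ln], pos + ln


def decode_host_addresses(der):
    """Decode DER HostAddresses back to a list of IP address strings."""
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing data after HostAddresses")
    out, pos = [], 0
    while pos < len(seq):
        item, pos = _read_tlv(seq, pos, 0x30)
        t0, p = _read_tlv(item, 0, 0xA0)
        raw_int, _ = _read_tlv(t0, 0, 0x02)
        atype = int.from_bytes(raw_int, "big", signed=True)
        t1, _ = _read_tlv(item, p, 0xA1)
        raw_addr, _ = _read_tlv(t1, 0, 0x04)
        if atype == ADDRTYPE_IPV4 and len(raw_addr) == 4:
            out.append(str(ipaddress.IPv4Address(raw_addr)))
        elif atype == ADDRTYPE_IPV6 and len(raw_addr) == 16:
            out.append(str(ipaddress.IPv6Address(raw_addr)))
        else:
            raise ValueError("unsupported addr-type %d / length %d" % (atype, len(raw_addr)))
    return out


def allow_list_policy(addresses_der, allow_list):
    """Hypothetical KDC-side check: every claimed address must be allow-listed.
    It only sees what the client wrote into the request; nothing binds that to
    the real transport peer, so a forged list passes exactly like an honest one."""
    claimed = decode_host_addresses(addresses_der)
    return bool(claimed) and all(a in allow_list for a in claimed)


# Constructed allow list of "IPA servers" (TEST-NET-1 addresses, not real hosts).
IPA_SERVERS = {"192.0.2.10", "192.0.2.11"}

if __name__ == "__main__":
    honest = encode_host_addresses(["192.0.2.10"])    # kinit -a on an IPA server
    attacker_real = encode_host_addresses(["203.0.113.5"])  # kinit -a on attacker's box
    forged = encode_host_addresses(["192.0.2.10"])    # attacker simply claims an IPA address
    print("honest   :", allow_list_policy(honest, IPA_SERVERS))
    print("attacker :", allow_list_policy(attacker_real, IPA_SERVERS))
    print("forged   :", allow_list_policy(forged, IPA_SERVERS), "(identical bytes:", honest == forged, ")")
```

The honest and forged requests encode to identical bytes, so no policy over this field, in a plugin or otherwise, can separate them; the only thing the KDC learns from the addresses field is what the sender wanted it to believe.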