Alexander Bokovoy wrote:
On Thu, 14 Nov 2024, Magnus Sandberg via FreeIPA-users wrote:
Hi, this is a rather late reply but I'm new to RedHat IdM. Would it be possible to have a kdcpolicy plugin that only allows admin tokens issued on machines that are listed in some allow list? I guess the list could even be dynamic as I also would like to limit it to the IdM servers themselves.
It is possible to write a KDC policy plugin but I don't think it will help. Kerberos tickets have a concept of addressfulness but it is not used in real life due to NATs and other factors. See, for example, a very recent discussion upstream where the MIT Kerberos upstream maintainer explains it: https://github.com/krb5/krb5/pull/1359#issuecomment-2472625591
Addressful tickets are rarely used. When they are used, the AS client decides what addresses get stored in the ticket. The ticket is then restricted to use from one of the listed addresses. In our client implementation (e.g. if you do "kinit -a"), we construct a list of the local interface IP addresses and ask for those.
So if you want to make a decision based on the addresses the client has provided in the list, you are already in a pretty bad situation as you have to trust that information. What if an attacker knows that you will only be issuing 'admin' tickets on IPA servers? They'd simply fabricate their AS-REQ packet with corresponding addresses. A better approach would be to switch admin accounts to use passwordless authentication methods, with factors that cannot easily be accessed by attackers: smartcards or FIDO2 passkeys, for example.
Thanks for your reply. I'm not familiar with the krb source code and what's going on internally but I think I got some understanding about the ongoing work from the link you provided.
My use case is to "help" my fellow IdM admins to not manage the IdM from the wrong machine. Our policy states that you should manage the IdM locally via dedicated jumphosts. But when you're in a hurry to fix a problem it may be easy to do "kinit admin" and use the relevant ipa commands from some host just to fix the problem, and that wouldn't be okay. As this is for internal use in our own networks, we don't have NAT between our networks. And the main goal is not to protect against an attacker.
Regards, // mem