If pkinit is configured, anonymous tickets can be obtained. To avoid impacting badly written applications that consider successful authentication to also be implicit authorization, by default restrict anonymous tickets to only be able to obtain TGTs. This is sufficient to make FAST work with pkinit but will block any other usage unless the admin explicitly decides to allow it by changing the kdc.conf file.
Ticket #432

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From 742e8f93a4626457372716c39acaea424a4fb191 Mon Sep 17 00:00:00 2001 From: Simo Sorce <sso...@redhat.com> Date: Wed, 12 Jan 2011 16:43:00 -0500 Subject: [PATCH] Restrict anonymous tgts Fixes: https://fedorahosted.org/freeipa/ticket/432 --- install/share/kdc.conf.template | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index f8e07c77bdbffe3d73baf016aae1b9733adb7390..02f1dc11167d357fdd1ba3097de34f4db308d2a6 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -1,6 +1,7 @@ [kdcdefaults] kdc_ports = 88 kdc_tcp_ports = 88 + restrict_anonymous_to_tgt = true [realms] $REALM = { -- 1.7.3.4
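Review bot: The new relation `+ restrict_anonymous_to_tgt = true` in [kdcdefaults] reaches only fresh installs, because the patch touches nothing but install/share/kdc.conf.template (1 file changed); servers already deployed keep the previous, unrestricted behaviour and would need an upgrade step or at least a release note so admins can add the line by hand. Since the cover message says an admin who wants other anonymous uses must edit kdc.conf explicitly, a comment line directly above the new relation in the template, stating that it keeps anonymous PKINIT tickets usable only for obtaining TGTs (FAST armor) and naming the value to change, would make that decision discoverable where it is made.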
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
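An added audit helper, not part of Simo's patch or of FreeIPA, that parses the kdc.conf profile format the template uses and reports, per realm, whether anonymous principals are limited to the ticket-granting service; the sample file, its realm names and the assumption that a realm stanza overrides [kdcdefaults] (MIT krb5's documented precedence) are constructed for the example.

```python
import re

# Constructed sample in the krb5 profile format, modelled on the patched template.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
 restrict_anonymous_to_tgt = true
[realms]
 EXAMPLE.TEST = {
  master_key_type = aes256-cts
  restrict_anonymous_to_tgt = false
 }
 OTHER.TEST = {
  max_life = 7d
 }
"""

def parse_kdc_conf(text):
    """[section] headers, 'key = value' relations, one level of 'name = { }' stanzas."""
    conf, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank or comment line
            continue
        header = re.match(r"\[(\S+)\]$", line)
        if header:                         # new section; any open stanza ends
            section, stanza = conf.setdefault(header.group(1), {}), None
            continue
        if line == "}":                    # end of a realm stanza
            stanza = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":                   # realm stanza opens
            stanza = section.setdefault(key, {})
        elif stanza is not None:
            stanza[key] = value
        else:
            section[key] = value
    return conf

def anonymous_tgt_only(conf):
    """Per realm: realm stanza beats [kdcdefaults]; unset everywhere is krb5's default, False."""
    default = conf.get("kdcdefaults", {}).get("restrict_anonymous_to_tgt", "false")
    result = {}
    for realm, opts in conf.get("realms", {}).items():
        flag = opts.get("restrict_anonymous_to_tgt", default) if isinstance(opts, dict) else default
        result[realm] = flag.lower() in ("true", "yes", "on", "1")
    return result
```

A realm that reports False here accepts anonymous tickets at every service, which is exactly the case the template change is meant to close by default.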