Re: [Freeipa-devel] [PATCH] restrict setkeytab operation

2016-10-26 Thread Martin Basti 



On 31.08.2016 14:36, Martin Basti wrote:




On 26.07.2016 13:38, Simo Sorce wrote:

On Mon, 2016-07-25 at 11:26 -0400, Simo Sorce wrote:

On Mon, 2016-07-25 at 11:10 -0400, Rob Crittenden wrote:

Simo Sorce wrote:

On Mon, 2016-07-25 at 10:55 -0400, Rob Crittenden wrote:

Simo Sorce wrote:

As described in #232 start restricting the use of the setkeytab
operation to just the computers objects.

I haven't tested this with older RHEL/CentOS machines that actully use
the setkeytab operation as I do not have such an old VM handy right now.

Meanwhile I'd like to know if ppl agree with this approach.

What about services?

Do we automatically acquire keytab for services in the old clients ?

Are you thinking about scripted ipa-getkytab callouts ?

You are limiting access to host keytabs, what about service keytabs?
Should they be or are they now similarly restricted?

Installers for something like Foreman may try to generate a service
keytab in its installer, probably using admin credentials. I am planning
to do the same in Openstack.

Ok I'll amend the patch to allow service keytabs to still use the
setkeytab control still, and restrict only users.
However note that the idea of using this method is that admin can change
this default on their own, so they can restrict more or less if they
want, to that end I need to remember how to set a default that we do not
override in the update file.

Simo.


Amended patch to allow services too.
Only users are excluded.

Simo.





bump for review



bump for review
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] restrict setkeytab operation

2016-08-31 Thread Martin Basti 



On 26.07.2016 13:38, Simo Sorce wrote:

On Mon, 2016-07-25 at 11:26 -0400, Simo Sorce wrote:

On Mon, 2016-07-25 at 11:10 -0400, Rob Crittenden wrote:

Simo Sorce wrote:

On Mon, 2016-07-25 at 10:55 -0400, Rob Crittenden wrote:

Simo Sorce wrote:

As described in #232 start restricting the use of the setkeytab
operation to just the computers objects.

I haven't tested this with older RHEL/CentOS machines that actully use
the setkeytab operation as I do not have such an old VM handy right now.

Meanwhile I'd like to know if ppl agree with this approach.

What about services?

Do we automatically acquire keytab for services in the old clients ?

Are you thinking about scripted ipa-getkytab callouts ?

You are limiting access to host keytabs, what about service keytabs?
Should they be or are they now similarly restricted?

Installers for something like Foreman may try to generate a service
keytab in its installer, probably using admin credentials. I am planning
to do the same in Openstack.

Ok I'll amend the patch to allow service keytabs to still use the
setkeytab control still, and restrict only users.
However note that the idea of using this method is that admin can change
this default on their own, so they can restrict more or less if they
want, to that end I need to remember how to set a default that we do not
override in the update file.

Simo.


Amended patch to allow services too.
Only users are excluded.

Simo.





bump for review
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] restrict setkeytab operation

2016-07-26 Thread Simo Sorce 
On Mon, 2016-07-25 at 11:26 -0400, Simo Sorce wrote:
> On Mon, 2016-07-25 at 11:10 -0400, Rob Crittenden wrote:
> > Simo Sorce wrote:
> > > On Mon, 2016-07-25 at 10:55 -0400, Rob Crittenden wrote:
> > >> Simo Sorce wrote:
> > >>> As described in #232 start restricting the use of the setkeytab
> > >>> operation to just the computers objects.
> > >>>
> > >>> I haven't tested this with older RHEL/CentOS machines that actully use
> > >>> the setkeytab operation as I do not have such an old VM handy right now.
> > >>>
> > >>> Meanwhile I'd like to know if ppl agree with this approach.
> > >>
> > >> What about services?
> > >
> > > Do we automatically acquire keytab for services in the old clients ?
> > >
> > > Are you thinking about scripted ipa-getkytab callouts ?
> > 
> > You are limiting access to host keytabs, what about service keytabs? 
> > Should they be or are they now similarly restricted?
> > 
> > Installers for something like Foreman may try to generate a service 
> > keytab in its installer, probably using admin credentials. I am planning 
> > to do the same in Openstack.
> 
> Ok I'll amend the patch to allow service keytabs to still use the
> setkeytab control still, and restrict only users.
> However note that the idea of using this method is that admin can change
> this default on their own, so they can restrict more or less if they
> want, to that end I need to remember how to set a default that we do not
> override in the update file.
> 
> Simo.
> 
Amended patch to allow services too.
Only users are excluded.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From e91403837f1ca679898030591f3fcc64f9378b98 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 25 Jul 2016 06:46:24 -0400
Subject: [PATCH] Restrict the old setkeytab operation

Allow it only to set computers/services keys by default. This is to allow
older clients to join a newer IPA Server and manage their service. But at
the same time prevent users from bypassing password policies by using this
old broken interface.

Ticket: https://fedorahosted.org/freeipa/ticket/232

Signed-off-by: Simo Sorce 
---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 13 -
 install/updates/20-aci.update   |  4 
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 3c2c44f6198bf74615fff1ae231a48bed77526ee..48880cdb74d2d12f016905c151f8fa9ad36c6d8a 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -1171,6 +1171,8 @@ done:
 return rc;
 }
 
+#define SETKEYS_OP_CHECK "ipaProtectedOperation;set_keys"
+
 /* Password Modify Extended operation plugin function */
 static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 {
@@ -1238,15 +1240,24 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 goto free_and_return;
 }
 
-/* Accesseck strategy:
+/* Access check strategy:
  * If the user has WRITE access, a new keytab can be set on the entry.
  * If not, then we fail immediately with insufficient access. This
  * means that we don't leak any useful information to the client such
  * as current password wrong, etc.
+ *
+ * In addition to the historic check, we now also check if the setkeytab
+ * operation is allowed at all.
  */
 allowed_access = is_allowed_to_access_attr(pb, bindDN, targetEntry,
"krbPrincipalKey", NULL,
SLAPI_ACL_WRITE);
+if (allowed_access) {
+/* check if we are allowed to *set* keys */
+allowed_access = is_allowed_to_access_attr(pb, bindDN, targetEntry,
+   SETKEYS_OP_CHECK, NULL,
+   SLAPI_ACL_WRITE);
+}
 if (!allowed_access) {
 LOG_FATAL("Access not allowed to set keytab on [%s]!\n",
   serviceName);
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index e9c10f54aadf5062c5a03f0d4b36343079462919..b12018004d6dfc51aabd5d6a006ee62660914dd6 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -113,6 +113,10 @@ add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Group
 add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey themselves"; allow(write) userdn="ldap:///self;;)
 add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Admins are allowed to rekey any entity"; allow(write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)
 add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targetattr="ipaProtectedOperation;write_keys")(version

Re: [Freeipa-devel] [PATCH] restrict setkeytab operation

2016-07-25 Thread Simo Sorce 
On Mon, 2016-07-25 at 11:10 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Mon, 2016-07-25 at 10:55 -0400, Rob Crittenden wrote:
> >> Simo Sorce wrote:
> >>> As described in #232 start restricting the use of the setkeytab
> >>> operation to just the computers objects.
> >>>
> >>> I haven't tested this with older RHEL/CentOS machines that actully use
> >>> the setkeytab operation as I do not have such an old VM handy right now.
> >>>
> >>> Meanwhile I'd like to know if ppl agree with this approach.
> >>
> >> What about services?
> >
> > Do we automatically acquire keytab for services in the old clients ?
> >
> > Are you thinking about scripted ipa-getkytab callouts ?
> 
> You are limiting access to host keytabs, what about service keytabs? 
> Should they be or are they now similarly restricted?
> 
> Installers for something like Foreman may try to generate a service 
> keytab in its installer, probably using admin credentials. I am planning 
> to do the same in Openstack.

Ok I'll amend the patch to allow service keytabs to still use the
setkeytab control still, and restrict only users.
However note that the idea of using this method is that admin can change
this default on their own, so they can restrict more or less if they
want, to that end I need to remember how to set a default that we do not
override in the update file.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] restrict setkeytab operation

2016-07-25 Thread Rob Crittenden 

Simo Sorce wrote:

On Mon, 2016-07-25 at 10:55 -0400, Rob Crittenden wrote:

Simo Sorce wrote:

As described in #232 start restricting the use of the setkeytab
operation to just the computers objects.

I haven't tested this with older RHEL/CentOS machines that actully use
the setkeytab operation as I do not have such an old VM handy right now.

Meanwhile I'd like to know if ppl agree with this approach.


What about services?


Do we automatically acquire keytab for services in the old clients ?

Are you thinking about scripted ipa-getkytab callouts ?


You are limiting access to host keytabs, what about service keytabs? 
Should they be or are they now similarly restricted?


Installers for something like Foreman may try to generate a service 
keytab in its installer, probably using admin credentials. I am planning 
to do the same in Openstack.


rob

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] restrict setkeytab operation

2016-07-25 Thread Alexander Bokovoy 

On Mon, 25 Jul 2016, Simo Sorce wrote:

On Mon, 2016-07-25 at 10:55 -0400, Rob Crittenden wrote:

Simo Sorce wrote:
> As described in #232 start restricting the use of the setkeytab
> operation to just the computers objects.
>
> I haven't tested this with older RHEL/CentOS machines that actully use
> the setkeytab operation as I do not have such an old VM handy right now.
>
> Meanwhile I'd like to know if ppl agree with this approach.

What about services?


Do we automatically acquire keytab for services in the old clients ?

Are you thinking about scripted ipa-getkytab callouts ?

There are people still using ipa 3.0 clients and scripting around it,
both with RHEL 6.x and CentOS 6.x. I wouldn't break those on purpose.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] restrict setkeytab operation

2016-07-25 Thread Simo Sorce 
On Mon, 2016-07-25 at 10:55 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > As described in #232 start restricting the use of the setkeytab
> > operation to just the computers objects.
> >
> > I haven't tested this with older RHEL/CentOS machines that actully use
> > the setkeytab operation as I do not have such an old VM handy right now.
> >
> > Meanwhile I'd like to know if ppl agree with this approach.
> 
> What about services?

Do we automatically acquire keytab for services in the old clients ?

Are you thinking about scripted ipa-getkytab callouts ?

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] restrict setkeytab operation

2016-07-25 Thread Rob Crittenden 

Simo Sorce wrote:

As described in #232 start restricting the use of the setkeytab
operation to just the computers objects.

I haven't tested this with older RHEL/CentOS machines that actully use
the setkeytab operation as I do not have such an old VM handy right now.

Meanwhile I'd like to know if ppl agree with this approach.


What about services?

rob

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code