[Bug 1791325] Re: freeipa server needs read access /var/lib/krb5kdc

2018-09-07 Thread Timo Aaltonen
*** This bug is a duplicate of bug 1772447 ***
https://bugs.launchpad.net/bugs/1772447

This has already been fixed on freeipa git to use another path for these
(/var/lib/ipa/certs/)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1791325

Title:
  freeipa server needs read access /var/lib/krb5kdc

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1791325/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1791325] Re: freeipa server needs read access /var/lib/krb5kdc

2018-09-07 Thread Sam Hartman
*** This bug is a duplicate of bug 1772447 ***
https://bugs.launchpad.net/bugs/1772447

I agree with Russ.
On the Debian side, I would not support a change to krb5-kdc to make
/var/lib/krb5kdc world readable.
I think putting the public cert in /etc/krb5kdc is fine: I can make a
case it's configuration not state.
If you don't like that, place it somewhere else under /var/lib.


Re: [Bug 1791325] Re: freeipa server needs read access /var/lib/krb5kdc

2018-09-07 Thread Russ Allbery
*** This bug is a duplicate of bug 1772447 ***
https://bugs.launchpad.net/bugs/1772447

keestux writes:

> That anonymous PKINIT is required right now to enable two-factor
> authentication login to web UI because since FreeIPA 4.5 we cannot use
> HTTP service keytab anymore: FreeIPA framework lost access to the keytab
> due to privilege separation work we did (read
> https://vda.li/en/docs/freeipa-debug-privsep/ for details)

> Since your KDC PKINIT certificate might be issued by a local self-signed
> certmonger 'CA' in case you are not using integrated FreeIPA CA, we have
> to be able to trust *that* public KDC certificate when running 'kinit
> -n', thus we need access to it."

> He also suggested that this should be changed in Ubuntu. If the directory
> /var/lib/krb5kdc becomes readable (perhaps chmod 711) then it would solve
> this issue.

It seems rather ironic that privilege separation leads to a request to
grant FreeIPA access to (admittedly only the directory of) the single most
sensitive and security-critical component of the entire Kerberos
infrastructure.

I think there should be some other way of solving this.  The public KDC
certificate is, well, public, so maybe don't put it in /var/lib/krb5kdc,
which is not?  (I always put mine in /etc/krb5kdc.)

-- 
Russ Allbery (r...@debian.org)   


[Bug 1791325] Re: freeipa server needs read access /var/lib/krb5kdc

2018-09-07 Thread Timo Aaltonen
*** This bug is a duplicate of bug 1772447 ***
https://bugs.launchpad.net/bugs/1772447

** This bug has been marked a duplicate of bug 1772447
   freeipa installation - directory /var/lib/krb5kdc is not accessible by Apache


[Bug 1791325] Re: freeipa server needs read access /var/lib/krb5kdc

2018-09-07 Thread keestux
There was a discussion on the freeipa users list and Alexander Bokovoy was
kind enough to explain what was happening.

"We need access to the KDC's public certificate in case we are dealing
with a KDC certificate issued by a local certmonger (self-signed) which
is not trusted by the machine.

You can read https://www.freeipa.org/page/V4/Kerberos_PKINIT for
details. A short version is:

When you install 4.5 with --no-pkinit, the installer will generate
self-signed certificate for PKINIT. This certificate is only used and
trusted by IPA Web UI running on the same server to obtain an anonymous
ticket.

That anonymous PKINIT is required right now to enable two-factor
authentication login to web UI because since FreeIPA 4.5 we cannot use
HTTP service keytab anymore: FreeIPA framework lost access to the keytab
due to privilege separation work we did (read
https://vda.li/en/docs/freeipa-debug-privsep/ for details)

Since your KDC PKINIT certificate might be issued by a local self-signed
certmonger 'CA' in case you are not using integrated FreeIPA CA, we have
to be able to trust *that* public KDC certificate when running 'kinit
-n', thus we need access to it."

He also suggested that this should be changed in Ubuntu. If the directory
/var/lib/krb5kdc becomes readable (perhaps chmod 711) then it would solve
this issue.

The directory /var/lib/krb5kdc is part of the package krb5-kdc.

** Also affects: krb5 (Ubuntu)
   Importance: Undecided
   Status: New

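The thread boils down to a filesystem layout question: the KDC state directory must stay closed to everyone but root, while the public PKINIT certificate that `kinit -n` needs to trust has to be readable by an unprivileged service. The following POSIX sh audit is an added example written for this page; it is not code from the bug thread, from FreeIPA or from the Debian/Ubuntu krb5 packages. It takes the KDC state directory and the certificate path as arguments, assumes GNU stat(1)'s `%a` octal output, and its demo builds a throwaway temporary tree (the `chmod 711` layout the report asked for next to the "cert outside the directory" layout the replies prefer), so it touches nothing on a real system.

```shell
#!/bin/sh
# Added example, not code from the bug thread, FreeIPA or the krb5 packages.
# Audits the layout the replies argue for: the KDC state directory stays
# closed to group/other, and the public PKINIT certificate lives outside it
# in a world-readable file, so no chmod 711 on /var/lib/krb5kdc is needed.
# Assumptions: POSIX sh plus GNU stat(1) "%a"; paths are passed as arguments.

# Print the three permission digits of a path (special bits stripped), e.g. 700.
octal_mode() {
    m=$(stat -c '%a' "$1") || return 1
    while [ "${#m}" -gt 3 ]; do m=${m#?}; done
    printf '%s\n' "$m"
}

# 0 when group and other have no bits at all on the KDC state directory.
# 711 fails here: the execute bit lets any local user traverse into it.
kdc_dir_private() {
    m=$(octal_mode "$1") || return 1
    case "$m" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# 0 when "other" can read the file; a public KDC cert should pass this.
world_readable() {
    m=$(octal_mode "$1") || return 1
    case "$m" in
        ??[4567]) return 0 ;;
        *)        return 1 ;;
    esac
}

# 0 when CERT is not under KDC_DIR (string prefix check; symlinks are not resolved).
cert_outside_kdc_dir() {
    cert=$1 dir=${2%/}
    case "$cert" in
        "$dir"/*) return 1 ;;
        *)        return 0 ;;
    esac
}

# Run all three checks, report each, return 0 only if every one passes.
audit_pkinit_layout() {
    kdc_dir=$1 cert=$2 rc=0
    if kdc_dir_private "$kdc_dir"; then
        echo "ok:   $kdc_dir closed to group/other"
    else
        echo "FAIL: $kdc_dir mode $(octal_mode "$kdc_dir") grants access to group/other"; rc=1
    fi
    if cert_outside_kdc_dir "$cert" "$kdc_dir"; then
        echo "ok:   $cert is outside the KDC state directory"
    else
        echo "FAIL: $cert is inside $kdc_dir, so readers need traversal rights there"; rc=1
    fi
    if world_readable "$cert"; then
        echo "ok:   $cert is world-readable"
    else
        echo "FAIL: $cert mode $(octal_mode "$cert") is not readable by other users"; rc=1
    fi
    return "$rc"
}

# Demo on a constructed temporary tree: the layout the bug asked for
# (directory opened to 711, cert inside it) beside the one the replies prefer
# (directory 700, cert under an etc-style directory). Nothing real is touched.
demo_layouts() {
    t=$(mktemp -d) || return 1
    mkdir -m 711 "$t/weak_krb5kdc"
    : > "$t/weak_krb5kdc/kdc.crt"; chmod 644 "$t/weak_krb5kdc/kdc.crt"
    mkdir -m 700 "$t/krb5kdc"
    mkdir -m 755 "$t/etc_krb5kdc"
    : > "$t/etc_krb5kdc/kdc.crt"; chmod 644 "$t/etc_krb5kdc/kdc.crt"
    echo "== weak layout (chmod 711 on the KDC directory) =="
    audit_pkinit_layout "$t/weak_krb5kdc" "$t/weak_krb5kdc/kdc.crt" || true
    echo "== preferred layout (public cert kept outside) =="
    audit_pkinit_layout "$t/krb5kdc" "$t/etc_krb5kdc/kdc.crt" || true
    rm -rf "$t"
}

demo_layouts
```

Pointing the script at a real server would be `audit_pkinit_layout /var/lib/krb5kdc /etc/krb5kdc/kdc.crt` (or the `/var/lib/ipa/certs/` path Timo mentions). The prefix check deliberately does not follow symlinks, so a symlink from a public location into the private directory will pass it while still failing for the service at runtime; resolve paths first if that matters in your deployment.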