[16623] in Kerberos-V5-bugs


[krbdev.mit.edu #8949] Provide Means to Prevent a User Changing its

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Wed Sep 16 18:37:41 2020

From: "Greg Hudson via RT" <rt@krbdev.mit.edu>
In-Reply-To: <6431e77f71529406c93d3ee64caf1a15e6b4f561.camel@aegee.org>
Message-ID: <rt-4.4.4-12646-1600295838-3.8949-5-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #8949":;
Date: Wed, 16 Sep 2020 18:37:18 -0400
MIME-Version: 1.0
Reply-To: rt@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8949 >

Note that every user of the demo account will be able to decrypt every other
user's communications, unless SPAKE preauth is used (and even then an MITM
attack is likely possible).

I believe this use case is currently possible in three suboptimal ways, the
first of which is probably easiest:

1. Set a long min_life on the principal.

2. Provide a password quality plugin module which always fails the quality
check for this principal.

3. Disable the "self" kadm5_auth module, and instead provide a new module which
enables self-service for every principal but this one.


_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
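Added example, not code from the ticket or from MIT krb5: the first workaround above (a long minimum password life) expressed as the kadmin.local command sequence an administrator would run on the KDC. In MIT kadmin, minlife is an attribute of a password policy rather than of the principal itself, so the script creates a policy and then attaches it to the principal. The principal name demo@EXAMPLE.COM and the policy name no-self-pwchange are placeholders. As I understand kadmind's behavior, the minimum-life check is applied only to self-service changes (kpasswd, or a principal changing its own password through kadmin), so administrators holding changepw privilege can still reset the password; the check is also skipped when the principal carries the requires_pwchange attribute, so do not set +needchange on the demo principal.

```shell
#!/bin/sh
# Added example (not from the ticket or from MIT krb5): block self-service
# password changes on one principal by attaching a password policy whose
# minimum life is effectively "forever".
# Assumptions: MIT kadmin.local is on PATH on the KDC; demo@EXAMPLE.COM and
# no-self-pwchange are placeholder names.

# Emit the kadmin command sequence, one command per line.
# minlife is parsed into a krb5_deltat (32-bit seconds), so it must stay
# well below ~68 years; 7300 days is about 20 years.
lock_pwchange_cmds() {
    princ="$1"
    policy="${2:-no-self-pwchange}"
    # 1. Create the policy carrying the long minimum life.
    printf 'add_policy -minlife "7300 days" %s\n' "$policy"
    # 2. Attach the policy to the principal.
    printf 'modify_principal -policy %s %s\n' "$policy" "$princ"
    # 3. Show the principal so the "Policy:" line can be checked by eye.
    printf 'get_principal %s\n' "$princ"
}

# Number of commands generated, useful as a sanity check in scripts.
lock_pwchange_cmd_count() {
    lock_pwchange_cmds "$@" | wc -l | tr -d ' '
}

# Apply the change when kadmin.local is available (i.e. on the KDC);
# elsewhere just print the commands for review.
apply_lock() {
    if command -v kadmin.local >/dev/null 2>&1; then
        lock_pwchange_cmds "$@" | kadmin.local
    else
        lock_pwchange_cmds "$@"
    fi
}

# Usage on the KDC:
#   apply_lock demo@EXAMPLE.COM
```

After applying, `get_principal demo@EXAMPLE.COM` should list the new policy on its Policy line, and a `kpasswd` attempt as that principal should be rejected with a "too soon" error; a privileged `change_password` from kadmin still works, which is the intended split for a shared demo account.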
