A flaw was found that allows any unauthenticated party to easily run a DoS attack against Kerberized services in a FreeIPA/IdM realm.

FreeIPA ships the MIT KDC as its main component and uses a custom database driver for the KDC. As a side effect of that implementation, FreeIPA enforces password policies for all principals, including service principals that never use a password at all and instead authenticate with a keytab holding a randomly generated, strong key. The default password policy locks an account after 5 unsuccessful authentication attempts for 10 minutes. Because the failure counter is applied to every principal, an attacker needs no credentials: sending 5 failed authentication requests for a principal name is enough to lock that principal out, including the principals of system services.

Upstream patch:
https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=6f1d927467e7907fd1991f88388d96c67c9bff61

Additional dependency:
https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=73f33569c8893610e246b2f44a7aeaec872b37e6
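The lockout behaviour described above, together with a check an operator can run over krb5kdc.log to spot it being exploited, as an added example that is not part of this report and not FreeIPA or MIT krb5 code. The policy model uses the defaults quoted in the description (5 failures, 10 minutes); the "exempt_random_keys" switch is an assumption about the corrected behaviour (keytab-only principals not subject to the failure counter) and does not reproduce the upstream patch itself. The krb5kdc.log line layout, the principal names and the IP addresses are constructed.

```python
"""Added example (not FreeIPA or MIT krb5 code): a model of the lockout
behaviour described in the report, and a scan of constructed krb5kdc.log
lines that flags an attacker driving a keytab-only service principal into
lockout. Log line layout, principal names and addresses are assumptions."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class PwPolicy:
    """Defaults match the FreeIPA global policy quoted in the report."""
    maxfail: int = 5
    lockouttime: timedelta = timedelta(minutes=10)


@dataclass
class Principal:
    name: str
    uses_password: bool          # False for keytab-only principals (random key)
    failcount: int = 0
    last_failed: Optional[datetime] = None


def record_failure(p: Principal, now: datetime) -> None:
    """What the KDC does on every failed pre-authentication for `p`."""
    p.failcount += 1
    p.last_failed = now


def is_locked(p: Principal, policy: PwPolicy, now: datetime,
              exempt_random_keys: bool) -> bool:
    """exempt_random_keys=False reproduces the flawed behaviour (policy applied
    to every principal); True models the corrected behaviour assumed here, where
    a principal that never authenticates with a password is not counted."""
    if exempt_random_keys and not p.uses_password:
        return False
    if p.failcount < policy.maxfail or p.last_failed is None:
        return False
    return now - p.last_failed < policy.lockouttime


def simulate_attack(target_uses_password: bool, exempt_random_keys: bool,
                    attempts: int = 5, wait_seconds: int = 0) -> bool:
    """An unauthenticated attacker sends `attempts` bogus AS-REQs for the
    target, one per second; returns whether the target is locked out
    `wait_seconds` after the last attempt."""
    policy = PwPolicy()
    target = Principal("HTTP/ipa.example.test@EXAMPLE.TEST", target_uses_password)
    t0 = datetime(2016, 12, 14, 10, 0, 0)
    for i in range(attempts):
        record_failure(target, t0 + timedelta(seconds=i))
    now = t0 + timedelta(seconds=attempts + wait_seconds)
    return is_locked(target, policy, now, exempt_random_keys)


# Constructed krb5kdc.log excerpt: five pre-auth failures from one source
# against a service principal, the resulting lockout, and an unrelated
# successful user logon. Field order follows MIT KDC logging (assumption).
SAMPLE_LOG = "\n".join(
    [f"Dec 14 10:00:0{i} ipa krb5kdc[1234](info): AS_REQ (4 etypes {{18 17 16 23}}) "
     "10.0.0.5: PREAUTH_FAILED: HTTP/ipa.example.test@EXAMPLE.TEST for "
     "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed"
     for i in range(1, 6)]
    + ["Dec 14 10:00:07 ipa krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) "
       "10.0.0.5: CLIENT LOCKED OUT: HTTP/ipa.example.test@EXAMPLE.TEST for "
       "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client's credentials have been revoked",
       "Dec 14 10:00:09 ipa krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) "
       "10.0.0.7: ISSUE: authtime 1481709609, etypes {rep=18 tkt=18 ses=18}, "
       "alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST"]
)

KDC_LINE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ krb5kdc\[\d+\]\(info\): AS_REQ .*? "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_ ]+?): (?P<client>\S+) for (?P<server>[^,\s]+)"
)


def scan_kdc_log(log_text: str, threshold: int = PwPolicy.maxfail) -> dict:
    """Count AS-REQ pre-auth failures per (client principal, source IP) and
    report service principals (name contains '/') that reached the lockout
    threshold or were observed locked out. A keytab-only principal never
    mistypes a password, so such a burst is a lockout attempt, not a typo."""
    failures = Counter()
    locked = set()
    for line in log_text.splitlines():
        m = KDC_LINE.match(line)
        if not m:
            continue                       # successful issues etc. are skipped
        key = (m["client"], m["ip"])
        if m["status"] == "PREAUTH_FAILED":
            failures[key] += 1
        elif m["status"] == "CLIENT LOCKED OUT":
            locked.add(key)
    return {
        key: {"failures": failures[key], "locked": key in locked}
        for key in set(failures) | locked
        if "/" in key[0] and (failures[key] >= threshold or key in locked)
    }


if __name__ == "__main__":
    print("keytab principal, flawed KDC :", simulate_attack(False, False))
    print("keytab principal, fixed KDC  :", simulate_attack(False, True))
    print("password user, fixed KDC     :", simulate_attack(True, True))
    print("suspicious lockouts          :", scan_kdc_log(SAMPLE_LOG))
```

Run against a real krb5kdc.log after adjusting KDC_LINE to the exact format the deployed KDC writes; the filter on "/" in the client name is what separates a service principal being targeted from a user who mistyped a password a few times.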
Acknowledgments: Petr Spacek (Red Hat)
Created freeipa tracking bugs for this issue: Affects: fedora-all [bug 1404690]
Comment on attachment 1230758: Patch obsoleting patch: see the description for the list of upstream patches.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:0001 https://rhn.redhat.com/errata/RHSA-2017-0001.html