Bug 459037

Summary: the setkeytab extended operation may allow users to set a password ignoring password policies
Product: [Retired] freeIPA
Reporter: Simo Sorce <ssorce>
Component: ipa-server
Assignee: Simo Sorce <ssorce>
Status: CLOSED DEFERRED
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: high
Version: 1.0
CC: dpal, jgalipea, mkosek, rcritten
Target Milestone: future release
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-01-21 12:31:02 UTC
Bug Blocks: 431020

Description Simo Sorce 2008-08-13 20:52:50 UTC
As currently built, the setkeytab extended operation (implemented in the ipa-pwd-extop plugin) allows a user with enough permissions to set Kerberos keys in LDAP.
The keys transmitted are already encoded, and therefore it is not possible to inspect the originating secret to apply password policies.
While the only current client (ipa-getkeytab) does not allow setting arbitrary passwords, a new set of patches has been proposed on the freeipa-devel list to allow it.
Appropriate restrictions on which accounts can be changed through this extended operation should be enforced, or possibly a new version of the same interface should be developed to allow application of password policies before the change is granted.
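The design concern in the description above, modelled as a small Python example that is not part of FreeIPA or the ipa-pwd-extop plugin: a request carrying pre-encoded keys cannot be checked against password policy, so it is gated on the type of the target principal, while a request carrying the password itself runs the policy before any keys would be derived. The request format, principal names and policy thresholds are constructed assumptions.

```python
import re
from typing import List, Tuple

# Hypothetical policy thresholds (constructed sample values, not FreeIPA defaults).
MIN_LENGTH = 8
MIN_CLASSES = 3
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = sum(bool(re.search(pattern, password)) for pattern in CHARACTER_CLASSES)
    if classes < MIN_CLASSES:
        problems.append("uses %d character classes, policy requires %d" % (classes, MIN_CLASSES))
    return problems


def is_service_principal(principal: str) -> bool:
    """host/fqdn@REALM or HTTP/fqdn@REALM carry an instance component; user principals do not."""
    name = principal.split("@", 1)[0]
    return "/" in name


def allow_encoded_keys(target_principal: str) -> Tuple[bool, str]:
    """Gate for the setkeytab-style path: the secret is not visible, so only accept
    targets whose keys are random anyway and never subject to password policy."""
    if is_service_principal(target_principal):
        return True, "service/host principal: random keys, password policy does not apply"
    return False, "user principal: keys must come from a password checked against policy"


def handle_key_change(request: dict) -> Tuple[bool, str]:
    """Dispatch a constructed request of the form
    {"target": principal, "kind": "encoded_keys"} or
    {"target": principal, "kind": "password", "password": secret}."""
    if request["kind"] == "encoded_keys":
        return allow_encoded_keys(request["target"])
    if request["kind"] == "password":
        problems = check_password_policy(request["password"])
        if problems:
            return False, "password rejected: " + "; ".join(problems)
        return True, "password accepted, keys may be derived server side"
    return False, "unknown request kind"
```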

Comment 3 Rob Crittenden 2010-09-15 17:59:57 UTC
https://fedorahosted.org/freeipa/ticket/232

Comment 5 Martin Kosek 2015-01-21 12:31:02 UTC
Thank you for taking your time and submitting this request for FreeIPA in Fedora. Unfortunately, this bug was not given a priority and was deferred both in Fedora and in the upstream FreeIPA project.

Given that we are unable to fulfill this request in the following Fedora releases, I am closing the Bugzilla as DEFERRED. To request reconsideration of this decision, please reopen this Bugzilla and provide additional technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.