Red Hat Bugzilla – Bug 459037
the setkeytab extended operation may allow users to set a password ignoring password policies
Last modified: 2015-01-21 07:31:02 EST
As currently built the setkeytab extended operation (implemented in ipa-pwd-extop plugin) allows a user with enough permissions to set kerberos keys in ldap.
The keys transmitted are already encoded and therefore it is not possible to inspect the originating secret to apply password policies.
While the only current client (ipa-getkeytab) does not allow setting arbitrary passwords, a new set of patches has been proposed on the freeipa-devel list to allow it.
Appropriate restrictions on which accounts can be changed through this extended operation should be enforced, possibly a new version of the same interface developed to allow application of password policies before the change is granted.
Thank you taking your time and submitting this request for FreeIPA in Fedora. Unfortunately, this bug was not given a priority and was deferred both in Fedora and in the upstream FreeIPA project.
Given that we are unable to fulfill this request in following Fedora releases, I am closing the Bugzilla as DEFERRED. To request re-consideration of this decision please reopen this Bugzilla and provide additional technical details about its importance to you.
Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.