Bug 459037 - the setkeytab extended operation may allow users to set a password ignoring password policies
Status: CLOSED DEFERRED
Product: freeIPA
Classification: Community
Component: ipa-server
Version: 1.0
Hardware: All Linux
Priority: high, Severity: medium
: future release
: ---
Assigned To: Simo Sorce
Ben Levenson
:
Depends On:
Blocks: 431020
Reported: 2008-08-13 16:52 EDT by Simo Sorce
Modified: 2015-01-21 07:31 EST
Doc Type: Bug Fix
Last Closed: 2015-01-21 07:31:02 EST
Description Simo Sorce 2008-08-13 16:52:50 EDT
As currently built, the setkeytab extended operation (implemented in the ipa-pwd-extop plugin) allows a user with enough permissions to set Kerberos keys in LDAP.
The keys transmitted are already encoded and therefore it is not possible to inspect the originating secret to apply password policies.
While the only current client (ipa-getkeytab) does not allow setting arbitrary passwords, a new set of patches has been proposed on the freeipa-devel list to allow it.
Appropriate restrictions on which accounts can be changed through this extended operation should be enforced, possibly a new version of the same interface developed to allow application of password policies before the change is granted.
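
An added illustration of the problem described above, not part of the bug report or of FreeIPA's code: a server that receives only a derived key cannot tell a one-character secret from a strong one, so the only check left is on which account is being changed. The PBKDF2 derivation is a simplified stand-in for a Kerberos string-to-key function, and `handle_set_keys`, the `"service"`/`"user"` classification, the policy values and the salt are assumptions made for this example.

```python
import hashlib

MIN_LENGTH = 8  # constructed policy value for this example


def derive_key(password: str, salt: str) -> bytes:
    """Client side: turn a secret into a 32-byte key with PBKDF2-HMAC-SHA1.
    Simplified stand-in for a Kerberos AES string-to-key (assumption)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)


def password_meets_policy(password: str) -> bool:
    """A policy check of the usual kind: it needs the plaintext secret."""
    classes = sum(any(test(c) for c in password)
                  for test in (str.islower, str.isupper, str.isdigit))
    return len(password) >= MIN_LENGTH and classes >= 2


def handle_set_keys(target_kind: str, key: bytes) -> str:
    """Hypothetical server-side gate for a keys-only operation.
    The server holds only `key`, so no check on the originating secret is
    possible; the decision is made on the kind of account instead."""
    if len(key) != 32:
        return "reject: malformed key"
    if target_kind != "service":  # assumed account classification
        return "reject: account is subject to password policy"
    return "accept"


SALT = "EXAMPLE.TESTalice"  # constructed realm + principal name
weak_key = derive_key("a", SALT)
strong_key = derive_key("Correct-Horse-42", SALT)

if __name__ == "__main__":
    # Plaintext check distinguishes the two secrets...
    print(password_meets_policy("a"), password_meets_policy("Correct-Horse-42"))
    # ...but the keys the server receives have the same shape.
    print(len(weak_key), len(strong_key))
    # Without an account restriction the weak key would be stored.
    print(handle_set_keys("user", weak_key))
    print(handle_set_keys("service", strong_key))
```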
Comment 3 Rob Crittenden 2010-09-15 13:59:57 EDT
https://fedorahosted.org/freeipa/ticket/232
Comment 5 Martin Kosek 2015-01-21 07:31:02 EST
Thank you for taking your time and submitting this request for FreeIPA in Fedora. Unfortunately, this bug was not given a priority and was deferred both in Fedora and in the upstream FreeIPA project.

Given that we are unable to fulfill this request in the following Fedora releases, I am closing the Bugzilla as DEFERRED. To request re-consideration of this decision, please reopen this Bugzilla and provide additional technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.
