freeipa/daemons
Alexander Bokovoy 00f8ddbfd2
ipa-kdb: add better detection of allowed user auth type
If the default user authentication type is set to a list that does not
include a password or a hardened credential, the resulting configuration
might be incorrect for special service principals, including a krbtgt/..
one.

Add detection of special principals to avoid these situations and always
allow password or hardened for services.

Special handling is needed for the following principals:

 - krbtgt/..       -- TGT service principals
 - K/M             -- master key principal
 - kadmin/changepw -- service for changing passwords
 - kadmin/kadmin   -- kadmin service principal
 - kadmin/history  -- key used to encrypt history

Additionally, implicitly allow password or hardened credential use for
IPA services and IPA hosts since applications typically use keytabs for
that purpose.

Fixes: https://pagure.io/freeipa/issue/9485

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-12-22 10:34:19 +01:00
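The check below is an added example, not code from ipa-kdb or from this commit. It shows one way to implement the detection the commit message describes: classify a principal by its name part (krbtgt/.. by prefix, K/M and the three kadmin/ principals by exact match), treat host and service entries the same way, and force password and hardened onto the effective auth-type set for those principals while leaving ordinary users with whatever the default says. Assumptions not taken from the page: the auth_type bitmask values, the entry_kind enum standing in for the directory lookup that tells ipa-kdb whether an entry is a host or a service, adding both password and hardened (rather than just one) for special principals, and a simplified principal parser that does not handle backslash-escaped '@' or '/'.

```c
/* Added example (not FreeIPA code). Compile: cc -std=c11 -Wall example.c */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed bitmask for user auth types; ipa-kdb's own representation differs. */
enum auth_type {
    AUTH_PASSWORD = 1 << 0,
    AUTH_RADIUS   = 1 << 1,
    AUTH_OTP      = 1 << 2,
    AUTH_PKINIT   = 1 << 3,
    AUTH_HARDENED = 1 << 4,
};

/* Assumed: the caller already knows from the directory entry what kind of
 * object the principal belongs to. This example does no LDAP lookup. */
enum entry_kind { ENTRY_USER, ENTRY_HOST, ENTRY_SERVICE };

/* Length of the name part before the realm. Simplified: a backslash-escaped
 * '@' inside a component is not handled. */
static size_t princ_name_len(const char *princ)
{
    const char *at = strrchr(princ, '@');
    return at ? (size_t)(at - princ) : strlen(princ);
}

/* True if the name part (realm stripped) equals `name` exactly. */
static bool name_equals(const char *princ, const char *name)
{
    size_t n = princ_name_len(princ);
    return strlen(name) == n && strncmp(princ, name, n) == 0;
}

/* True if the name part starts with `prefix` and has something after it, so
 * "krbtgt/" matches krbtgt/REALM but not a bare "krbtgt/" or "krbtgtfoo". */
static bool name_has_prefix(const char *princ, const char *prefix)
{
    size_t n = princ_name_len(princ);
    size_t p = strlen(prefix);
    return n > p && strncmp(princ, prefix, p) == 0;
}

/* The special principals listed in the commit message. */
bool is_special_principal(const char *princ)
{
    static const char *const exact[] = {
        "K/M",             /* master key principal */
        "kadmin/changepw", /* password change service */
        "kadmin/kadmin",   /* kadmin service */
        "kadmin/history",  /* key used to encrypt password history */
    };
    if (name_has_prefix(princ, "krbtgt/")) /* TGT service principals */
        return true;
    for (size_t i = 0; i < sizeof exact / sizeof exact[0]; i++)
        if (name_equals(princ, exact[i]))
            return true;
    return false;
}

/* Effective auth types: special principals, hosts and services always get
 * password and hardened (assumption: both flags are added), because their
 * keys live in keytabs and must keep working whatever the user default says.
 * Ordinary users keep the configured default unchanged. */
unsigned effective_auth_types(const char *princ, enum entry_kind kind,
                              unsigned configured)
{
    if (is_special_principal(princ) || kind == ENTRY_HOST ||
        kind == ENTRY_SERVICE)
        return configured | AUTH_PASSWORD | AUTH_HARDENED;
    return configured;
}

int main(void)
{
    /* Constructed sample: a site whose default user auth type is OTP only. */
    const unsigned site_default = AUTH_OTP;
    const struct { const char *princ; enum entry_kind kind; } samples[] = {
        { "alice@EXAMPLE.TEST",                 ENTRY_USER },
        { "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",   ENTRY_USER },
        { "K/M@EXAMPLE.TEST",                   ENTRY_USER },
        { "host/ipa.example.test@EXAMPLE.TEST", ENTRY_HOST },
        { "HTTP/ipa.example.test@EXAMPLE.TEST", ENTRY_SERVICE },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned eff = effective_auth_types(samples[i].princ, samples[i].kind,
                                            site_default);
        printf("%-40s special=%d password=%d hardened=%d\n", samples[i].princ,
               is_special_principal(samples[i].princ),
               (eff & AUTH_PASSWORD) != 0, (eff & AUTH_HARDENED) != 0);
    }
    return 0;
}
```

The prefix check keeps the trailing slash in "krbtgt/" on purpose: matching on "krbtgt" alone would also catch an unrelated user named krbtgtfoo, and requiring a non-empty instance after the slash rejects a malformed bare "krbtgt/".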
dnssec pylint: remove useless suppression 2023-01-10 08:30:58 +01:00
ipa-kdb ipa-kdb: add better detection of allowed user auth type 2023-12-22 10:34:19 +01:00
ipa-otpd ipa-otpd: add passkey_child_debug_level option 2023-06-01 08:20:37 +02:00
ipa-sam ipa-sam: retrieve trusted domain account credential from the TDO itself 2022-04-13 18:37:12 +02:00
ipa-slapi-plugins Issue 9497 - update debug logging in ipa_uuid 2023-12-14 09:24:46 +01:00
ipa-version.h.in Build: move version handling from Makefile to configure 2016-11-09 13:08:32 +01:00
Makefile.am build: Unify compiler warning flags used 2021-01-15 14:11:56 +01:00