Go to file
Julien Rische 4a61184da6
kdb: apply combinatorial logic for ticket flags
The initial design for ticket flags was implementing this logic:
* If a ticket policy is defined for the principal entry, use flags from
  this policy if they are set. Otherwise, use default ticket flags.
* If no ticket policy is defined for the principal entry, but there is a
  global one, use flags from the global ticket policy if they are set.
  Otherwise, use default ticket flags.
* If no policy (principal nor global) is defined, use default ticket
  flags.

However, this logic was broken by a1165ffb which introduced creation of
a principal-level ticket policy in case the ticket flag set is modified.
This was typically the case for the -allow_tix flag, which was set
virtually by the KDB driver when a user was locked until they initialize
their password on first kinit pre-authentication.

This was causing multiple issues, which are mitigated by the new
approach:

Now flags from each level are combined together. There flags like
+requires_preauth which are set systematically by the KDB diver, as
well as -allow_tix which is set based on the value of "nsAccountLock".
This commit also adds the implicit -allow_svr ticket flag for user
principals to protect users against Kerberoast-type attacks. None of
these flags are stored in the LDAP database, they are hard-coded in the
KDB driver.

In addition to these "virtual" ticket flags, flags from both global and
principal ticket policies are applied (if these policies exist).

Principal ticket policies are not supported for hosts and services, but
this is only an HTTP API limitation. The "krbTicketPolicyAux" object
class is supported for all account types. This is required for ticket
flags like +ok_to_auth_as_delegate. Such flags can be set using "ipa
host-mod" and "ipa serivce-mod", or using kadmin's "modprinc".

It is possible to ignore flags from the global ticket policy or default
flags like -allow_svr for a user principal by setting the
"final_user_tkt_flags" string attribute to "true" in kadmin. In this
case, any ticket flag can be configured in the principal ticket policy,
except requires_preauth and allow_tix.

When in IPA setup mode (using the "ipa-setup-override-restrictions" KDB
argument), all the system described above is disabled and ticket flags
are written in the principal ticket policy as they are provided. This is
required to initialize the Kerberos LDAP container during IPA server
installation.

This fixes CVE-2024-3183

Signed-off-by: Julien Rische <jrische@redhat.com>
2024-06-10 12:46:05 +02:00
.copr Adding auto COPR builds 2019-12-14 14:20:34 +02:00
.github Let GH auto-notify and auto-close stale PRs 2020-05-06 20:17:01 +02:00
asn1 fix minor spelling mistakes 2017-05-19 09:52:46 +02:00
client frontend: add systemd journal audit of executed API commands 2024-05-22 17:06:23 -04:00
contrib Replace usage of #!/usr/bin/env python3 with #!/usr/bin/python3 2023-05-31 09:21:48 +02:00
daemons kdb: apply combinatorial logic for ticket flags 2024-06-10 12:46:05 +02:00
doc kdb: fix vulnerability in GCD rules handling 2024-06-10 12:46:05 +02:00
init frontend: add systemd journal audit of executed API commands 2024-05-22 17:06:23 -04:00
install ipa-replica-manage list-ruvs: display FQDN in the output 2024-05-28 14:39:33 +02:00
ipaclient ipa-client-install: add support for sss_ssh_knownhosts 2024-05-17 09:53:53 +02:00
ipalib console: for public errors only print a final one 2024-05-28 11:14:35 +02:00
ipaplatform ipa-client-install: add support for sss_ssh_knownhosts 2024-05-17 09:53:53 +02:00
ipapython Support the certmonger nss-user option 2024-05-16 08:46:32 -04:00
ipaserver custodia: do not use deprecated jwcrypto wrappers 2024-05-23 15:12:27 -04:00
ipasphinx ipasphinx: Correct import of progress_message for Sphinx 6.1.0+ 2023-04-28 13:20:30 -04:00
ipatests batch: add keeponly option 2024-05-22 10:03:38 +02:00
po Update translations to FreeIPA master state 2024-05-28 16:11:04 +02:00
pypi Cleanup shebang and executable bit 2018-07-05 19:46:42 +02:00
selinux Add SELinux subpackage for Thales Luna HSM support 2024-05-16 08:46:32 -04:00
util kdb: apply combinatorial logic for ticket flags 2024-06-10 12:46:05 +02:00
.freeipa-pr-ci.yaml ipatests: revert wrong commit on gating definition 2021-11-02 11:40:25 +01:00
.git-commit-template Commit template: use either Fixes or Related 2022-02-14 11:21:01 +02:00
.gitignore gitignore: add install/oddjob/org.freeipa.server.config-enable-sid 2022-08-16 13:07:03 +02:00
.lgtm.yml Replace netifaces with ifaddr 2024-05-03 16:35:19 -04:00
.mailmap mailmap: add ftweedal 2020-11-11 14:08:35 +02:00
.readthedocs.yaml docs: add the readthedocs configuration 2022-05-04 09:36:40 +03:00
.tox-install.sh azure: Don't customize pip's builddir 2021-10-21 08:03:03 +02:00
.wheelconstraints.in pylint: updates related to deprecations 2024-01-09 08:40:47 +01:00
ACI.txt Add permissions for topologysegment 2024-05-22 10:00:39 +02:00
API.txt batch: add keeponly option 2024-05-22 10:03:38 +02:00
autogen.sh build tweaks - use automake's foreign mode, avoid creating empty files to satisfy gnu mode - run autoreconf -f to ensure that everything matches 2010-11-29 11:39:55 -05:00
BUILD.txt BUILD.txt: remove redundant dnf-builddep option 2022-07-05 14:26:52 +02:00
CODE_OF_CONDUCT.md Changing Django's CoC to reflect FreeIPA CoC 2018-03-26 09:51:25 +02:00
configure.ac frontend: add systemd journal audit of executed API commands 2024-05-22 17:06:23 -04:00
Contributors.txt Update list of contributors 2024-05-28 16:13:33 +02:00
COPYING Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
COPYING.openssl Add a clear OpenSSL exception. 2015-02-23 16:25:54 +01:00
freeipa.doap.rdf Adding modified DOAP file 2018-06-22 11:02:40 -04:00
freeipa.spec.in frontend: add systemd journal audit of executed API commands 2024-05-22 17:06:23 -04:00
gpgkey-0E63D716D76AC080A4A33513F40800B6298EB963.asc spec: verify upstream source signature 2023-04-18 08:32:54 +02:00
ipa.in Replace PYTHONSHEBANG with valid shebang 2019-06-24 09:35:57 +02:00
ipasetup.py.in Replace netifaces with ifaddr 2024-05-03 16:35:19 -04:00
make-doc Make an ipa-tests package 2013-06-17 19:22:50 +02:00
make-test Use pytest conftest.py and drop pytest.ini 2017-01-05 17:37:02 +01:00
makeaci.in Warn for permissions with read/write/search/compare and no attrs 2022-07-15 16:59:15 +02:00
makeapi.in doc: allow notes on Param API Reference pages 2023-03-29 10:53:25 +02:00
Makefile.am Add SELinux subpackage for Thales Luna HSM support 2024-05-16 08:46:32 -04:00
Makefile.python.am Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb 2017-03-15 13:48:23 +01:00
Makefile.pythonscripts.am ipa-scripts: fix all ipa command line scripts to operate with -I 2019-09-19 10:44:09 -04:00
makerpms.sh Fix unnecessary usrmerge assumptions 2019-04-17 13:56:05 +02:00
pylint_plugins.py pylint: updates related to deprecations 2024-01-09 08:40:47 +01:00
pylintrc Replace netifaces with ifaddr 2024-05-03 16:35:19 -04:00
README.md Update IRC links to point to Libera.chat 2021-05-27 18:26:28 +03:00
server.m4 ipa-pwd-extop: add MFA note in case of a successful LDAP bind with OTP 2024-03-12 13:53:11 +01:00
tox.ini rpcserver: validate Kerberos principal name before running kinit 2024-02-21 17:07:33 -05:00
VERSION.m4 Back to git snapshots 2024-05-28 16:26:57 +02:00

FreeIPA Server

FreeIPA allows Linux administrators to centrally manage identity, authentication and access control aspects of Linux and UNIX systems by providing simple to install and use command line and web based management tools.

FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.

FreeIPA can seamlessly integrate into an Active Directory environment via cross-realm Kerberos trust or user synchronization.

Benefits

FreeIPA:

  • Allows all your users to access all the machines with the same credentials and security settings
  • Allows users to access personal files transparently from any machine in an authenticated and secure way
  • Uses an advanced grouping mechanism to restrict network access to services and files only to specific users
  • Allows central management of security mechanisms like passwords, SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
  • Enables delegation of selected administrative tasks to other power users
  • Integrates into Active Directory environments

Components

The FreeIPA project provides unified installation and management tools for the following components:

Project Website

Releases, announcements and other information can be found on the IPA server project page at http://www.freeipa.org/ .

Documentation

The most up-to-date documentation can be found at http://freeipa.org/page/Documentation .

Quick Start

To get started quickly, start here: http://www.freeipa.org/page/Quick_Start_Guide

For developers

Licensing

Please see the file called COPYING.

Contacts