From 018266f9dcc06cedcfe679ed32870dd3eda2ece7 Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Thu, 29 Sep 2016 15:59:34 +0200
Subject: [PATCH] password policy: Add explicit default password policy for
hosts and services
Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
CoS so no attributes are really added.
The default policies effectively disable any enforcement or lockout for hosts
and services. Since hosts and services use keytabs passwords enforcements
|
|
|
53a374 |
doesn't make much sense. Also the lockout policy could be used for easy and
cheap DoS.
https://fedorahosted.org/freeipa/ticket/6561
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
---
install/updates/20-default_password_policy.update | 133 ++++++++++++++++++++++
install/updates/Makefile.am | 1 +
ipaserver/install/service.py | 1 +
3 files changed, 135 insertions(+)
create mode 100644 install/updates/20-default_password_policy.update
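--- /dev/null
+++ b/install/updates/20-default_password_policy.update
@@ -0,0 +1,133 @@
+# Default password policies for hosts, services and Kerberos services
+# Setting all attributes to zero effectively disables any password policy
+# We can do this because hosts and services uses keytabs instead of passwords
+
+# hosts
+dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Host Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# services
+dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# kerberos policy container
+# this is necessary to avoid mixing the Kerberos sevice password policy
+# with group-membership based user password policies
+dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Kerberos Service Password Policy
+
+# kerberos services
+dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Kerberos Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# default password policies for hosts, services and kerberos services
+# cosPriority is set intentionally to higher number than FreeIPA API allows
+# to set to ensure that these password policies have always lower priority
+# than any defined by user.
+
+# hosts
+dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
+
+dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
+default:description: Default Password Policy for Hosts
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
+
+# services
+dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
+
+dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
+default:description: Default Password Policy for Services
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
+
+# kerberos services
+dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+
+dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:description: Default Password Policy for Kerberos Services
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default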
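Review bot: The template value `cosPriority: 10000000000` (repeated for the host, service and Kerberos-service templates) does not fit in a 32-bit signed integer; if the 389-DS CoS plugin reads cosPriority into a C int, the value can wrap to a smaller or even negative number, and the default template could then outrank user-defined policies, the opposite of what the comment above it intends. Confirm how the plugin parses the attribute, or use the largest value known to be accepted, e.g. `default:cosPriority: 2147483647`. Two wording fixes in the header comments while here: `# We can do this because hosts and services use keytabs instead of passwords` and `# this is necessary to avoid mixing the Kerberos service password policy`.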
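--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -23,6 +23,7 @@ app_DATA = \
 20-winsync_index.update \
 20-idoverride_index.update \
 20-uuid.update \
+ 20-default_password_policy.update \
 21-replicas_container.update \
 21-ca_renewal_container.update \
 21-certstore_container.update \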
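--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -252,6 +252,7 @@ class Service(object):
 # There is no service in the wrong location, nothing to do.
 # This can happen when installing a replica
 return None
+ entry.pop('krbpwdpolicyreference', None) # don't copy virtual attr
 newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
 hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
 self.admin_conn.delete_entry(entry)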
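Review bot: The added `entry.pop('krbpwdpolicyreference', None)` only covers the one virtual attribute it names; any other CoS-provided attribute that presumably came back with `entry` would still be re-added at the new location as a real value, and since the new CoS definitions use the `default` qualifier, a real value wins and the moved service would silently stop following later changes to the default policy. A more robust shape is to strip the entry down to its real attributes (or re-fetch only the attributes you intend to move) before the add, or at least make the comment say why the pop matters: `# krbPwdPolicyReference is CoS-provided; copying it as a real value would override the default policy`. The enclosing method starts and ends outside the hunk.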
--
2.7.4