*** This bug is a duplicate of bug 1772447 ***
    https://bugs.launchpad.net/bugs/1772447

keestux <kees.bak...@xs4all.nl> writes:

> That anonymous PKINIT is required right now to enable two-factor
> authentication login to web UI because since FreeIPA 4.5 we cannot use
> HTTP service keytab anymore: FreeIPA framework lost access to the keytab
> due to privilege separation work we did (read
> https://vda.li/en/docs/freeipa-debug-privsep/ for details)

> Since your KDC PKINIT certificate might be issued by a local self-signed
> certmonger 'CA' in case you are not using integrated FreeIPA CA, we have
> to be able to trust *that* public KDC certificate when running 'kinit
> -n', thus we need access to it. "

> He also suggested that this should be changed in Ubuntu. If the directory
> /var/lib/krb5kdc becomes readable (perhaps chmod 711) then it would solve
> this issue.

It seems rather ironic that privilege separation leads to a request to
grant FreeIPA access to (admittedly only the directory of) the single most
sensitive and security-critical component of the entire Kerberos
infrastructure.

I think there should be some other way of solving this.  The public KDC
certificate is, well, public, so maybe don't put it in /var/lib/krb5kdc,
which is not?  (I always put mine in /etc/krb5kdc.)

-- 
Russ Allbery (r...@debian.org)               <http://www.eyrie.org/~eagle/>
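
An added shell check (not code from the bug report, Debian or FreeIPA) that audits the layout argued for above: the KDC state directory stays private while the public PKINIT anchor lives outside it and is readable by the unprivileged framework. Paths are passed as arguments; the `ls -ld` mode column layout is assumed.

```shell
#!/bin/sh
# Added example (not code from the bug report, Debian or FreeIPA).
# Audits the layout argued for in the reply above: the KDC state
# directory stays private (0700) while the public PKINIT anchor lives
# elsewhere. Assumption: `ls -ld` prints the mode in its first 10 columns.

# Permission bits granted to "others" (columns 8-10 of ls -ld), e.g. "---".
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# audit_kdc_dir KDC_DIR ANCHOR_FILE
# Prints one WARN line per finding; returns 0 only when there are none.
audit_kdc_dir() {
    dir=$1 anchor=$2 rc=0
    if [ "$(other_bits "$dir")" != "---" ]; then
        echo "WARN: $dir is accessible to other users (expected mode 0700)"
        rc=1
        # A 711 directory lets any local user open a file inside by name,
        # so every file must then carry its own protection.
        for f in "$dir"/*; do
            [ -e "$f" ] || continue
            case $(other_bits "$f") in
                ---) ;;
                *) echo "WARN: $f is accessible to other users inside an open KDC dir"; rc=1 ;;
            esac
        done
    fi
    case $anchor in
        "$dir"/*)
            echo "WARN: anchor $anchor sits in the private KDC dir; move it (e.g. /etc/krb5kdc)"
            rc=1 ;;
    esac
    # The anchor is public by nature: the unprivileged framework must read it.
    case $(other_bits "$anchor") in
        r*) ;;
        *) echo "WARN: anchor $anchor is not world-readable"; rc=1 ;;
    esac
    return $rc
}
```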

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1791325

Title:
  freeipa server needs read access /var/lib/krb5kdc

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1791325/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs