URL: https://github.com/freeipa/freeipa/pull/4061
Author: RichardKalinec
Title: #4061: doc/designs: Add a design page for application-specific passwords
Action: opened
PR body:
"""
This design page describes a new enhancement: application-specific
passwords and permissions management for them. Users will be able to
have additional passwords besides the primary one, and set permissions
for them specifying what systems and services will each
application-specific password have access to. Application-specific
passwords will also be usable with other authentication mechanisms
incorporating passwords, namely otp, radius and hardened. They will
also be supported by ipa-kdb for Kerberos authentication.
https://pagure.io/freeipa/issue/4510
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4061/head:pr4061
git checkout pr4061
URL: https://github.com/freeipa/freeipa/pull/3275
Author: marcus2376
Title: #3275: Issue 7975 - Accept 389-ds JSON replication status messages
Action: opened
PR body:
"""
Description:
389-ds now stores a replication agreement status message in a JSON string in a new attribute:
replicaLastInitStatusJSON
replicaLastUpdateStatusJSON
The original status attributes' values are not changing at this time, but there are plans to do so eventually as the old status format is confusing.
http://www.port389.org/docs/389ds/design/repl-agmt-status-design.html
https://pagure.io/freeipa/issue/7975
Reviewed by: ?
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3275/head:pr3275
git checkout pr3275
URL: https://github.com/freeipa/freeipa/pull/3774
Author: stanislavlevin
Title: #3774: [DNSSEC] WIP Allow using of a custom OpenSSL engine for BIND
Action: opened
PR body:
"""
For now Debian, Fedora, RHEL, etc. build BIND with 'native PKCS11'
support. Till recently, that was the strict requirement of DNSSEC.
The problem is that this restricts cross-platform features of FreeIPA.
With the help of libp11, which provides a `pkcs11` engine plugin for
the OpenSSL library for accessing PKCS11 modules in a semi-transparent
way, FreeIPA could utilize the OpenSSL version of BIND.
BIND in turn provides the ability to specify the OpenSSL engine on the
command line of `named` and all the BIND `dnssec-*` tools by using
the `-E engine_name` option.
Currently, this PR implements just an abstract ability.
Actual configuration and test results can be seen in my fork's Azure Pipelines:
https://dev.azure.com/slev0400/slev/_build/results?buildId=627&view=logs&j=…
Related: https://pagure.io/freeipa/issue/8094
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3774/head:pr3774
git checkout pr3774
URL: https://github.com/freeipa/freeipa/pull/3544
Author: mulatinho
Title: #3544: [WIP] ipa-join: allowing call with jsonrpc into freeipa API
Action: opened
PR body:
"""
- Adding JSON-C and LibCURL library into configure.ac and Makefile.am
- Creating an API call with option '-j' or '--jsonrpc' to make a host join on FreeIPA with JSONRPC and libCURL.
TODO: unenroll process with JSONRPC.
To test the call:
# kinit admin
# ipa-join -s server.freeipa.ipadomain -j
Debug:
# ipa-join -s server.freeipa.ipadomain -j -d
Related: https://pagure.io/freeipa/issue/7966
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3544/head:pr3544
git checkout pr3544
Hello!
The FreeIPA team would like to announce FreeIPA 4.6.9 release!
It can be downloaded from http://www.freeipa.org/page/Downloads.
== Highlights in 4.6.9 ==
* CVE-2020-10747
It was found that if an account with a name corresponding to an account
local to a system, such as 'root', was created via IPA, such an account could
access any enrolled machine with that identity and the local system
privileges. This also bypasses the absence of explicit HBAC rules.
Since the account can only be created by user administrators in FreeIPA,
several changes were done to tighten permissions and prevent creation of a 'root'
identity by mistake.
root principal alias
-------------------
The principal "root@REALM" is now a Kerberos principal alias for "admin". This
prevents users with the "User Administrator" role or "System: Add User" privilege
from creating an account with the "root" principal name.
Modified user permissions
-------------------------
Several user permissions no longer apply to admin users and filter on the
posixAccount object class. This prevents user managers from modifying admin
accounts:
- System: Manage User Certificates
- System: Manage User Principals
- System: Manage User SSH Public Keys
- System: Modify Users
- System: Remove Users
- System: Unlock user
``System: Unlock User`` permission is now restricted because the permission
also allows a user manager to lock an admin account.
``System: Modify Users`` is restricted to prevent user managers from changing
login shell or notification channels (mail, mobile) of admin accounts.
New user permission
-------------------
- System: Change Admin User password
This new permission allows manipulation of admin user password fields. By
default only the ``PassSync Service`` privilege is allowed to modify admin user
password fields.
Modified group permissions
--------------------------
Group permissions are now restricted as well. Group admins can no longer modify
the admins group and are limited to groups with object class ``ipausergroup``.
- System: Modify Groups
- System: Remove Groups
The permission ``System: Modify Group Membership`` was already limited.
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahos…)
or #freeipa channel on Freenode.
== Resolved tickets ==
* [https://pagure.io/freeipa/issue/8326 #8326] CVE-2020-10747
== Detailed changelog since 4.6.8 ==
=== Alexander Bokovoy (1) ===
* Become FreeIPA 4.6.9 [https://pagure.io/freeipa/c/4f1f8754742d55263a7da89575c5d94b5ea4c7e3 commit]
=== Christian Heimes (1) ===
* Prevent local account takeover [https://pagure.io/freeipa/c/316ac7cd62ac130f88b374c1f9f47b41806187c1 commit] [https://pagure.io/freeipa/issue/8326 #8326]
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
Hello!
The FreeIPA team would like to announce FreeIPA 4.8.8 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora distributions will be available from the official repository soon.
== Highlights in 4.8.8 ==
* CVE-2020-10747
It was found that if an account with a name corresponding to an account
local to a system, such as 'root', was created via IPA, such an account could
access any enrolled machine with that identity and the local system
privileges. This also bypasses the absence of explicit HBAC rules.
Since the account can only be created by user administrators in FreeIPA,
several changes were done to tighten permissions and prevent creation of a 'root'
identity by mistake.
root principal alias
-------------------
The principal "root@REALM" is now a Kerberos principal alias for "admin". This
prevents users with the "User Administrator" role or "System: Add User" privilege
from creating an account with the "root" principal name.
Modified user permissions
-------------------------
Several user permissions no longer apply to admin users and filter on the
posixAccount object class. This prevents user managers from modifying admin
accounts:
- System: Manage User Certificates
- System: Manage User Principals
- System: Manage User SSH Public Keys
- System: Modify Users
- System: Remove Users
- System: Unlock user
``System: Unlock User`` permission is now restricted because the permission
also allows a user manager to lock an admin account.
``System: Modify Users`` is restricted to prevent user managers from changing
login shell or notification channels (mail, mobile) of admin accounts.
New user permission
-------------------
- System: Change Admin User password
This new permission allows manipulation of admin user password fields. By
default only the ``PassSync Service`` privilege is allowed to modify admin user
password fields.
Modified group permissions
--------------------------
Group permissions are now restricted as well. Group admins can no longer modify
the admins group and are limited to groups with object class ``ipausergroup``.
- System: Modify Groups
- System: Remove Groups
The permission ``System: Modify Group Membership`` was already limited.
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahos…)
or #freeipa channel on Freenode.
== Resolved tickets ==
* [https://pagure.io/freeipa/issue/8326 #8326] CVE-2020-10747
== Detailed changelog since 4.8.7 ==
=== Alexander Bokovoy (1) ===
* Become FreeIPA 4.8.8 [https://pagure.io/freeipa/c/86ab7590779b9e25c6a52cf5a785925103d9ee8a commit]
=== Christian Heimes (1) ===
* Prevent local account takeover [https://pagure.io/freeipa/c/65c2736bd20ffb9d98769e71d905f71d1a4d857e commit] [https://pagure.io/freeipa/issue/8326 #8326]
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
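As an added example (not from either release announcement above nor from the FreeIPA project), a small Python audit that performs the two checks a defender would want after reading the CVE-2020-10747 notes: whether any IPA user name collides with an account in an enrolled host's /etc/passwd, and whether the admin entry now carries the root@REALM alias. The passwd excerpt and the user-find style output are constructed; using `ipa user-find --all --raw` as the real source of such output is an assumption.

```python
# Added example (not FreeIPA project code): flag IPA users whose names collide
# with local system accounts (the CVE-2020-10747 condition) and check that
# "root@REALM" is an alias of the admin principal. All data is constructed.

# Constructed /etc/passwd excerpt from an enrolled host.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed output in the style of `ipa user-find --all --raw` (assumed),
# reduced to the attributes this audit needs.
IPA_USERS_RAW = """\
  uid: admin
  krbprincipalname: admin@EXAMPLE.TEST
  krbprincipalname: root@EXAMPLE.TEST

  uid: postgres
  krbprincipalname: postgres@EXAMPLE.TEST

  uid: bob
  krbprincipalname: bob@EXAMPLE.TEST
"""

def local_account_names(passwd_text):
    """Login names defined in a passwd(5) file (first colon-separated field)."""
    return {ln.split(":")[0] for ln in passwd_text.splitlines() if ln.strip()}

def parse_raw_entries(raw):
    """Split blank-line separated 'attr: value' blocks into dicts of lists."""
    entries, cur = [], {}
    for ln in raw.splitlines():
        ln = ln.strip()
        if not ln:            # blank line ends the current entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = ln.partition(":")
        cur.setdefault(attr.lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def colliding_users(entries, local_names):
    """IPA uids that also exist as local accounts on the host."""
    return sorted(e["uid"][0] for e in entries if e["uid"][0] in local_names)

def admin_has_root_alias(entries, realm):
    """True when root@REALM is a principal alias of the admin entry."""
    admin = next((e for e in entries if e.get("uid") == ["admin"]), None)
    return bool(admin) and f"root@{realm}" in admin.get("krbprincipalname", [])
```

Any uid reported by `colliding_users` is worth reviewing against the HBAC rules of the hosts where that local account exists, since the release notes describe exactly that overlap as the takeover path.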
URL: https://github.com/freeipa/freeipa/pull/4807
Author: flo-renaud
Title: #4807: [Backport][ipa-4-8] ipatests: fix the disable_dnssec_validation method
Action: opened
PR body:
"""
This PR was opened automatically because PR #4800 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4807/head:pr4807
git checkout pr4807
URL: https://github.com/freeipa/freeipa/pull/4808
Author: tiran
Title: #4808: Move ipa-epn systemd files and run RPM hooks
Action: opened
PR body:
"""
The init/systemd directory is for server only and not part of
CLIENT_ONLY builds.
It's necessary to run pre/post installation hooks to make systemd aware
of new files.
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4808/head:pr4808
git checkout pr4808