hi,
does anybody rotate host keytabs? Is it worth it security-wise?
Reading on how AD computer objects reset their password every 30 days ( https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-passwor...) got me thinking about the host keytabs ...
Any ideas about this?
-- Regards, natxo
Natxo Asenjo via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
> does anybody rotate host keytabs? Is it worth it security-wise?
Hi, krb5 maintainer here. Keytab rotation is ugly. I recommend not doing it if you can avoid it largely because one of two things will happen:
- All clients who have credentials against the old keytab will see messy, inexplicable authentication failures.
- If you try to get around that by keeping the old entry around in the keytab (i.e., multiple kvnos), you haven't actually accomplished anything.
So there's a serious trade-off between any security benefit that might accrue and the burden of cleaning up afterward.
Service keytabs (of which host keytabs are an instance) in freeIPA aren't tied to a user-supplied password. (Outside freeIPA, they usually aren't either.) Therefore, I don't see a vector in which rotating them is helpful, unless you're worried about the strength of the underlying cryptography (and if you're worried about AES-256, I'm not sure there's much anyone can do to help).
Thanks, --Robbie
I can see only one possible advantage. If someone becomes root and steals your keytab, regular rotation will limit how long the compromise lasts. Of course that assumes that you fix the problem that allowed them to become root in the first place.
You could add the new credential, keeping old and new, and then wait long enough before removing the old one that no one would still be using it. I haven’t tried that though.
On May 17, 2018, at 7:48 PM, Robbie Harwood via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Charles Hedrick hedrick@cs.rutgers.edu writes:
> I can see only one possible advantage. If someone becomes root and steals your keytab, regular rotation will limit how long the compromise lasts. Of course that assumes that you fix the problem that allowed them to become root in the first place.
And that they don't give themselves persistence on the system once they have root. Persistence is almost impossible to detect when one is actively looking for it - I would at the very least reinstall the entire OS from scratch on any compromised machine. Depending on threat model, it's worth considering an entirely new machine for baremetal compromise.
> You could add the new credential, keeping old and new, and then wait long enough before removing the old one that no one would still be using it. I haven’t tried that though.
It's still a bit tricky because you have to prune the keytab, but yes, it can be done. But again, I don't see a use case.
Thanks, --Robbie
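As an added example (not code from this thread, nor from FreeIPA or MIT krb5), the Python below reads and writes the MIT keytab file format (version 0x0502) and works out which entries a staged rotation of the kind Charles describes would leave behind, which is the pruning step Robbie refers to: keep the newest kvno for each principal, and only list older kvnos for removal once the new key has been in place for a grace window. It also reports how many kvnos a keytab holds per principal, the situation Robbie's second bullet points at. The principals, timestamps and key bytes are constructed dummies; `prune_plan` and its `keep_kvnos`/`min_age` parameters are this example's own assumptions, not options of any FreeIPA or krb5 tool.

```python
"""Reader/writer for the MIT Kerberos keytab format (version 0x0502) and a
helper that plans which old-kvno entries to prune after a staged rotation.
Added example for this thread; not FreeIPA or krb5 project code. Every
principal, timestamp and key byte below is a constructed dummy."""
import struct
from collections import defaultdict
from dataclasses import dataclass

AES256_CTS_HMAC_SHA1_96 = 18  # RFC 3962 enctype number
KRB5_NT_SRV_HST = 3           # name type used for host/service principals


@dataclass(frozen=True)
class KeytabEntry:
    principal: str   # e.g. "host/client.example.test@EXAMPLE.TEST"
    kvno: int
    enctype: int
    timestamp: int   # epoch seconds at which the entry was written
    key: bytes


def _counted(data: bytes) -> bytes:
    """uint16 length prefix followed by the bytes (v2 is big-endian)."""
    return struct.pack(">H", len(data)) + data


def _encode_entry(e: KeytabEntry) -> bytes:
    name, realm = e.principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", KRB5_NT_SRV_HST, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
    body += struct.pack(">I", e.kvno)  # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body  # int32 size, then the record


def write_keytab(entries) -> bytes:
    return b"\x05\x02" + b"".join(_encode_entry(e) for e in entries)


def read_keytab(blob: bytes):
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:               # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos); pos += 2
        strings = []
        for _ in range(ncomp + 1):  # realm first, then the name components
            (ln,) = struct.unpack_from(">H", blob, pos); pos += 2
            strings.append(blob[pos:pos + ln].decode()); pos += ln
        realm, comps = strings[0], strings[1:]
        _name_type, ts, vno8 = struct.unpack_from(">IIB", blob, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos); pos += 4
        key = blob[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:         # 32-bit kvno extension is present
            (vno32,) = struct.unpack_from(">I", blob, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, ts, key))
    return entries


def kvnos_per_principal(entries):
    """Sorted kvnos held per principal; more than one means old keys remain."""
    out = defaultdict(set)
    for e in entries:
        out[e.principal].add(e.kvno)
    return {p: sorted(v) for p, v in out.items()}


def prune_plan(entries, keep_kvnos=1, min_age=0, now=None):
    """Entries whose kvno is not among the newest `keep_kvnos` for their
    principal, but only once the newest key is at least `min_age` seconds
    old (the grace window in which clients may still hold old tickets)."""
    by_principal = defaultdict(list)
    for e in entries:
        by_principal[e.principal].append(e)
    stale = []
    for es in by_principal.values():
        kvnos = sorted({e.kvno for e in es}, reverse=True)
        keep = set(kvnos[:keep_kvnos])
        newest_written = max(e.timestamp for e in es if e.kvno == kvnos[0])
        if now is not None and now - newest_written < min_age:
            continue               # still inside the grace window: touch nothing
        stale.extend(e for e in es if e.kvno not in keep)
    return stale


SAMPLE = [  # constructed: an old kvno 3 host key plus a freshly rotated kvno 4
    KeytabEntry("host/client.example.test@EXAMPLE.TEST", 3, AES256_CTS_HMAC_SHA1_96, 1_526_600_000, bytes(range(32))),
    KeytabEntry("host/client.example.test@EXAMPLE.TEST", 4, AES256_CTS_HMAC_SHA1_96, 1_529_600_000, bytes(range(32, 64))),
    KeytabEntry("nfs/client.example.test@EXAMPLE.TEST", 2, AES256_CTS_HMAC_SHA1_96, 1_529_600_000, bytes(range(64, 96))),
]

if __name__ == "__main__":
    parsed = read_keytab(write_keytab(SAMPLE))
    print("kvnos held:", kvnos_per_principal(parsed))
    ten_days = 10 * 86400
    for e in prune_plan(parsed, min_age=ten_days, now=1_529_600_000 + ten_days):
        print("would remove:", e.principal, "kvno", e.kvno)
```

The new key itself still comes from the KDC with the usual tool (ipa-getkeytab on FreeIPA hosts), and the plan would be applied with a keytab editor such as ktutil; the grace window only does its job if it exceeds the realm's maximum ticket lifetime, so that no client is still presenting service tickets issued under the old kvno when that entry disappears.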
Sure. We’re not actually doing this.
On Jun 22, 2018, at 11:38 AM, Robbie Harwood rharwood@redhat.com wrote: