Added initial version of a Kerberos plugin #1456
Looks like a good start. The only "thing" is that this would be better to be placed in a category. I guess this could be Authentication or if you feel like it will be a good amount of tests, then we could introduce a new one "Kerberos". Rationale to move it: these tests do more than just collect information (main purpose of plugins), and may actually provide suggestions/warnings. For that reason it is better to make it part of the core, instead of a plugin.
Ok. I'll do that then. Surely this is related to authentication, but maybe it would be good to place it into its own Kerberos category. Or what do you think?
Makes sense.
I would say, let's create a new section 🚀 So my suggestions for the steps:
If possible, it would be good for the layout to first detect if Kerberos is there at all. If not, then let's at least show one line so that the section does not remain empty on the screen. If there is no Kerberos at all, then all remaining tests can be silent if they are skipped. Keeps the screen as clean as possible, unless there is actually something useful to share.
* Check that admin principals have disallow_tgt_based attribute
* Check that regular user principals have requires_pre_auth and disallow_svr attributes
* Check for weak crypto
* Use kdb5_util for this
According to @mboelen's recommendations: CISOfy#1456 (comment)
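As an added example (not code from this PR or from Lynis) of the steps discussed above: first detect whether Kerberos tooling is installed at all, then check principal attributes and key encryption types from `kadmin.local -q "getprinc NAME"` output. The two principal dumps are constructed samples that mimic MIT Kerberos kadmin output, and the function names are my own.

```shell
#!/bin/sh
# Added example, not Lynis code. Assumes MIT Kerberos kadmin "getprinc" output
# (Attributes: line with upper-case flags, one "Key: vno N, enctype" line per key).

# Step 1: is Kerberos present at all? 0 if a KDB tool is installed, else 1,
# so the section can print a single line and keep the remaining tests silent.
kerberos_present() {
    command -v kdb5_util >/dev/null 2>&1 || command -v kadmin.local >/dev/null 2>&1
}

# Constructed sample: admin principal lacking DISALLOW_TGT_BASED, with an RC4 key.
SAMPLE_ADMIN='Principal: admin/admin@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, arcfour-hmac'

# Constructed sample: regular user carrying both recommended attributes.
SAMPLE_USER='Principal: alice@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Number of keys: 1
Key: vno 3, aes256-cts-hmac-sha1-96'

# has_attr OUTPUT FLAG: 0 if the Attributes: line lists FLAG (any case), else 1.
has_attr() {
    want=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    printf '%s\n' "$1" | awk -v want="$want" '
        /^Attributes:/ { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# weak_enctypes OUTPUT: print every Key: line whose enctype is DES, 3DES or RC4.
weak_enctypes() {
    printf '%s\n' "$1" | awk '/^Key:/ && $NF ~ /^(des|des3|arcfour|rc4)(-|:|$)/'
}

# audit_principal OUTPUT FLAG...: one SUGGESTION per missing flag, one WARNING
# if weak keys exist; returns 1 when anything was flagged, 0 when clean.
audit_principal() {
    out=$1; shift; rc=0
    name=$(printf '%s\n' "$out" | awk '/^Principal:/ { print $2 }')
    for flag in "$@"; do
        has_attr "$out" "$flag" || { echo "SUGGESTION: $name lacks $flag"; rc=1; }
    done
    weak=$(weak_enctypes "$out")
    [ -z "$weak" ] || { echo "WARNING: $name has weak key enctype(s):"; echo "$weak"; rc=1; }
    return $rc
}

if kerberos_present; then echo "Kerberos tooling found"; else echo "No Kerberos found (tests skipped)"; fi
audit_principal "$SAMPLE_ADMIN" DISALLOW_TGT_BASED || echo "-> admin principal needs attention"
audit_principal "$SAMPLE_USER" REQUIRES_PRE_AUTH DISALLOW_SVR && echo "-> user principal is clean"
```

On a real KDB the `kerberos_present` check decides whether to run at all, and `SAMPLE_*` would be replaced by the output of `kadmin.local -q "getprinc NAME"` for each principal listed by `kadmin.local -q listprincs`.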
Merged!
I have updated the language files so they are aware of the translation variable as well. The section needs a few minor adjustments, as it now shows output even though I have no Kerberos on my test system. Will see what I can do tomorrow to improve the output.
As it says in the title, this is only an initial version. I wanted to open this PR to also open the discussion on the Kerberos hardening topic.
All the feedback is very welcome.
I'm planning on extending this and adding tests for at least:
- Checking krb5.conf (clients) and kdc.conf (KDC) for hardened settings
- Checking for keys with weak encryption types