Security
FreeIPA: centralized identity management for Linux
It is well understood that centralized management of user identity information offers numerous benefits for networks of almost any size, but Linux has traditionally lacked an "out of the box" solution in this area. This article will examine the FreeIPA system, which is meant to provide that solution using well-established free software components.

A workable solution for the problem of central identity management (IdM) necessarily consists of integrated components and interfaces to store and manage authentication, identity, and policy information, as well as allowing delegation of various tasks to different stakeholders as appropriate. And in today's cloudy atmosphere, a plain user identity and authentication management solution would fall flat without addressing, among others, the needs of secure computer-to-computer and service-to-service communications.
While in the Windows world our cousins have long enjoyed a coherent solution in the form of Active Directory (AD) to tackle these issues, no such integrated, free solution has been available for Linux. From a technical perspective it has been possible to set up a centralized IdM server on Linux by configuring multiple services and components individually. However, a comparison between the deployment of standards like LDAP and Kerberos for IdM on Linux and Windows is illustrative: both are ubiquitous in the Windows world while still far from the norm in the Linux world. If we reject the idea that this disparity is due to the superior skills of Windows administrators compared to their Linux counterparts, the most convincing explanation must be the lack of proper tools on Linux. And quite often what is hard to deploy is hard to manage; in other words, the real question is not whether something can be done (it can) but whether it can be effectively and reliably maintained (it depends).
Enter FreeIPA
FreeIPA (Free Identity, Policy, and Audit) builds on existing components and services to create a coherent and easy-to-deploy identity management system.
Manually configuring services such as certificate management, DNS, LDAP and Kerberos on a Linux server (which represent only a subset of FreeIPA functionality) would be a significant task even for a skilled administrator, especially considering that, in the case of IdM, securing and tuning the services according to best practices is a necessity. And the follow-up task of making all this work fault tolerant does not exactly sound like a pleasure cruise either. However, with FreeIPA all this can be achieved in a matter of minutes by answering a few simple questions (such as domain name or administrator passwords) asked by the ipa-server-install tool, which will then configure, secure, and integrate all the needed IdM components and services.
In addition to this server configuration capability, FreeIPA provides a web UI and a unified command-line tool which can be used to manage data and services. For FreeIPA clients, a configuration tool, called ipa-client-install, is provided which will enroll a Linux system into the IPA domain and enable services like SSSD (although using traditional client-side components to a certain extent is also possible) with the needed certificates and Kerberos keys to enable secure client-to-server communications.
Features and use cases
FreeIPA does not try to reinvent the wheel when providing IdM features; instead it adds integration and functionality between production-hardened services like MIT Kerberos, 389 LDAP Directory, Certificate System, Apache, BIND DNS, NTPD, and certain Samba components.
The use of Kerberos for authentication and LDAP for account and information management should be unsurprising; these standards are very widely established so it makes perfect sense to put them at the heart of FreeIPA. While the standards themselves are in wide use already, details often differ when deployment is done manually by different administrators. This is where FreeIPA comes to the rescue by providing predefined configurations, freeing up administrators to concentrate on higher-level aspects of IdM and also providing consistency across deployments. Together with SSSD, IPA also easily allows using LDAP for host-based authentication control (HBAC), SSH host key management, and sudo rules. Using Kerberos authentication with services like Apache, CIFS file shares, and SSH allows single sign-on (SSO) for users and provides strong security in the form of mutual authentication.
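The HBAC model just mentioned, as an added example (not FreeIPA's or SSSD's own code): rules are evaluated the way `ipa hbactest` reports them, where an enabled rule grants access only when its user, host and service parts all cover the request, and any single matching rule is enough since HBAC has no deny rules. The users, groups, hostgroups, hostnames and rule names below are constructed sample data.

```python
from dataclasses import dataclass, field

ALL = "all"  # FreeIPA's usercategory/hostcategory/servicecategory = all


@dataclass
class HbacRule:
    """One FreeIPA HBAC rule: a user part, a host part and a service part."""
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    services: set = field(default_factory=set)
    usercategory: str = ""
    hostcategory: str = ""
    servicecategory: str = ""


# Constructed directory data: user -> groups, host -> hostgroups (assumed names).
USER_GROUPS = {"alice": {"admins", "dbas"}, "bob": {"developers"}}
HOST_GROUPS = {"db1.example.test": {"dbservers"}, "web1.example.test": {"webservers"}}


def rule_matches(rule, user, host, service):
    """An enabled rule grants access only if all three parts cover the request."""
    if not rule.enabled:
        return False
    user_ok = (rule.usercategory == ALL or user in rule.users
               or USER_GROUPS.get(user, set()) & rule.groups)
    host_ok = (rule.hostcategory == ALL or host in rule.hosts
               or HOST_GROUPS.get(host, set()) & rule.hostgroups)
    svc_ok = rule.servicecategory == ALL or service in rule.services
    return bool(user_ok and host_ok and svc_ok)


def hbac_test(rules, user, host, service):
    """Like `ipa hbactest`: names of rules that grant access; [] means denied."""
    return [r.name for r in rules if rule_matches(r, user, host, service)]


# Constructed rule set: the default allow_all rule disabled, least privilege instead.
RULES = [
    HbacRule("allow_all", enabled=False,
             usercategory=ALL, hostcategory=ALL, servicecategory=ALL),
    HbacRule("dba_ssh_db", groups={"dbas"}, hostgroups={"dbservers"},
             services={"sshd"}),
    HbacRule("admins_everywhere", groups={"admins"},
             hostcategory=ALL, servicecategory=ALL),
    HbacRule("dev_sudo_web", groups={"developers"}, hostgroups={"webservers"},
             services={"sudo", "sshd"}),
]

if __name__ == "__main__":
    for req in [("alice", "db1.example.test", "sshd"),
                ("bob", "db1.example.test", "sshd"),
                ("bob", "web1.example.test", "sudo")]:
        print(req, "->", hbac_test(RULES, *req) or "DENIED")
```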
On the IPA server side, the Dogtag Certificate System is used to manage certificates, including certificate issuance and revocation. On the client side, certmonger can be used to track and renew client certificates. With these two components as part of a FreeIPA deployment, certificate management becomes a lot easier than running homemade scripts and manually transferring the certificate files around, usually in haste after getting complaints that a certificate has expired and is blocking a production system. This should also make users, at least in an ideal world, less likely to blindly ignore certificate-related warnings once they become a very rare occurrence. With certificates and Kerberos principals for servers and services in place, FreeIPA enables reliable service-to-service and computer-to-computer communications.
DNS integration can be used as an example of how administrators are provided with flexibility when deploying FreeIPA. BIND, configured with the bind-dyndb-ldap plugin, can, optionally, be set up as the domain DNS during deployment, but whether it makes sense to use it for controlling a delegated DNS domain or to take control of the entire DNS infrastructure depends on the environment. The FreeIPA-managed DNS setup automatically provides SRV records for autodiscovery, and IPA clients can also be configured to update their current IP addresses using GSS-TSIG-secured DNS updates.
In addition to integrating components on a FreeIPA server, with the recently released FreeIPA version 3 it is now also possible to integrate FreeIPA itself with an existing Active Directory-based IdM infrastructure by using the new IPA-AD trust feature. This means that once a trust between FreeIPA and AD domains has been established by administrators, users from the trusted AD domain are allowed SSO- and password-based access to services in the FreeIPA domain. And this of course works the other way around: FreeIPA users are able to access services in the Windows domain with their Kerberos credentials obtained from the FreeIPA domain. At this point the platform of any given service becomes irrelevant for users as any service is seamlessly accessible, lowering the barriers of Linux and Windows integration considerably.
Another notable benefit is that administrators will be able to enroll their Linux systems into their FreeIPA domain instead of joining them directly to Microsoft AD — something that is known to cause slight organizational challenges every now and then. Naturally, though, operating system specific characteristics provided by FreeIPA and AD, such as SELinux policies and Windows group policies (GPOs), are only applicable to the respective client systems.
Using FreeIPA
After the initial installation, it is possible to use both the web UI and command-line interface for administration. An experienced administrator might prefer using the command-line approach but the browser-based web UI makes delegating certain tasks — such as user and group creation and management — to less seasoned operators feasible. Both interfaces utilize the same internal framework so, apart from a few seldom-used tasks provided only by the command-line interface, both interfaces can be used to achieve the same results.
Depending on a single server for IdM in an entire organization would of course be asking for serious trouble. Although the offline caching features provided by SSSD mitigate this risk, the ipa-replica-install command can be used to easily set up IdM server replicas as appropriate in a given environment. The replication topology can also be adjusted later to allow for optimized configurations when multiple geographical locations are involved.
Although the full benefits of FreeIPA are available only when using SSSD on clients, tools are available to make migration from existing solutions like NIS easier. A plugin is available that serves data over the NIS protocol from the LDAP database, as is a compatibility plugin that provides the same LDAP data using the older RFC2307 schema for those older LDAP clients that can't use the RFC2307bis extensions. The same plugin also provides netgroup maps built from the internal grouping model available in FreeIPA. So the rather typical use case of NIS to manage users, netgroups, and automounter maps can be migrated to FreeIPA-controlled domains on a system-by-system basis as feasible.
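An added example (not the compat plugin's own code) of the schema translation described above: FreeIPA group membership stored RFC2307bis-style as member DNs is flattened to RFC2307 memberUid values, and an IPA netgroup's memberUser/memberHost entries become NIS netgroup triples, with nested groups and hostgroups resolved to their leaf members. The base DN and all entries are constructed sample data; the `(-,user,domain)` and `(host,-,domain)` forms are the standard NIS triples for user-only and host-only members.

```python
BASE = "dc=example,dc=test"  # constructed IPA base DN


def rdn_value(dn):
    """'uid=alice,cn=users,...' -> 'alice' (value of the first RDN)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def expand_members(dn, entries, seen=None):
    """Resolve a member DN to leaf user/host DNs, following nested groups."""
    seen = set() if seen is None else seen
    if dn in seen:  # guard against membership cycles
        return []
    seen.add(dn)
    entry = entries.get(dn)
    if entry is None or "member" not in entry:
        return [dn]  # a user, a host, or a group without members
    leaves = []
    for member in entry["member"]:
        leaves.extend(expand_members(member, entries, seen))
    return leaves


def to_rfc2307_group(group_dn, entries):
    """RFC2307bis group (member: DN) -> RFC2307 posixGroup with memberUid."""
    group = entries[group_dn]
    uids = sorted(rdn_value(d) for d in expand_members(group_dn, entries)
                  if d.startswith("uid="))
    return {"cn": group["cn"], "gidNumber": group["gidNumber"],
            "objectClass": ["posixGroup"], "memberUid": uids}


def to_nis_netgroup(ng_dn, entries):
    """IPA netgroup (memberUser/memberHost) -> NIS nisNetgroupTriple values."""
    ng = entries[ng_dn]
    domain = ng.get("nisDomainName", "")
    triples = []
    for d in ng.get("memberUser", []):
        for leaf in expand_members(d, entries):
            triples.append(f"(-,{rdn_value(leaf)},{domain})")
    for d in ng.get("memberHost", []):
        for leaf in expand_members(d, entries):
            triples.append(f"({rdn_value(leaf)},-,{domain})")
    return {"cn": ng["cn"], "nisNetgroupTriple": sorted(triples)}


# Constructed directory snapshot (DN -> attributes) using IPA-style containers.
ENTRIES = {
    f"cn=dbas,cn=groups,cn=accounts,{BASE}": {
        "cn": "dbas", "gidNumber": "10001",
        "member": [f"uid=alice,cn=users,cn=accounts,{BASE}",
                   f"cn=oncall,cn=groups,cn=accounts,{BASE}"]},
    f"cn=oncall,cn=groups,cn=accounts,{BASE}": {
        "cn": "oncall", "gidNumber": "10002",
        "member": [f"uid=bob,cn=users,cn=accounts,{BASE}"]},
    f"cn=dbservers,cn=hostgroups,cn=accounts,{BASE}": {
        "cn": "dbservers",
        "member": [f"fqdn=db1.example.test,cn=computers,cn=accounts,{BASE}"]},
    f"cn=dba_hosts,cn=ng,cn=alt,{BASE}": {
        "cn": "dba_hosts", "nisDomainName": "example.test",
        "memberUser": [f"cn=dbas,cn=groups,cn=accounts,{BASE}"],
        "memberHost": [f"cn=dbservers,cn=hostgroups,cn=accounts,{BASE}"]},
}

if __name__ == "__main__":
    print(to_rfc2307_group(f"cn=dbas,cn=groups,cn=accounts,{BASE}", ENTRIES))
    print(to_nis_netgroup(f"cn=dba_hosts,cn=ng,cn=alt,{BASE}", ENTRIES))
```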
Conclusions and Future
FreeIPA offers an integrated solution built on proven components for centralized identity management. It provides a wide range of features and also allows for Windows domain integration in mixed environments. The approach taken by FreeIPA — integrating existing, proven components and greatly facilitating setup and management — makes FreeIPA an appealing IdM solution for small and larger on-site and cloud-based environments alike. The full server and client packaging is already available for distributions like Fedora and included in RHEL 6. Client packages are available in varying states of maturity for Ubuntu, Debian, and Arch Linux, with the server side expected to follow a bit later.
What the future holds for FreeIPA is, of course, open to user needs and community feedback. The 'A' part (audit) of IPA is currently not being actively worked on but it might be another case of integrating a proven component into FreeIPA. Other notable areas of future work include, for example, DHCP integration and support for two-factor authentication with one-time passwords, smart cards, and user certificates.
Compared to the manual configuration approach of a large number of individual components FreeIPA already offers many benefits for administrators and users. As the scale of computing environments keeps growing, the need for a centralized IdM solution is getting more and more important and FreeIPA is being actively developed to allow Linux administrators to scale with their ever-increasing responsibilities.
Brief items
Quotes of the week
Policymakers should be taking a serious look at this market and thinking about its implications. Do we want to foster an atmosphere where researchers turn away from disclosure, and vulnerability information is withheld from those who can fix problems? Do we want to increase incentives for finding vulnerabilities that won’t be fixed? Do we think we can keep this market from connecting bad guys with the information they want to exploit?
And, starting tonight, trying to connect brings me a message: "Your account has been disabled."
An Evaluation of the Application ("App") Verification Service in Android 4.2
NCSU Professor Xuxian Jiang has posted an assessment of the application verification service featured in the Android 4.2 release. "However, based on our evaluation results, we feel this service is still nascent and there exists room for improvement. Specifically, our study indicates that the app verification service mainly uses an app's SHA1 value and the package name to determine whether it is dangerous or potentially dangerous. This mechanism is fragile and can be easily bypassed. It is already known that attackers can change with ease the checksums of existing malware (e.g., by repackaging or mutating it)."
New vulnerabilities
bind9: denial of service
| Package(s): | bind9 | CVE #(s): | CVE-2012-5688 |
| Created: | December 6, 2012 | Updated: | December 31, 2012 |
| Description: | From the Ubuntu advisory: It was discovered that Bind incorrectly handled certain crafted queries when DNS64 was enabled. A remote attacker could use this flaw to cause Bind to crash, resulting in a denial of service. |
bogofilter: code execution
| Package(s): | bogofilter | CVE #(s): | CVE-2012-5468 |
| Created: | December 12, 2012 | Updated: | April 9, 2013 |
| Description: | From the Debian advisory: A heap-based buffer overflow was discovered in bogofilter, a software package for classifying mail messages as spam or non-spam. Crafted mail messages with invalid base64 data could lead to heap corruption and, potentially, arbitrary code execution. |
chromium: multiple vulnerabilities
| Package(s): | Chromium | CVE #(s): | CVE-2012-5130 CVE-2012-5131 CVE-2012-5132 CVE-2012-5133 CVE-2012-5134 CVE-2012-5135 CVE-2012-5136 CVE-2012-5137 CVE-2012-5138 |
| Created: | December 12, 2012 | Updated: | December 12, 2012 |
| Description: | From the openSUSE advisory: Chromium was updated to 25.0.1343 * Security Fixes (bnc#791234 and bnc#792154): |
cups: privilege escalation
| Package(s): | cups, cupsys | CVE #(s): | CVE-2012-5519 |
| Created: | December 6, 2012 | Updated: | April 7, 2014 |
| Description: | From the Ubuntu advisory: It was discovered that users in the lpadmin group could modify certain CUPS configuration options to escalate privileges. An attacker could use this to potentially gain root privileges. |
gimp: code execution
| Package(s): | gimp | CVE #(s): | CVE-2012-5576 |
| Created: | December 7, 2012 | Updated: | December 4, 2013 |
| Description: | From the Ubuntu advisory: It was discovered that GIMP incorrectly handled malformed XWD files. If a user were tricked into opening a specially crafted XWD file, an attacker could cause GIMP to crash, or possibly execute arbitrary code with the user's privileges. |
gnome-system-log: privilege escalation
| Package(s): | gnome-system-log | CVE #(s): | CVE-2012-5535 |
| Created: | December 10, 2012 | Updated: | December 12, 2012 |
| Description: | From the Red Hat bugzilla: gnome-system-log-3.6.0-1.fc18 is set up so that $ gnome-system-log executes "logview" as root through pkexec, only asking for the invoking user's password (because the org.gnome.logview.config.date.pkexec.run (sic) action has default policy auth_self_keep). Running an X11 application as root in a session of a completely unprivileged user is risky enough in itself; however logview also allows (via the "wheel" button/Open) opening any file on the system, including /etc/shadow. This is at least a confidentiality violation; reading various authentication cookies or ssh private keys might even allow this to be amplified into a privilege escalation. |
horde4-imp: cross-site scripting
| Package(s): | horde4-imp | CVE #(s): | CVE-2012-5565 |
| Created: | December 7, 2012 | Updated: | December 12, 2012 |
| Description: | From the openSUSE advisory: This version update to version 5.0.24 addresses CVE-2012-5565 (bnc#791179) to fix XSS vulnerabilities on the compose page (traditional view), the contacts popup window, and with certain IMAP mailbox names. |
horde4-kronolith: cross-site scripting
| Package(s): | horde4-kronolith | CVE #(s): | CVE-2012-5566 CVE-2012-5567 |
| Created: | December 7, 2012 | Updated: | January 23, 2013 |
| Description: | From the openSUSE advisory: This version update to version 3.0.18 addresses bnc#791184: Two sets (3.0.17 and 3.0.18) of XSS flaws. |
kernel: firewall bypass
| Package(s): | kernel | CVE #(s): | CVE-2012-4444 |
| Created: | December 11, 2012 | Updated: | June 5, 2013 |
| Description: | From the Ubuntu advisory: Zhang Zuotao discovered a bug in the Linux kernel's handling of overlapping fragments in ipv6. A remote attacker could exploit this flaw to bypass firewalls and initiate new network connections that should have been blocked by the firewall. |
libtiff: code execution
| Package(s): | tiff | CVE #(s): | CVE-2012-5581 |
| Created: | December 6, 2012 | Updated: | December 31, 2012 |
| Description: | From the Ubuntu advisory: It was discovered that LibTIFF incorrectly handled certain malformed images using the DOTRANGE tag. If a user or automated system were tricked into opening a specially crafted TIFF image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges. |
mc: command execution
| Package(s): | mc | CVE #(s): | CVE-2012-4463 |
| Created: | December 7, 2012 | Updated: | February 20, 2014 |
| Description: | From the CVE entry: Midnight Commander (mc) 4.8.5 does not properly handle the (1) MC_EXT_SELECTED or (2) MC_EXT_ONLYTAGGED environment variables when multiple files are selected, which allows user-assisted remote attackers to execute arbitrary commands via a crafted file name. |
openshift-console: code execution
| Package(s): | openshift-console | CVE #(s): | CVE-2012-5622 |
| Created: | December 11, 2012 | Updated: | December 12, 2012 |
| Description: | From the Red Hat advisory: It was found that the OpenShift Management Console did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the OpenShift Management Console, into visiting an attacker controlled web page, the attacker could make changes to applications hosted within OpenShift Enterprise with the privileges of the victim which may lead to arbitrary code execution in the OpenShift Enterprise hosted applications. |
openstack-keystone: file permissions flaw
| Package(s): | openstack-keystone | CVE #(s): | CVE-2012-5483 |
| Created: | December 11, 2012 | Updated: | December 12, 2012 |
| Description: | From the Red Hat advisory: When access to Amazon Elastic Compute Cloud (Amazon EC2) was configured, a file permissions flaw in Keystone allowed a local attacker to view the administrative access and secret values used for authenticating requests to Amazon EC2 services. An attacker could use this flaw to access Amazon EC2 and enable, disable, and modify services and settings. |
php-symfony2-HttpFoundation: multiple vulnerabilities
| Package(s): | php-symfony2-HttpFoundation | CVE #(s): | |
| Created: | December 10, 2012 | Updated: | December 12, 2012 |
| Description: | Symfony v2.1.4 fixes multiple bugs, some of which could be security issues. See the symfony changelog for the details. Version 2.0.19 also fixes lots of bugs. See this changelog for details. |
php-symfony-symfony: information disclosure
| Package(s): | php-symfony-symfony | CVE #(s): | CVE-2012-5574 |
| Created: | December 6, 2012 | Updated: | May 19, 2014 |
| Description: | From the Red Hat bugzilla: An information disclosure flaw was found in the way Symfony, an open-source PHP web framework, sanitized certain HTTP POST request values. A remote attacker could use this flaw to obtain (unauthorized) read access to arbitrary system files, readable with the privileges of the web server process. |
plexus-cipher: insufficiently random salt
| Package(s): | plexus-cipher | CVE #(s): | |
| Created: | December 6, 2012 | Updated: | December 12, 2012 |
| Description: | getSalt() falls back to Random (seeded by the current time) instead of SecureRandom. These bugs just decrease the randomness of the salt/IV, so they may not actually result in an exploitable security vulnerability. But that depends on how this class is used. See the Red Hat bugzilla for details. |
tor: denial of service
| Package(s): | tor | CVE #(s): | CVE-2012-5573 |
| Created: | December 7, 2012 | Updated: | March 25, 2013 |
| Description: | From the openSUSE advisory: Tear down the circuit when receiving an unexpected SENDME cell. Prevents circumvention of the network's flow control, exhaustion of network resources and possible denial-of-service attacks on entry nodes. |
xen: multiple vulnerabilities
| Package(s): | Xen | CVE #(s): | CVE-2012-5510 CVE-2012-5511 CVE-2012-5512 CVE-2012-5514 CVE-2012-5515 |
| Created: | December 6, 2012 | Updated: | December 24, 2012 |
| Description: | From the SUSE advisory: |
wireshark: multiple vulnerabilities
| Package(s): | wireshark | CVE #(s): | CVE-2012-5592 CVE-2012-5593 CVE-2012-5594 CVE-2012-5595 CVE-2012-5596 CVE-2012-5597 CVE-2012-5598 CVE-2012-5599 CVE-2012-5600 CVE-2012-5601 CVE-2012-5602 |
| Created: | December 10, 2012 | Updated: | January 23, 2013 |
| Description: | From the openSUSE advisory: Wireshark security update to 1.8.4 (https://www.wireshark.org/docs/relnotes/wireshark-1.8.4.html, http://seclists.org/oss-sec/2012/q4/378): |
| | CVE-2012-5592: Wireshark #1 pcap-ng hostname disclosure (wnpa-sec-2012-30) |
| | CVE-2012-5593: Wireshark #2 DoS (infinite loop) in the USB dissector (wnpa-sec-2012-31) |
| | CVE-2012-5594: Wireshark #3 DoS (infinite loop) in the sFlow dissector (wnpa-sec-2012-32) |
| | CVE-2012-5595: Wireshark #4 DoS (infinite loop) in the SCTP dissector (wnpa-sec-2012-33) |
| | CVE-2012-5596: Wireshark #5 DoS (infinite loop) in the EIGRP dissector (wnpa-sec-2012-34) |
| | CVE-2012-5597: Wireshark #6 DoS (crash) in the ISAKMP dissector (wnpa-sec-2012-35) |
| | CVE-2012-5598: Wireshark #7 DoS (infinite loop) in the iSCSI dissector (wnpa-sec-2012-36) |
| | CVE-2012-5599: Wireshark #8 DoS (infinite loop) in the WTP dissector (wnpa-sec-2012-37) |
| | CVE-2012-5600: Wireshark #9 DoS (infinite loop) in the RTCP dissector (wnpa-sec-2012-38) |
| | CVE-2012-5601: Wireshark #10 DoS (infinite loop) in the 3GPP2 A11 dissector (wnpa-sec-2012-39) |
| | CVE-2012-5602: Wireshark #11 DoS (infinite loop) in the ICMPv6 dissector (wnpa-sec-2012-40) |
Page editor: Michael Kerrisk
