[38154] in Kerberos
Re: -allow_tgs_req
daemon@ATHENA.MIT.EDU (Chris Hecker)
Mon Jan 8 23:07:44 2018
MIME-Version: 1.0
In-Reply-To: <87h8rvel8x.fsf@hope.eyrie.org>
From: Chris Hecker <checker@d6.com>
Date: Tue, 09 Jan 2018 04:07:08 +0000
Message-ID: <CAOdMLc2VBekbxUuDKkk=wnmOeOJFkn_K2FAnnLfdqihTr-L=cg@mail.gmail.com>
To: Russ Allbery <eagle@eyrie.org>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Ah. Is there any way to prevent a service princ from being able to get
tickets?
As in, if one of my service keytabs is compromised, can I prevent those
princs from being used like a normal user princ?
Chris
On Mon, Jan 8, 2018 at 19:58 Russ Allbery <eagle@eyrie.org> wrote:
> Chris Hecker <checker@d6.com> writes:
>
> > If -allow_tgs_req / DISALLOW_TGT_BASED is set on a service princ then I
> > shouldn't be able to kinit with it, right? I'm able to get TGTs though
> > with kinit and the keytab for this service, and then get service tickets
> > with kvno; I need to update my KDC and see if this is still true, or
> > mabye I'm misunderstanding how it works...?
>
> That prevents other principals from getting service tickets for that
> principal using a TGT. It's intended for principals like kadmin/changepw
> that want to force an AS-REQ to get a service ticket for that principal.
>
> It doesn't have any effect on authenticating as that principal.
>
> --
> Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
