[38155] in Kerberos
Re: -allow_tgs_req
daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Jan 8 23:15:51 2018
From: Russ Allbery <eagle@eyrie.org>
To: Chris Hecker <checker@d6.com>
In-Reply-To: <CAOdMLc2VBekbxUuDKkk=wnmOeOJFkn_K2FAnnLfdqihTr-L=cg@mail.gmail.com>
(Chris Hecker's message of "Tue, 09 Jan 2018 04:07:08 +0000")
Date: Mon, 08 Jan 2018 20:15:41 -0800
Message-ID: <87d12jekgi.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Chris Hecker <checker@d6.com> writes:
> Ah. Is there any way to prevent a service princ from being able to get
> tickets?
> As in, if one of my service keytabs is compromised, can I prevent those
> princs from being used like a normal user princ?
I think you want -allow_tix.
--
Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos