Re: -allow_tgs_req

daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Jan 8 23:28:30 2018

From: Russ Allbery <eagle@eyrie.org>
To: Chris Hecker <checker@d6.com>
In-Reply-To: <CAOdMLc04_R_Wuohkrdhh1iwkqk3XpTSiwwL4bv1zY6Y6CREAxw@mail.gmail.com>
	(Chris Hecker's message of "Tue, 09 Jan 2018 04:24:59 +0000")
Date: Mon, 08 Jan 2018 20:28:16 -0800
Message-ID: <878td7ejvj.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Chris Hecker <checker@d6.com> writes:

> Ah, I assumed that was symmetric for some reason.  I obviously need to
> be able to get tickets for these services.  Not sure why I thought that.
> I'll check it out, thanks!

It is symmetric, yeah, so it has the problem that you're assuming it has.
I don't think there's a way to disable exactly the bit that you want.
There's -allow_svr, which prevents issuing service tickets for the
principal, and -allow_tix, which prevents issuing any tickets at all, but
I don't think there's a flag to keep from allowing that principal to
authenticate and get a TGT.

Maybe -pwexpire in the past would do what you want?  I'm not sure how that
interacts with service tickets.

Note, however, that if your keytab is compromised, the attacker can issue
arbitrary service tickets for your service in any identity they choose, so
I'm not sure you would want to leave service tickets enabled in that
situation.

-- 
Russ Allbery (eagle@eyrie.org)              <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos