[38159] in Kerberos


Re: -allow_tgs_req

daemon@ATHENA.MIT.EDU (Chris Hecker)
Mon Jan 8 23:33:12 2018

MIME-Version: 1.0
In-Reply-To: <878td7ejvj.fsf@hope.eyrie.org>
From: Chris Hecker <checker@d6.com>
Date: Tue, 09 Jan 2018 04:32:46 +0000
Message-ID: <CAOdMLc0iaNJ-j_tcp3jDYpQqq074t9Re-St1yWX9wz3sQd3Bjg@mail.gmail.com>
To: Russ Allbery <eagle@eyrie.org>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Right, I will disable the princ when I find out obviously, I just want the
person to not be able to use it as a user princ to get tickets to other
services in the meantime.  Does that make sense or am I missing something?

Chris
On Mon, Jan 8, 2018 at 20:28 Russ Allbery <eagle@eyrie.org> wrote:

> Chris Hecker <checker@d6.com> writes:
>
> > Ah, I assumed that was symmetric for some reason.  I obviously need to
> > be able to get tickets for these services.  Not sure why I thought that.
> > I'll check it out, thanks!
>
> It is symmetric, yeah, so it has the problem that you're assuming it has.
> I don't think there's a way to disable exactly the bit that you want.
> There's -allow_svr, which prevents issuing service tickets for the
> principal, and -allow_tix, which prevents issuing any tickets at all, but
> I don't think there's a flag to keep from allowing that principal to
> authenticate and get a TGT.
>
> Maybe -pwexpire in the past would do what you want?  I'm not sure how that
> interacts with service tickets.
>
> Note, however, that if your keytab is compromised, the attacker can issue
> arbitrary service tickets for your service in any identity they choose, so
> I'm not sure you would want to leave service tickets enabled in that
> situation.
>
> --
> Russ Allbery (eagle@eyrie.org)              <http://www.eyrie.org/~eagle/>
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
