[37962] in Kerberos
Limit kinit by client address?
daemon@ATHENA.MIT.EDU (Wang Jian)
Wed Apr 19 08:10:50 2017
MIME-Version: 1.0
From: Wang Jian <larkwang@gmail.com>
Date: Wed, 19 Apr 2017 20:10:30 +0800
Message-ID: <CAF75rJDxXYTzWRa3xuNZdS6S+gENPK-gyNg-9Mb61gU=4Sb-6Q@mail.gmail.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
I used to think that I can limit kinit by client address for a certain
principal, using a preauth plugin. The plugin can check the client
address against one of the principal's string attributes, such as
"allowfrom", preventing keytab theft in an automation environment.
That's just an idea that I didn't implement. I know that kinit can
limit a TGT's addresses, which can prevent TGT theft to some extent.
Now, we do have such a demand. But when I started to implement it, I found
that there is no way the client address can be retrieved from the context
parameters in the plugin.
Is the idea realizable? Am I missing something, or is my assumption basically wrong?
Regards,
Wang Jian
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
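The check the post sketches, a client address compared against an "allowfrom" string attribute on the principal, as an added illustration that is not code from the post or from MIT krb5. It leaves aside the open question of how a kdcpreauth plugin would obtain the peer address and shows only the policy decision itself. The attribute format (a comma-separated list of IP addresses and CIDR prefixes), the sample principal table and the fail-closed choices are assumptions made here, not anything the KDC defines.

```python
"""Address-allowlist decision for an AS request, modelled on the post's
'allowfrom' idea.  Added example; not MIT krb5 plugin code.  The attribute
format and the sample principal database below are constructed assumptions."""
import ipaddress
from typing import Dict, List, Optional

IPNetwork = ipaddress._BaseNetwork


def parse_allowfrom(value: str) -> List[IPNetwork]:
    """Parse 'allowfrom' as comma-separated addresses or CIDR prefixes.
    A malformed entry raises ValueError rather than being skipped, so a typo
    cannot silently change the policy (the caller fails closed on it)."""
    nets: List[IPNetwork] = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        # strict=False: "10.1.2.3/24" means the /24 containing that host
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def normalise_client(addr: str) -> ipaddress._BaseAddress:
    """Parse the client address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d),
    which a dual-stack KDC socket reports for IPv4 peers, so that an IPv4
    prefix in 'allowfrom' still matches."""
    parsed = ipaddress.ip_address(addr)
    if isinstance(parsed, ipaddress.IPv6Address) and parsed.ipv4_mapped is not None:
        return parsed.ipv4_mapped
    return parsed


def address_allowed(client_addr: str, allowfrom: Optional[str]) -> bool:
    """True if the request may proceed.
    - attribute absent            -> principal is unrestricted (allow)
    - attribute present but empty -> nothing is allowed (deny)
    - unparsable attribute/address -> deny (fail closed)"""
    if allowfrom is None:
        return True
    try:
        nets = parse_allowfrom(allowfrom)
        addr = normalise_client(client_addr)
    except ValueError:
        return False
    if not nets:
        return False
    # 'in' on a network of the other IP version is simply False, never an error
    return any(addr in net for net in nets)


# Constructed sample of principal string attributes (assumption, not KDC data).
SAMPLE_PRINCIPALS: Dict[str, Dict[str, str]] = {
    "svc/backup@EXAMPLE.COM": {"allowfrom": "10.20.0.0/24, 2001:db8:1::/64"},
    "svc/web@EXAMPLE.COM": {"allowfrom": ""},      # set but empty: deny everywhere
    "alice@EXAMPLE.COM": {},                       # no attribute: unrestricted
}


def check_as_request(principal: str, client_addr: str,
                     db: Dict[str, Dict[str, str]] = SAMPLE_PRINCIPALS) -> bool:
    """Decision for one AS request: unknown principal -> deny, otherwise
    apply the principal's 'allowfrom' attribute to the client address."""
    attrs = db.get(principal)
    if attrs is None:
        return False
    return address_allowed(client_addr, attrs.get("allowfrom"))


if __name__ == "__main__":
    for princ, addr in [("svc/backup@EXAMPLE.COM", "10.20.0.7"),
                        ("svc/backup@EXAMPLE.COM", "10.21.0.7"),
                        ("svc/backup@EXAMPLE.COM", "::ffff:10.20.0.7"),
                        ("svc/web@EXAMPLE.COM", "10.20.0.7"),
                        ("alice@EXAMPLE.COM", "192.0.2.1")]:
        verdict = "ALLOW" if check_as_request(princ, addr) else "DENY"
        print(f"{verdict:5} {princ} from {addr}")
```

The two fail-closed rules are the design point: an attribute that is present but empty, or that contains an entry the parser rejects, denies the request instead of quietly behaving like "no restriction", which is the outcome an operator would least expect from a keytab-theft control.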