[37966] in Kerberos
Re: Limit kinit by client address?
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Apr 19 14:09:52 2017
To: Wang Jian <larkwang@gmail.com>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <a0093160-3ba1-f3da-d2f5-9116a78de37f@mit.edu>
Date: Wed, 19 Apr 2017 14:09:24 -0400
MIME-Version: 1.0
In-Reply-To: <CAF75rJDxXYTzWRa3xuNZdS6S+gENPK-gyNg-9Mb61gU=4Sb-6Q@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 04/19/2017 08:10 AM, Wang Jian wrote:
> I used to think that I can limit kinit by client address for certain
> principal, using a preauth plugin. [...]
> Now, we do have such demand. But when I start to implement it, I find
> that there is no way the client address can be retrieved from the context
> parameters in a plugin.
I think that's true. We could add a callback to retrieve the client
address. But more importantly, you can't write a kdcpreauth plugin
module so that it gets consulted independently of the client trying to
use a specific preauthentication mechanism over the wire.
We do have a wishlist item of implementing a pluggable KDC policy
interface (independent of the KDB module, which already gets to make
policy decisions). If we did that, and made the client address
available through that interface, a policy plugin module could make this
decision.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos