[38158] in Kerberos
Re: -allow_tgs_req
daemon@ATHENA.MIT.EDU (Chris Hecker)
Mon Jan 8 23:32:47 2018
MIME-Version: 1.0
In-Reply-To: <CAOdMLc04_R_Wuohkrdhh1iwkqk3XpTSiwwL4bv1zY6Y6CREAxw@mail.gmail.com>
From: Chris Hecker <checker@d6.com>
Date: Tue, 09 Jan 2018 04:28:43 +0000
Message-ID: <CAOdMLc1Kd+UyM8udGCfDFV_fr7r1u0UOoGFitCT2L9OrfO0sUA@mail.gmail.com>
To: Russ Allbery <eagle@eyrie.org>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hmm, yeah, I can't get tickets to a service with -allow_tix on it. I'll
have to look into why if that's supposed to work, I made a couple
modifications to my KDC in this area a while back.
Chris
On Mon, Jan 8, 2018 at 20:24 Chris Hecker <checker@d6.com> wrote:
>
> Ah, I assumed that was symmetric for some reason. I obviously need to be
> able to get tickets for these services. Not sure why I thought that. I'll
> check it out, thanks!
>
> Chris
>
>
> On Mon, Jan 8, 2018 at 20:15 Russ Allbery <eagle@eyrie.org> wrote:
>
>> Chris Hecker <checker@d6.com> writes:
>>
>> > Ah. Is there any way to prevent a service princ from being able to get
>> > tickets?
>>
>> > As in, if one of my service keytabs is compromised, can I prevent those
>> > princs from being used like a normal user princ?
>>
>> I think you want -allow_tix.
>>
>> --
>> Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/
>> >
>>
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
