|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |
To: Chris Hecker <checker@d6.com>, "kerberos@mit.edu" <kerberos@mit.edu> From: Greg Hudson <ghudson@mit.edu> Message-ID: <10b438f7-0832-7cd6-3110-6960e5a9758b@mit.edu> Date: Thu, 2 Aug 2018 02:06:43 -0400 MIME-Version: 1.0 In-Reply-To: <0491303d-ed97-341f-cdff-41534ef8710e@d6.com> Content-Language: en-US Content-Type: text/plain; charset="utf-8" Errors-To: kerberos-bounces@mit.edu Content-Transfer-Encoding: 8bit On 08/02/2018 12:52 AM, Chris Hecker wrote:> I'd like to make a princ that can be used to test whether the kdc is > working for login, but I don't want this princ to be able to get tickets > to any services (except the initial TGT). I can turn off u2u with dup > skey, and I tried setting the -maxlife to 0 but that defaulted to 24 > hours, and even setting -maxlife "1 second" still lets kvno get tickets > for a while (I assume for the clock skew window, though the tickets have > a start time after their expires time, so maybe they're not usable, I > haven't tried using them). Am I missing something obvious? You could in theory enable anonymous access by creating WELLKNOWN/ANONYMOUS and then set "restrict_anonymous_to_tgt = true" in the realm config, and then test for KDC liveness using anonymous PKINIT. But then you'd have to set up PKINIT, and that seems like a lot for this purpose. Aside from that I don't think there's any built-in functionality for this. In 1.16+ you could write a kdcpolicy module to implement that restriction. You'll also want to prevent AS requests for services other than krbtgt/REALM; in particular you don't want the client to be able to get tickets for kadmin/* or it could change its password. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |