[4608] in Kerberos
Re: Kerberos Login/Authorizations
daemon@ATHENA.MIT.EDU (Donald Sharp#Other)
Mon Feb 13 11:11:56 1995
Date: Mon, 13 Feb 1995 10:55:07 -0500
From: Donald Sharp#Other <cc32859@vantage.FMR.Com>
To: kerberos%MIT.EDU@stowe.FMR.Com
Cc: michaelc%ramnet.net@stowe.FMR.Com
Michael Crisp writes:
> Is there any way to limit how many logins or authorizations Kerberos
> will allow for a single user? I am using Kerberos 4 and would like to
> limit users to a single session by denying tickets to a user who
> already has an authorized session. Thanks for any help you can give
> me.
It isn't easy, but could possibly be done by modifying the source code
appropriately. It violates one of the central principles of the
Kerberos design, however: that of stateless services. (Although
statelessness is already violated by caching, but violating the design
does tend to increase the complexity and error-proneness of the
implementation.)
What you'd need to do is modify the key distribution service to keep
track of the ticket-granting tickets outstanding. When a request for
a TGT arrives, it's checked against the list of extant TGT's, and
rejected if there's a match.
Complications may arise from forwardable or proxiable tickets, or
multiple realms, but in V4 you should be relatively immune from those
effects. Replicated servers would also cause a problem; you would
have to arrange for all replicas in a domain to become aware of all
TGT's granted by any one of them.
Also, you'd have to be sure to modify the kadmin service to give you a
way to remove an obsolete TGT (from all of the replicas, of course) to
allow legitimate users to get a new TGT in case of catastrophic
failure (like hardware crashes etc.).
What would be the purpose of limiting the number of logins for a
single user anyway?
Don
--------
Don Sharp cc32859@vantage.fmrco.com
Fidelity Investments (617) 570-3905
82 Devonshire St. A2A
Boston, MA 02109
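The stateful KDC-side bookkeeping the reply sketches, as a constructed Python model added here (not code from this thread or from the Kerberos 4 sources): a per-principal registry that refuses a second TGT while one is outstanding, drops entries once the ticket lifetime has passed, exposes a kadmin-style removal for crash recovery, and merges state learned from a replica. The lifetime value and principal names are assumptions.

```python
# Constructed model of the "one TGT per user" KDC modification described above.
# It keeps no real Kerberos state; it only shows what the KDC would have to track.

TGT_LIFETIME_S = 10 * 3600  # assumed ticket lifetime in seconds (not from the thread)


class TGTRegistry:
    """Per-principal record of outstanding TGTs, keyed by principal name."""

    def __init__(self, lifetime_s=TGT_LIFETIME_S):
        self.lifetime = lifetime_s
        self.outstanding = {}  # principal -> expiry time (seconds)

    def _expire(self, now):
        # Without expiry, a client that dies holding a TGT locks its user out
        # until an administrator intervenes; lifetime-based cleanup bounds that.
        for principal, expiry in list(self.outstanding.items()):
            if expiry <= now:
                del self.outstanding[principal]

    def request_tgt(self, principal, now):
        """Return True if a TGT would be issued, False if refused as a duplicate."""
        self._expire(now)
        if principal in self.outstanding:
            return False
        self.outstanding[principal] = now + self.lifetime
        return True

    def admin_remove(self, principal):
        """kadmin-style removal of an obsolete TGT entry (e.g. after a crash)."""
        return self.outstanding.pop(principal, None) is not None

    def merge_from_replica(self, other):
        """Learn TGTs granted by another replica; keep the later expiry per principal."""
        for principal, expiry in other.outstanding.items():
            if expiry > self.outstanding.get(principal, 0):
                self.outstanding[principal] = expiry
```

Every replica must apply both `request_tgt` and `admin_remove` consistently, otherwise a user refused on one KDC can simply be issued a TGT by another.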