[17354] in Kerberos_V5_Development

Re: Extensible kadm5 policies

daemon@ATHENA.MIT.EDU (Roland C. Dowdeswell)
Tue Nov 1 14:45:51 2011

Date: Tue, 1 Nov 2011 18:45:47 +0000
From: "Roland C. Dowdeswell" <elric@imrryr.org>
To: Russ Allbery <rra@stanford.edu>
Message-ID: <20111101184547.GA6649@mournblade.imrryr.org>
In-Reply-To: <877h3jixm0.fsf@windlord.stanford.edu>
Cc: krbdev@mit.edu

On Tue, Nov 01, 2011 at 10:03:19AM -0700, Russ Allbery wrote:
> I would love to be able to set some principal flags via a policy as well.
> Things like disallow-forwardable and disallow-proxiable, for example, for
> root instance principals.

I agree with this.  Another flag that would be quite nice to put
into policies would be -allow_srv which should be set on all
principals which have passwds to prevent dictionary attacks against
vended service tickets.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/
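
An added example, not part of the original message or of the krb5 code base: until a policy can carry principal flags, the condition described above can be audited from `kadmin getprinc` output by listing principals that sit under a password policy but lack the DISALLOW_SVR attribute (what kadmin reports once `-allow_svr` is set). The policy names `users` and `admins`, the realm and the sample output are constructed, and treating "has one of these policies" as "has a password" is an assumed site convention.

```python
# Constructed sample: trimmed, concatenated `kadmin -q "getprinc <name>"` output.
SAMPLE = """\
Principal: alice@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH
Policy: users

Principal: bob@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Policy: users

Principal: carol/root@EXAMPLE.COM
Attributes:
Policy: admins

Principal: host/web1.example.com@EXAMPLE.COM
Attributes:
Policy: [none]
"""

def parse_getprinc(text):
    """Split getprinc output into one dict per principal."""
    records, cur = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank line or continuation without a field name
        key, value = key.strip(), value.strip()
        if key == "Principal":
            cur = {"principal": value, "attributes": set(), "policy": None}
            records.append(cur)
        elif cur is None:
            continue  # field seen before any Principal line
        elif key == "Attributes":
            cur["attributes"] = set(value.split())
        elif key == "Policy":
            cur["policy"] = None if value == "[none]" else value
    return records

def missing_disallow_svr(records, password_policies):
    """Principals under a password policy that can still be service-ticket targets."""
    return sorted(r["principal"] for r in records
                  if r["policy"] in password_policies          # assumed: policy implies password
                  and "DISALLOW_SVR" not in r["attributes"])

if __name__ == "__main__":
    # "users" and "admins" are hypothetical policy names for password principals.
    for name in missing_disallow_svr(parse_getprinc(SAMPLE), {"users", "admins"}):
        print(f"{name}: password-derived key, service tickets still allowed")
```

Randomly keyed service principals such as `host/...` are skipped because they carry no password policy in this convention.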