Tying user keytabs to IPs?

K. Bruner napalm at drachma.ugcs.caltech.edu
Fri Mar 4 15:53:59 EST 2005


We are investigating using Kerberos authentication with Oracle.  We have
one Oracle application username that needs to connect from scripts from a
couple of machines, but we don't want to hardcode the Oracle (or any) 
password into the scripts.  I haven't been able to find a way to tie a
user keytab to just one machine, so my understanding is that the keytab
could be copied to other machines, and since the KDC/TGS can't disallow
based on IP, we can't prevent keytab proliferation.

Is there something I'm missing?  I don't suppose I can wrap the KDC in
TCP wrappers....  IP-based authorization from Oracle has apparently been
problematic for us in the past.

One other possibility is that because we're running the KDC on linux, we
could just use iptables to allow Kerberos connections only from certain
hosts.
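The concern in the post is that a copied keytab works from any host because the KDC does not authorize on client address. What the KDC does do is record the source address of every AS_REQ and TGS_REQ it answers, so a copied keytab shows up as the application principal obtaining tickets from a host that is not one of the script machines. The following is an added example, not code from the post or from the Kerberos project: it parses a constructed excerpt of MIT-style krb5kdc log lines and flags requests for a watched principal that come from outside an address allowlist. The realm `EXAMPLE.COM`, the principal `oraapp`, the host names and the addresses are all hypothetical, and the exact log layout is constructed to follow the general MIT format rather than copied from a real KDC.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample KDC log excerpt. It follows the general shape of MIT krb5kdc
# log lines (request type, client address, status, client principal "for"
# service principal); realm, principals, hosts and addresses are hypothetical.
SAMPLE_KDC_LOG = """\
Mar 04 15:40:01 kdc krb5kdc[2201](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: oraapp@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Mar 04 15:40:01 kdc krb5kdc[2201](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1109968801, etypes {rep=18 tkt=18 ses=18}, oraapp@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 04 15:41:13 kdc krb5kdc[2201](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: ISSUE: authtime 1109968873, etypes {rep=18 tkt=18 ses=18}, oraapp@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 04 15:42:50 kdc krb5kdc[2201](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.77: ISSUE: authtime 1109968970, etypes {rep=18 tkt=18 ses=18}, oraapp@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 04 15:43:02 kdc krb5kdc[2201](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.5: ISSUE: authtime 1109968982, etypes {rep=18 tkt=18 ses=18}, kbruner@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 04 15:44:30 kdc krb5kdc[2201](info): TGS_REQ (4 etypes {18 17 16 23}) 198.51.100.77: ISSUE: authtime 1109968970, etypes {rep=18 tkt=18 ses=18}, oraapp@EXAMPLE.COM for oracle/db1.example.com@EXAMPLE.COM
"""

# Hypothetical policy: the Oracle application principal should only request
# tickets from the two script hosts. Principals not listed here are not watched.
EXPECTED_SOURCES = {
    "oraapp@EXAMPLE.COM": [
        ipaddress.ip_network("192.0.2.10/32"),
        ipaddress.ip_network("192.0.2.11/32"),
    ],
}

# One regex for AS_REQ/TGS_REQ lines: timestamp, host, request type, client
# address, status word (ISSUE, NEEDED_PREAUTH, ...), then "<client> for <server>".
KDC_LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[0-9A-Fa-f.:]+): (?P<status>\w+): "
    r".*?(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+)"
)


@dataclass(frozen=True)
class KdcEvent:
    timestamp: str
    req_type: str          # AS_REQ or TGS_REQ
    client_ip: ipaddress._BaseAddress
    status: str            # ISSUE means a ticket was actually handed out
    client: str            # requesting principal
    server: str            # service principal requested


def parse_kdc_line(line: str) -> Optional[KdcEvent]:
    """Return a KdcEvent for a request line, or None for lines we do not model."""
    m = KDC_LINE_RE.match(line)
    if not m:
        return None  # startup messages, errors without a principal, etc.
    return KdcEvent(m["ts"], m["req"], ipaddress.ip_address(m["ip"]),
                    m["status"], m["client"], m["server"])


def parse_kdc_log(text: str) -> List[KdcEvent]:
    return [ev for ev in (parse_kdc_line(l) for l in text.splitlines()) if ev]


def sources_by_principal(events: List[KdcEvent]) -> Dict[str, Set[str]]:
    """Inventory: which client addresses has each principal been seen from?"""
    seen: Dict[str, Set[str]] = {}
    for ev in events:
        seen.setdefault(ev.client, set()).add(str(ev.client_ip))
    return seen


def unexpected_sources(events: List[KdcEvent], policy: Dict[str, list]) -> List[KdcEvent]:
    """Events where a watched principal requested tickets from outside its allowlist."""
    alerts = []
    for ev in events:
        allowed = policy.get(ev.client)
        if allowed is None:
            continue  # not a watched principal
        # Address-family mismatch simply fails the membership test, so mixed
        # IPv4/IPv6 allowlists are safe here.
        if not any(ev.client_ip in net for net in allowed):
            alerts.append(ev)
    return alerts


if __name__ == "__main__":
    events = parse_kdc_log(SAMPLE_KDC_LOG)
    for principal, addrs in sorted(sources_by_principal(events).items()):
        print(f"{principal}: seen from {', '.join(sorted(addrs))}")
    for ev in unexpected_sources(events, EXPECTED_SOURCES):
        print(f"ALERT {ev.timestamp} {ev.req_type} {ev.status} {ev.client} "
              f"from {ev.client_ip} for {ev.server}")
```

In the sample, the two requests from 198.51.100.77 are flagged (one AS_REQ that obtained a TGT and one TGS_REQ for the Oracle service), while the interactive user from 198.51.100.5 is ignored because that principal is not in the policy. This complements the iptables idea in the post rather than replacing it: the firewall stops requests from hosts outside the allowlist, and the log check tells you when the keytab has actually been used from somewhere it should not be, including from an allowed host that was never meant to hold it.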
