Any set of flags on a princ to allow an AS but no TGS request?
Greg Hudson
ghudson at mit.edu
Thu Aug 2 02:06:43 EDT 2018
On 08/02/2018 12:52 AM, Chris Hecker wrote:> I'd like to make a princ
that can be used to test whether the kdc is
> working for login, but I don't want this princ to be able to get tickets
> to any services (except the initial TGT). I can turn off u2u with dup
> skey, and I tried setting the -maxlife to 0 but that defaulted to 24
> hours, and even setting -maxlife "1 second" still lets kvno get tickets
> for a while (I assume for the clock skew window, though the tickets have
> a start time after their expires time, so maybe they're not usable, I
> haven't tried using them). Am I missing something obvious?
You could in theory enable anonymous access by creating
WELLKNOWN/ANONYMOUS and then set "restrict_anonymous_to_tgt = true" in
the realm config, and then test for KDC liveness using anonymous PKINIT.
But then you'd have to set up PKINIT, and that seems like a lot for
this purpose.
Aside from that I don't think there's any built-in functionality for
this. In 1.16+ you could write a kdcpolicy module to implement that
restriction.
You'll also want to prevent AS requests for services other than
krbtgt/REALM; in particular you don't want the client to be able to get
tickets for kadmin/* or it could change its password.
More information about the Kerberos
mailing list