Authorization from some IPs

Sam Hartman hartmans at MIT.EDU
Fri Feb 20 06:27:54 EST 2004


>>>>> "Sensei" == Sensei  <noone at nowhere.org> writes:

    Sensei> Hi.  I have a(nother) question for kerberos. As we're
    Sensei> setting up a centralized login, we have a problem.

    Sensei> Our dept. is made of 8~10 labs, and we'd like to handle
    Sensei> logins under *one* machine, but distinguish each login
    Sensei> request from a lab to another.

    Sensei> I mean, every user should be able to login *only* from a
    Sensei> particular lab, using the central kerberos auth, and
    Sensei> should *not* be able to do so from an ip belonging to
    Sensei> another lab. Note that we have all static ips and names.

Then you're going to be adding code to the Kerberos implementation or
checking the IP at a non-Kerberos layer. 

IP-based restrictions sort of go against the whole point of Kerberos.
They aren't very secure and they are not cryptographically based.  As
such, the current Kerberos implementations do not support them.

A PAM module may be able to help you.
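
One way to do the check at the PAM layer, shown as an added example that is not part of the original message: Linux-PAM's pam_access in the account stack of the central login host. The group names (lab1, lab2), the subnets (documentation range 192.0.2.0/24) and the choice of sshd as the login service are assumptions.

```conf
# --- /etc/pam.d/sshd (account stack) ---
# Kerberos still authenticates the user; pam_access only decides, after
# authentication, whether this user may log in from this origin.
account  required  pam_access.so

# --- /etc/security/access.conf ---
# Format:  permission : users/groups : origins
# Rules are read top to bottom and the first match wins.
# (name) means a Unix group; origins may be written as network/prefix.

# Keep a console path for root so a bad rule cannot lock out the admin.
+ : root : LOCAL

# Assumed layout: one Unix group and one static subnet per lab.
+ : (lab1) : 192.0.2.0/26
+ : (lab2) : 192.0.2.64/26

# Default deny: any user/origin pair not listed above is refused.
- : ALL : ALL
```

The origin is matched against the remote host that the login service reports to PAM, so this is the non-cryptographic source-address check the reply describes, enforced next to Kerberos rather than by it.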


