How can I prevent a user principal from accessing a kerberoized service/host?

Garrett Wollman wollman at bimajority.org
Sun Nov 25 13:35:08 EST 2007


In article <mailman.2.1195976449.11331.kerberos at mit.edu>,
Amir Saad  <eng__amir at hotmail.com> wrote:

>I use MIT Kerberos 5 & OpenLDAP to manage my network users. I can login
>successfully to all machines using my Kerberos principal. I need to
>create a limited account that is able to access only a few
>hosts/services not all machines/services. How can I do this? 

You use whatever access-control mechanisms are provided by those
services.  Kerberos is an authentication protocol, not an
authorization service.

-GAWollman

-- 
Garrett A. Wollman   | The real tragedy of human existence is not that we are
wollman at csail.mit.edu| nasty by nature, but that a cruel structural asymmetry
Opinions not those   | grants to rare events of meanness such power to shape
of MIT or CSAIL.     | our history. - S.J. Gould, Ten Thousand Acts of Kindness



More information about the Kerberos mailing list