Forwardable tickets - need help

Emil Grama egrama at gmail.com
Thu Sep 23 01:09:33 EDT 2010


Thank you for your help!

We are not using NAT, so I am not concerned about using IP addresses
to control where a ticket can be used from.
I tried playing with the noaddresses option in krb5.conf: if I request
a ticket with an address I get one, and if I request one without an
address I also get one.
I would like to restrict this at the KDC level so only tickets with
addresses are issued. Any idea if it can be done and how?

Emil

On Fri, Sep 17, 2010 at 10:34 PM, Nicolas Williams
<Nicolas.Williams at oracle.com> wrote:
> On Fri, Sep 17, 2010 at 10:40:19AM -0700, egrama wrote:
>> Shouldn't a non-forwardable ticket be good only on the host to which
>> it was issued (host A in our example)?
>
> Because of NAT the use of addresses to control where a ticket can be
> used from has become difficult at best to keep going, thus many sites
> use address-less tickets, which in turn can be "forwarded" anywhere you
> want.
>
> The solution to this should be to require that a ticket be used in
> conjunction with another ticket for a client host principal
> corresponding to the host that the ticket is tied down to.  This would
> have to be done via authorization-data elements in the Authenticator.
>
> Nico
> --
>
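The thread turns on whether a ticket carries client addresses: an addressed ticket is only honoured from the listed hosts, while an address-less one (what `noaddresses = true` in krb5.conf requests) can be presented from anywhere. The script below is an added example, not code from Emil or Nico, that audits a credential cache for address-less tickets and models the address check a service would apply. It parses the text that MIT Kerberos `klist -a` prints; the sample listing is constructed, and the `IPv4:` prefix and `(none)` marker in it are assumed from memory of the tool's output, so adjust the regexes if your build formats addresses differently.

```python
"""Audit a Kerberos credential-cache listing for address-less tickets.

Added example (not from the original thread). Parses `klist -a` style
output and reports which tickets can be used from any host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed sample of `klist -a` output: one ticket bound to an address,
# one issued without addresses. Format is assumed, not copied from a real run.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: emil@EXAMPLE.COM

Valid starting       Expires              Service principal
09/23/2010 01:09:33  09/23/2010 11:09:33  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tAddresses: IPv4:192.0.2.10
09/23/2010 01:10:02  09/23/2010 11:09:33  host/fileserver.example.com@EXAMPLE.COM
\tAddresses: (none)
"""

# A ticket line: two timestamps followed by the service principal.
_TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+"
    r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\S+)$"
)
# The indented address line printed under each ticket when -a is given.
_ADDR_RE = re.compile(r"^\s*Addresses:\s*(.*)$")


@dataclass
class Ticket:
    service: str
    valid_from: str
    expires: str
    addresses: list[str] = field(default_factory=list)


def parse_klist(text: str) -> list[Ticket]:
    """Turn a klist -a listing into Ticket records with normalised addresses."""
    tickets: list[Ticket] = []
    for line in text.splitlines():
        m = _TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(service=m.group(3), valid_from=m.group(1),
                                  expires=m.group(2)))
            continue
        m = _ADDR_RE.match(line)
        if m and tickets:
            value = m.group(1).strip()
            if value and value != "(none)":
                for tok in re.split(r"[,\s]+", value):
                    # Strip the family tag (IPv4:/IPv6:) and keep the address.
                    tickets[-1].addresses.append(tok.split(":", 1)[-1]
                                                 if tok.startswith(("IPv4:", "IPv6:"))
                                                 else tok)
    return tickets


def address_less(tickets: list[Ticket]) -> list[str]:
    """Service principals whose ticket carries no address restriction."""
    return [t.service for t in tickets if not t.addresses]


def usable_from(ticket: Ticket, client_ip: str) -> bool:
    """Model the address check: address-less tickets work from anywhere,
    addressed tickets only from a listed address."""
    if not ticket.addresses:
        return True
    client = ip_address(client_ip)
    return any(ip_address(a) == client for a in ticket.addresses)


if __name__ == "__main__":
    parsed = parse_klist(SAMPLE_KLIST)
    for t in parsed:
        print(f"{t.service}: addresses={t.addresses or 'none (usable anywhere)'}")
    print("address-less tickets:", address_less(parsed))
```

To run it against a live cache instead of the constructed sample, feed the function the output of `klist -a` (`parse_klist(subprocess.run(["klist", "-a"], capture_output=True, text=True).stdout)`); a non-empty `address_less` result on a host where `noaddresses` was meant to be off is the condition Emil describes, and, as Nico notes, no client-side setting stops a client from asking for an address-less ticket in the first place.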