how to "ban" clients?
Greg Hudson
ghudson at MIT.EDU
Mon Aug 8 01:51:55 EDT 2011
On Wed, 2011-07-27 at 06:35 -0400, Chris Hecker wrote:
> Okay, I implemented this today.
We may add a feature like this at some point, in order to provide fast
revocation for high-value services. In order to get any solid security
guarantees, the service would need to set a short maximum lifetime, and
would need to force reauthentications upon ticket expiration.
I can't provide any timeline, though. Relative to your patch, we would
likely need to address:
* Precisely how the client lookup should be done (what flags,
basically). Canonicalization of the client principal should not
generally be needed since it will have been done during the AS request.
* Consideration of edge cases, such as when the client principal entry
has been deleted or renamed or deleted and recreated since the AS
request.
* Consideration of whether to extend the DAL interface's TGS
verification function to take the client DB entry as input when
available.
* A long-overdue refactoring of the TGS code path before additional
complexity is added to it.
* Documentation.
* Automated test cases.
More information about the Kerberos
mailing list