how to "ban" clients?

Chris Hecker checker@d6.com
Sun Jul 24 05:00:01 EDT 2011


More details from looking at the kdc code...it looks like 
validate_tgs_request in kdc_util.c only checks the server's attributes 
for KRB5_KDB_DISALLOW_ALL_TIX, while validate_as_request checks both 
client and server.  It seems like it'd be easy to add the client check 
to validate_tgs_request, but I'd also have to get the client db entry in 
do_tgs_req.

I must be missing something, though, since it seems like this would be 
something that's already supported...

Chris


On 2011/07/24 01:13, Chris Hecker wrote:
>
> I want to be able to disable client accounts when necessary, even if
> they currently have a live krbtgt. I understand I can't revoke live
> tickets, so any existing live sessions they have will still work until
> they expire, and I'm fine with that, but I don't want them to be able to
> get any more tickets to new services and users.
>
> I thought setting -allow_tix and -allow_tgs_req would do it, but I can
> still get new valid tickets for services from an account with those
> flags set.
>
> The krb5kdc.log knows who's asking for the ticket, and it prints out:
>
> Jul 24 02:45:55 blah.com krb5kdc[17432](info): TGS_REQ (4 etypes {18 17 16 23}) 1.1.1.1: ISSUE: authtime 1311493077, etypes {rep=18 tkt=18 ses=18}, a@BLAH.COM for b@BLAH.COM
>
> even though a@BLAH.COM has:
>
> Attributes: DISALLOW_TGT_BASED DISALLOW_ALL_TIX REQUIRES_PRE_AUTH
>
> There must be some way to do this? I totally get the aspect of not being
> able to revoke live tickets and sessions, and those having to expire,
> but getting new tickets seems like something that should be disable-able?
>
> The -allow_tgs_req entry on man kadmin seems like it would be what I
> want, since the log above says it's a TGS_REQ, but the entry says, "This
> option is useless for most things." so I'm obviously misunderstanding
> what it does. Yet -allow_tix only seems to prevent tickets from being
> issued _FOR_ the princ with it set, so b@BLAH.COM above, which I don't
> want to disable, since it's a service others will be using. I just want
> a@BLAH.COM to stop working.
>
> As a bonus, I'd like services to be able to check if a@BLAH.COM has an
> enabled account, and -allow_tix seems to work for that, since if the
> service tries to get a ticket for a@BLAH.COM it fails.
>
> What am I missing?
>
> Thanks,
> Chris
>
>
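The gap the thread describes (the AS path checks both principals, the TGS path checks only the service, so a client that was disabled after obtaining a TGT keeps getting service tickets until that TGT expires) can be modelled in a few lines of C. This is an added example written for this page; it is not code from the thread or from MIT krb5's kdc_util.c. The attribute bit values, the struct, and every function name here are constructed placeholders, not the definitions in krb5's kdb.h. The example reproduces the scenario from the quoted log: a@BLAH.COM carries DISALLOW_ALL_TIX and asks for a ticket to b@BLAH.COM, which stays enabled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed attribute bits for this model only. They are placeholders
 * chosen here and are not the values from krb5's kdb.h. */
#define MODEL_DISALLOW_TGT_BASED 0x01u
#define MODEL_DISALLOW_ALL_TIX   0x02u
#define MODEL_REQUIRES_PRE_AUTH  0x04u

/* Minimal stand-in for a KDC database entry (hypothetical type). */
struct model_db_entry {
    const char *name;
    uint32_t attributes;
};

/* AS_REQ path as described in the thread: both the client and the server
 * entry are consulted, so a client carrying DISALLOW_ALL_TIX cannot obtain
 * an initial TGT. */
bool model_as_req_allowed(const struct model_db_entry *client,
                          const struct model_db_entry *server)
{
    if (client->attributes & MODEL_DISALLOW_ALL_TIX)
        return false;
    if (server->attributes & MODEL_DISALLOW_ALL_TIX)
        return false;
    return true;
}

/* TGS_REQ path as the thread describes the observed behaviour: only the
 * requested service's attributes are checked. A client whose account was
 * disabled after it obtained a TGT therefore keeps receiving service tickets
 * until the TGT expires, which matches the ISSUE line in the quoted log. */
bool model_tgs_req_allowed_server_only(const struct model_db_entry *server)
{
    return (server->attributes & MODEL_DISALLOW_ALL_TIX) == 0;
}

/* The change the reply suggests: also fetch the client entry named in the
 * TGT during TGS processing and apply the same DISALLOW_ALL_TIX check. */
bool model_tgs_req_allowed_with_client(const struct model_db_entry *client,
                                       const struct model_db_entry *server)
{
    if (client->attributes & MODEL_DISALLOW_ALL_TIX)
        return false;
    return model_tgs_req_allowed_server_only(server);
}

/* Replays the quoted scenario. Returns true when the server-only check still
 * issues the service ticket while the client-aware check refuses it, i.e.
 * when the gap described in the thread is present in the model. */
bool model_disabled_client_gap_present(void)
{
    /* Constructed entries mirroring the attributes shown in the question. */
    const struct model_db_entry a = {
        "a@BLAH.COM",
        MODEL_DISALLOW_TGT_BASED | MODEL_DISALLOW_ALL_TIX | MODEL_REQUIRES_PRE_AUTH
    };
    const struct model_db_entry b = { "b@BLAH.COM", 0 };

    bool as_ok      = model_as_req_allowed(&a, &b);             /* refused */
    bool tgs_old_ok = model_tgs_req_allowed_server_only(&b);    /* issued  */
    bool tgs_new_ok = model_tgs_req_allowed_with_client(&a, &b); /* refused */

    printf("AS_REQ  %s -> %s\n", a.name, as_ok ? "ISSUE" : "refused");
    printf("TGS_REQ %s for %s (server-only check) -> %s\n",
           a.name, b.name, tgs_old_ok ? "ISSUE" : "refused");
    printf("TGS_REQ %s for %s (client check added) -> %s\n",
           a.name, b.name, tgs_new_ok ? "ISSUE" : "refused");

    return !as_ok && tgs_old_ok && !tgs_new_ok;
}

int main(void)
{
    return model_disabled_client_gap_present() ? 0 : 1;
}
```

Note that even with the client check in the TGS path, a service ticket the disabled client already holds remains valid until it expires; the KDC is only consulted when a new ticket is requested, which is the limit the thread already acknowledges.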


