how to "ban" clients?

Chris Hecker checker at d6.com
Sun Jul 24 05:19:21 EDT 2011


I seem to like replying to myself late at night while trying to figure 
this stuff out...

While I'm in the KDC code, I notice this related check in 
validate_tgs_request:

     /* Server must be allowed to be a service */
     if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR)) {
         *status = "SERVER NOT ALLOWED";
         return(KDC_ERR_MUST_USE_USER2USER);
     }

Do I want to set -allow_svr on all my clients, since I know they'll only 
ever be clients in a client<->server relationship, or u2u with another 
client?  Is there any reason to or not to set the flag?

Hmm, wait, if I set -allow_svr on b at BLAH.COM, then it fails even on a 
KRB5_GC_USER_USER krb5_get_credentials where b is the creds->server...

Hmm^2, this code is slightly different between 1.9.1 and 1.6.1, or at 
least the error return is different, so maybe this was fixed to work 
like I think it should after 1.6.1.  I need to build my own kdc on CentOS...

Chris



On 2011/07/24 02:00, Chris Hecker wrote:
>
> More details from looking at the kdc code...it looks like
> validate_tgs_request in kdc_util.c only checks the server's attributes
> for KRB5_KDB_DISALLOW_ALL_TIX, while validate_as_request checks both
> client and server. It seems like it'd be easy to add the client check to
> validate_tgs_request, but I'd also have to get the client db entry in
> do_tgs_req.
>
> I must be missing something, though, since it seems like this would be
> something that's already supported...
>
> Chris
>
>
> On 2011/07/24 01:13, Chris Hecker wrote:
>>
>> I want to be able to disable client accounts when necessary, even if
>> they currently have a live krbtgt. I understand I can't revoke live
>> tickets, so any existing live sessions they have will still work until
>> they expire, and I'm fine with that, but I don't want them to be able to
>> get any more tickets to new services and users.
>>
>> I thought setting -allow_tix and -allow_tgs_req would do it, but I can
>> still get new valid tickets for services from an account with those
>> flags set.
>>
>> The krb5kdc.log knows who's asking for the ticket, and it prints out:
>>
>> Jul 24 02:45:55 blah.com krb5kdc[17432](info): TGS_REQ (4 etypes {18 17
>> 16 23}) 1.1.1.1: ISSUE: authtime 1311493077, etypes {rep=18 tkt=18
>> ses=18}, a at BLAH.COM for b at BLAH.COM
>>
>> even though a at BLAH.COM has:
>>
>> Attributes: DISALLOW_TGT_BASED DISALLOW_ALL_TIX REQUIRES_PRE_AUTH
>>
>> There must be some way to do this? I totally get the aspect of not being
>> able to revoke live tickets and sessions, and those having to expire,
>> but getting new tickets seems like something that should be disable-able?
>>
>> The -allow_tgs_req entry on man kadmin seems like it would be what I
>> want, since the log above says it's a TGS_REQ, but the entry says, "This
>> option is useless for most things." so I'm obviously misunderstanding
>> what it does. Yet -allow_tix only seems to prevent tickets from being
>> issued _FOR_ the princ with it set, so b at BLAH.COM above, which I don't
>> want to disable, since it's a service others will be using. I just want
>> a at BLAH.COM to stop working.
>>
>> As a bonus, I'd like services to be able to check if a at BLAH.COM has an
>> enabled account, and -allow_tix seems to work for that, since if the
>> service tries to get a ticket for a at BLAH.COM it fails.
>>
>> What am I missing?
>>
>> Thanks,
>> Chris
>>
>>
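The checks Chris is reading through, modeled in C as an added example (this is not code from the thread or from MIT krb5; the struct, the function names, the scenario helpers and the attribute bit values are constructed for the model, while the KDC error codes are the RFC 4120 ones). The model mirrors what the thread describes: validate_as_request looks at both the client's and the server's DISALLOW_ALL_TIX bit, validate_tgs_request looks only at the server's bits, and a `with_client_check` switch models the extra client check the poster proposes adding to the TGS path. The point for an administrator is visible in the return values: with the unpatched TGS check, a at BLAH.COM still gets a ticket for b at BLAH.COM despite DISALLOW_ALL_TIX, which is exactly the ISSUE line in the quoted krb5kdc.log.

```c
/* Model of the KDC attribute checks discussed above. Added example; not
 * krb5 source. Flag bit values are constructed (real ones live in kdb.h). */
#include <stdint.h>
#include <stdio.h>

#define KDB_DISALLOW_ALL_TIX   0x01u   /* -allow_tix  */
#define KDB_DISALLOW_SVR       0x02u   /* -allow_svr  */
#define KDB_DISALLOW_TGT_BASED 0x04u   /* -allow_tgs_req */

/* KDC error codes, RFC 4120 section 7.5.9. */
#define KDC_ERR_CLIENT_REVOKED     18
#define KDC_ERR_SERVICE_REVOKED    19
#define KDC_ERR_MUST_USE_USER2USER 27

#define isflagset(attrs, flag) (((attrs) & (flag)) != 0)

typedef struct {
    const char *name;
    uint32_t attributes;   /* same bit-set style as a KDB entry's attributes */
} principal_entry;

/* validate_as_request as the thread describes it: both sides are checked. */
int model_validate_as(const principal_entry *client,
                      const principal_entry *server, const char **status)
{
    if (isflagset(client->attributes, KDB_DISALLOW_ALL_TIX)) {
        *status = "CLIENT LOCKED OUT";
        return KDC_ERR_CLIENT_REVOKED;
    }
    if (isflagset(server->attributes, KDB_DISALLOW_ALL_TIX)) {
        *status = "SERVICE LOCKED OUT";
        return KDC_ERR_SERVICE_REVOKED;
    }
    *status = "ISSUE";
    return 0;
}

/* validate_tgs_request as the thread describes it: only the server entry is
 * consulted. with_client_check != 0 models the proposed extra client check. */
int model_validate_tgs(const principal_entry *client,
                       const principal_entry *server, int with_client_check,
                       const char **status)
{
    if (with_client_check &&
        isflagset(client->attributes, KDB_DISALLOW_ALL_TIX)) {
        *status = "CLIENT LOCKED OUT";
        return KDC_ERR_CLIENT_REVOKED;
    }
    if (isflagset(server->attributes, KDB_DISALLOW_ALL_TIX)) {
        *status = "SERVICE LOCKED OUT";
        return KDC_ERR_SERVICE_REVOKED;
    }
    /* The check quoted from validate_tgs_request in the thread. */
    if (isflagset(server->attributes, KDB_DISALLOW_SVR)) {
        *status = "SERVER NOT ALLOWED";
        return KDC_ERR_MUST_USE_USER2USER;
    }
    *status = "ISSUE";
    return 0;
}

/* Constructed entries matching the thread: a@BLAH.COM is the account being
 * disabled, b@BLAH.COM is the service it should no longer be able to reach. */
static const principal_entry client_a  = {"a@BLAH.COM",
                                          KDB_DISALLOW_ALL_TIX | KDB_DISALLOW_TGT_BASED};
static const principal_entry service_b = {"b@BLAH.COM", 0};
static const principal_entry service_b_nosvr = {"b@BLAH.COM", KDB_DISALLOW_SVR};

/* AS-REQ from the disabled client: rejected. */
int disabled_client_as_req(void)
{
    const char *s;
    return model_validate_as(&client_a, &service_b, &s);
}

/* TGS-REQ from the disabled client holding a still-valid TGT. Unpatched
 * model (0): issued, as in the quoted log. With the client check (1): rejected. */
int disabled_client_tgs_req(int with_client_check)
{
    const char *s;
    return model_validate_tgs(&client_a, &service_b, with_client_check, &s);
}

/* TGS-REQ naming a principal that has -allow_svr set: refused outright. */
int tgs_req_to_nosvr_service(void)
{
    const char *s;
    return model_validate_tgs(&client_a, &service_b_nosvr, 0, &s);
}

int main(void)
{
    printf("AS-REQ  a->b, a disabled           : %d\n", disabled_client_as_req());
    printf("TGS-REQ a->b, a disabled, unpatched: %d\n", disabled_client_tgs_req(0));
    printf("TGS-REQ a->b, a disabled, patched  : %d\n", disabled_client_tgs_req(1));
    printf("TGS-REQ a->b, b has -allow_svr     : %d\n", tgs_req_to_nosvr_service());
    return 0;
}
```

Reading the return values: 0 is ISSUE, 18 is KDC_ERR_CLIENT_REVOKED, 27 is KDC_ERR_MUST_USE_USER2USER. The second line is the behaviour the thread complains about; the third is what the proposed client check in validate_tgs_request would produce.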