how to "ban" clients?

Greg Hudson ghudson at MIT.EDU
Sun Jul 24 17:02:17 EDT 2011


On Sun, 2011-07-24 at 05:00 -0400, Chris Hecker wrote:
> More details from looking at the kdc code...it looks like 
> validate_tgs_request in kdc_util.c only checks the server's attributes 
> for KRB5_KDB_DISALLOW_ALL_TIX, while validate_as_request checks both 
> client and server.  It seems like it'd be easy to add the client check 
> to validate_tgs_request, but I'd also have to get the client db entry in 
> do_tgs_req.

For performance reasons and because of cross-realm authentication, we
don't look up the client principal for TGS requests.  That does mean
it's impossible to deny TGS requests based on updated database state for
the client.

You could modify the KDC code locally to do this if you need it.  I
don't have any other clever ideas for doing what you want.

As for -allow_svr, I think you would want to set that on your user
principals (earlier I suggested -allow_tgs_req, but that's the wrong
flag, since it wouldn't prevent someone from making an AS req to another
user principal and performing an offline dictionary attack).  However, I
think you're right that it would conflict with user-to-user
authentication to that principal.  In 1.7 we changed the error return
for that case to KDC_ERR_MUST_USE_USER2USER, but I haven't been able to
find code that allows user-to-user requests to such principals.






More information about the Kerberos mailing list