how to "ban" clients?

Greg Hudson ghudson at MIT.EDU
Mon Jul 25 11:37:22 EDT 2011


On Sun, 2011-07-24 at 17:30 -0400, Nico Williams wrote:
> For performance reasons?  It's been like this forever, so there may not be
> a performance reason anymore.  IMO this should be fixed.

I think performance is still an issue.  We definitely still get feedback
about the number of LDAP queries per KDC operation, and TGS requests are
more frequent than AS requests.  (At least, they should be.  It depends
on how often the KDC is used purely as a password verifier.)

We could add a configuration knob, but I'm still trying to justify the
increased complexity to myself.  Preventing a disabled account from
making new TGS requests with a valid TGT seems like closing the barn
door after the horse has escaped, as you have no control over the
service tickets the client already obtained before it was disabled.
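
A small model of the trade-off discussed above, added here as an illustration and not code from MIT Kerberos: it assumes a 10-hour TGT lifetime, a 1-hour service ticket lifetime and a hypothetical `check_client_on_tgs` knob, and measures how long a disabled client can still reach a service under each policy, and what that costs in directory lookups.

```python
from dataclasses import dataclass, field


@dataclass
class Ticket:
    client: str
    service: str   # "krbtgt" marks a TGT
    expires: int   # absolute time in seconds on a constructed clock


@dataclass
class Kdc:
    disabled: set = field(default_factory=set)
    tgt_life: int = 10 * 3600          # assumed max TGT lifetime
    svc_life: int = 1 * 3600           # assumed max service ticket lifetime
    check_client_on_tgs: bool = False  # hypothetical knob from the thread
    db_lookups: int = 0                # client principal lookups (the LDAP cost)

    def as_req(self, client, now):
        self.db_lookups += 1           # AS always fetches the client entry
        if client in self.disabled:
            raise PermissionError("client disabled")
        return Ticket(client, "krbtgt", now + self.tgt_life)

    def tgs_req(self, tgt, service, now):
        if now >= tgt.expires:
            raise PermissionError("TGT expired")
        if self.check_client_on_tgs:   # optional extra lookup per TGS request
            self.db_lookups += 1
            if tgt.client in self.disabled:
                raise PermissionError("client disabled")
        return Ticket(tgt.client, service, min(now + self.svc_life, tgt.expires))


def residual_access(check_on_tgs, t_disable=2 * 3600):
    """Seconds of service access left after the account is disabled, plus lookups made.
    Assumes the client got its TGT at t=0 and a service ticket just before disabling."""
    kdc = Kdc(check_client_on_tgs=check_on_tgs)
    tgt = kdc.as_req("alice", 0)
    st = kdc.tgs_req(tgt, "host/fs", t_disable - 1)
    kdc.disabled.add("alice")
    try:
        kdc.tgs_req(tgt, "host/fs", t_disable)
        latest = tgt.expires           # can keep minting tickets until the TGT dies
    except PermissionError:
        latest = st.expires            # only tickets already in hand remain usable
    return latest - t_disable, kdc.db_lookups
```

With the knob off the window is the rest of the TGT lifetime; with it on, the window shrinks to the remaining life of tickets already issued, at the price of one extra lookup per TGS request.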
