how to "ban" clients?
Chris Hecker
checker at d6.com
Mon Jul 25 15:37:10 EDT 2011
> We could add a configuration knob, but I'm still trying to justify
> the increased complexity to myself. Preventing a disabled account
> from making new TGS requests with a valid TGT seems like closing the
> barn door after the horse has escaped, as you have no control over
> the service tickets the client already obtained before it was
> disabled.
A better analogy: the current thing is like you identified the horse
thief at noon, but you decided to leave the barn open and unlocked until
sunset, even though he's sitting outside idling in a truck that already
has a couple of your horses in it, but has room for more.
I just want to lock the barn now, and I'm willing to walk out there to
do that.
Or something like that. :) Uh, that last sentence was to address the
performance implications. I need to figure out the metaphorical
expression of the profile bool. Maybe you ask the wife if it's okay to
stop doing dishes and walk out and lock the barn... Then, clearly, the
metaphor is lacking the cross-realm issue...maybe there's a dude taking
your horses but he was referred to you by your friend from the farm down
the road, and you keep trusting him based on that recommendation until
sunset when you have drinks at the bar with your friend.
Okay, stopping now,
Chris
On 2011/07/25 08:37, Greg Hudson wrote:
> On Sun, 2011-07-24 at 17:30 -0400, Nico Williams wrote:
>> For performance reasons? It's been like this forever, so there may not be
>> a performance reason anymore. IMO this should be fixed.
>
> I think performance is still an issue. We definitely still get feedback
> about the number of LDAP queries per KDC operation, and TGS requests are
> more frequent than AS requests. (At least, they should be. It depends
> on how often the KDC is used purely as a password verifier.)
>
> We could add a configuration knob, but I'm still trying to justify the
> increased complexity to myself. Preventing a disabled account from
> making new TGS requests with a valid TGT seems like closing the barn
> door after the horse has escaped, as you have no control over the
> service tickets the client already obtained before it was disabled.
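The trade-off argued above, as an added illustration that is not MIT krb5 code and is not from anyone in this thread: a small Python model of a KDC with and without the hypothetical knob. The option name check_client_on_tgs, the realms A and B, the principal names, the "sunset" lifetime and the database-lookup counter are all assumptions made up for the example. It shows the three points under discussion: with the knob off a disabled client keeps getting service tickets from its valid TGT, with the knob on it is stopped at the next TGS request at the cost of one extra lookup per request, and in either case the service tickets obtained before the account was disabled stay valid, as does a cross-realm TGT issued by the other realm.

```python
"""Toy model of the KDC behaviour argued over in this thread.

Added illustration only: this is not MIT krb5 code.  The knob name
``check_client_on_tgs``, the realms A and B, the principal names and the
lifetimes are assumptions made up for the example; times are seconds.
"""
from dataclasses import dataclass, field

NOON, TWO_PM, SUNSET = 12 * 3600, 14 * 3600, 20 * 3600


@dataclass
class Ticket:
    client: str   # e.g. "alice@A"
    service: str  # "krbtgt/A@A" is A's own TGT; "krbtgt/A@B" is a cross-realm TGT issued by B
    expires: int


@dataclass
class KDC:
    realm: str
    # Hypothetical knob.  False models the behaviour the thread describes:
    # a TGS request trusts the TGT and never re-reads the client's entry.
    check_client_on_tgs: bool = False
    disabled: set = field(default_factory=set)
    db_lookups: int = 0          # the extra database traffic the knob costs
    max_life: int = SUNSET - NOON

    def _client_enabled(self, client: str) -> bool:
        self.db_lookups += 1     # one LDAP/DB query per call
        return client not in self.disabled

    def as_req(self, client: str, now: int) -> Ticket:
        """AS exchange: the client's entry is always consulted."""
        if not self._client_enabled(client):
            raise PermissionError("client disabled")
        return Ticket(client, f"krbtgt/{self.realm}@{self.realm}", now + self.max_life)

    def tgs_req(self, tgt: Ticket, service: str, now: int) -> Ticket:
        """TGS exchange: a valid TGT is proof enough unless the knob is on."""
        if not tgt.service.startswith(f"krbtgt/{self.realm}@") or tgt.expires <= now:
            raise PermissionError("TGT expired or not for this realm")
        client_realm = tgt.client.rsplit("@", 1)[1]
        # A foreign client has no entry in this database, so even with the
        # knob on the only thing to check is the other realm's TGT itself.
        if self.check_client_on_tgs and client_realm == self.realm:
            if not self._client_enabled(tgt.client):
                raise PermissionError("client disabled")
        # A service ticket's end time never exceeds the TGT's end time.
        return Ticket(tgt.client, service, min(now + self.max_life, tgt.expires))


def horse_thief(check_client_on_tgs: bool) -> dict:
    """Noon: alice gets a TGT and one service ticket (a horse already in
    the truck).  Later she is disabled.  2pm: she presents the TGT again."""
    kdc = KDC("A", check_client_on_tgs=check_client_on_tgs)
    tgt = kdc.as_req("alice@A", NOON)
    earlier = kdc.tgs_req(tgt, "host/db@A", NOON)
    kdc.disabled.add("alice@A")
    try:
        kdc.tgs_req(tgt, "host/files@A", TWO_PM)
        new_ticket_issued = True
    except PermissionError:
        new_ticket_issued = False
    return {
        "new_ticket_issued": new_ticket_issued,
        "earlier_ticket_still_valid": earlier.expires > TWO_PM,
        "db_lookups": kdc.db_lookups,
    }


def cross_realm_gap() -> dict:
    """bob@B gets a cross-realm TGT for A from his own KDC, then is
    disabled in B.  A's KDC has the knob on but cannot see B's database."""
    a = KDC("A", check_client_on_tgs=True)
    b = KDC("B", check_client_on_tgs=True)
    bob_tgt = b.as_req("bob@B", NOON)
    xrealm_tgt = b.tgs_req(bob_tgt, "krbtgt/A@B", NOON)
    b.disabled.add("bob@B")
    result = {}
    for label, when in (("before_sunset", TWO_PM), ("after_sunset", SUNSET)):
        try:
            a.tgs_req(xrealm_tgt, "host/web@A", when)
            result[label] = True
        except PermissionError:
            result[label] = False
    return result


if __name__ == "__main__":
    print("knob off:", horse_thief(False))
    print("knob on: ", horse_thief(True))
    print("cross-realm:", cross_realm_gap())
```

The lookup counter is the part worth watching: the knob turns every TGS request into a client-entry read, which is exactly the extra per-operation database traffic the quoted reply worries about, and it buys nothing for the service tickets already issued or for a client whose entry lives in another realm's database.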