how to "ban" clients?

Chris Hecker checker at d6.com
Mon Jul 25 15:37:10 EDT 2011


> We could add a configuration knob, but I'm still trying to justify
> the increased complexity to myself. Preventing a disabled account
> from making new TGS requests with a valid TGT seems like closing the
> barn door after the horse has escaped, as you have no control over
> the service tickets the client already obtained before it was
> disabled.

A better analogy:  the current thing is like you identified the horse 
thief at noon, but you decided to leave the barn open and unlocked until 
sunset, even though he's sitting outside idling in a truck that already 
has a couple of your horses in it, but has room for more.

I just want to lock the barn now, and I'm willing to walk out there to 
do that.

Or something like that.  :)  Uh, that last sentence was to address the 
performance implications.  I need to figure out the metaphorical 
expression of the profile bool.  Maybe you ask the wife if it's okay to 
stop doing dishes and walk out and lock the barn...  Then, clearly, the 
metaphor is lacking the cross-realm issue...maybe there's a dude taking 
your horses but he was referred to you by your friend from the farm down 
the road, and you keep trusting him based on that recommendation until 
sunset when you have drinks at the bar with your friend.

Okay, stopping now,
Chris



On 2011/07/25 08:37, Greg Hudson wrote:
> On Sun, 2011-07-24 at 17:30 -0400, Nico Williams wrote:
>> For performance reasons?  It's like this forever, so there may not be
>> a performance reason anymore.  IMO this should be fixed.
>
> I think performance is still an issue.  We definitely still get feedback
> about the number of LDAP queries per KDC operation, and TGS requests are
> more frequent than AS requests.  (At least, they should be.  It depends
> on how often the KDC is used purely as a password verifier.)
>
> We could add a configuration knob, but I'm still trying to justify the
> increased complexity to myself.  Preventing a disabled account from
> making new TGS requests with a valid TGT seems like closing the barn
> door after the horse has escaped, as you have no control over the
> service tickets the client already obtained before it was disabled.
>
