Request for help: How do I get tickets to these workstations?

[Russ Allbery]

Oliver Loch <o.loch at gmx.net> writes:

> But you could also put a "KDC-Slave" server to the public that can only
> hand out tickets and is only able to serve the things you send to it via
> kprop.

Unfortunately, you probably have to send the krbtgt key to have the slave
be useful for default clients, at which point I think you may as well send
everything.

If you wanted to get really fancy, I suppose you could put together a
restricted kprop that re-encrypted the keys in a separate master key and
only sent a selected portion of the database, and then require external
users to get tickets specifically for the host/* service for your bastion
host rather than TGTs so that you didn't have to propagate the krbtgt key.
I don't know if anyone has ever done something like that.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>