Limit kinit by client address?

Wang Jian larkwang at gmail.com
Wed Apr 19 08:10:30 EDT 2017


I used to think that I could limit kinit by client address for a certain
principal, using a preauth plugin. The plugin could check the client
address against one of the principal's string attributes, such as
"allowfrom", preventing keytab theft in an automation environment.
That's just an idea that I didn't implement.  I know that kinit can
limit a TGT's addresses, which can prevent TGT theft to some extent.

Now, we do have such a demand. But when I started to implement it, I found
that there is no way the client address can be retrieved from the context
parameters in a plugin.

Is the idea realizable? Am I missing something, or is my assumption basically wrong?


Regards,

Wang Jian
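Added illustration (not code from the message, from a reply, or from MIT krb5): the policy half of the "allowfrom" idea above, written in Python rather than as a C kdcpreauth module. It parses a principal's "allowfrom" string attribute as a comma-separated list of addresses and CIDR networks and decides whether an AS-REQ from a given client address should be accepted. The KDC-side retrieval of the client address is exactly the piece the message says is unavailable, so here the address is simply passed in as a parameter; the attribute name, its syntax, the sample principals and the fail-closed handling of malformed entries are all assumptions made for the example.

```python
"""Policy logic for an "allowfrom" per-principal address restriction.

Not an MIT krb5 preauth plugin: the client address is taken as an input,
because obtaining it inside a plugin is the open question in the message.
Attribute name, value syntax and sample data are assumptions."""
import ipaddress

ATTR_NAME = "allowfrom"   # assumed string-attribute name, as in the message


def parse_allowfrom(value):
    """Parse a comma/space separated list of IPs and CIDR networks.

    Raises ValueError on any malformed entry so the caller can fail closed
    instead of silently widening the allow list."""
    nets = []
    for tok in value.replace(",", " ").split():
        # strict=False accepts "10.1.2.3/24" as the enclosing /24
        nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def normalize_client(addr):
    """Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so an IPv4 allow list still
    matches a client that arrived over a dual-stack socket."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def client_allowed(attr_value, client_addr):
    """Decision for one AS-REQ.

    - attr_value is None: principal carries no restriction -> allowed.
    - attr_value present but unparseable (or client_addr malformed) -> denied.
    - attribute set but empty -> denied (nothing is listed).
    - otherwise allowed iff client_addr is inside one listed network."""
    if attr_value is None:
        return True
    try:
        nets = parse_allowfrom(attr_value)
        ip = normalize_client(client_addr)
    except ValueError:
        return False   # fail closed on bad data
    if not nets:
        return False
    return any(ip in n for n in nets if n.version == ip.version)


# Constructed sample: principal -> value of its "allowfrom" attribute (or None)
SAMPLE_DB = {
    "svc/backup@EXAMPLE.COM": "10.20.0.0/16, 192.0.2.10",
    "svc/deploy@EXAMPLE.COM": "2001:db8:1::/48",
    "alice@EXAMPLE.COM": None,
    "svc/broken@EXAMPLE.COM": "10.20.0.0/16, not-an-address",
}


def check_request(principal, client_addr, db=SAMPLE_DB):
    """Look up the principal's attribute in the sample DB and evaluate."""
    return client_allowed(db.get(principal), client_addr)


if __name__ == "__main__":
    for princ, addr in [("svc/backup@EXAMPLE.COM", "10.20.5.7"),
                        ("svc/backup@EXAMPLE.COM", "198.51.100.1"),
                        ("svc/backup@EXAMPLE.COM", "::ffff:192.0.2.10"),
                        ("alice@EXAMPLE.COM", "203.0.113.9"),
                        ("svc/broken@EXAMPLE.COM", "10.20.5.7")]:
        verdict = "ALLOW" if check_request(princ, addr) else "DENY"
        print(f"{princ:28} from {addr:20} -> {verdict}")
```

The deliberate choice here is to deny when the attribute exists but cannot be parsed, and to allow only when the principal has no attribute at all; an attribute that is present but empty denies everything, which is the safer reading of "listed addresses only". Whatever supplies the client address in a real KDC would also need to be the address the KDC actually saw on the socket, not anything taken from the request body, since the latter is under the requester's control.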

