Limit kinit by client address?

Greg Hudson ghudson at
Wed Apr 19 14:09:24 EDT 2017

On 04/19/2017 08:10 AM, Wang Jian wrote:
> I used to think that I can limit kinit by client address for certain
> principal, using a preauth plugin. [...]

> Now, we do have such demand. But when I start to implement it, I find
> that in no way client address can be retrieved from context paramters
> in plugin.

I think that's true.  We could add a callback to retrieve the client
address.  But more importantly, you can't write a kdcpreauth plugin
module so that it gets consulted independently of the client trying to
use a specific preauthentication mechanism over the wire.

We do have a wishlist item of implementing a pluggable KDC policy
interface (independent of the KDB module, which already gets to make
policy decisions).  If we did that, and made the client address
available through that interface, a policy plugin module could make this

More information about the Kerberos mailing list