Limit kinit by client address?
Greg Hudson
ghudson at mit.edu
Wed Apr 19 14:09:24 EDT 2017
On 04/19/2017 08:10 AM, Wang Jian wrote:
> I used to think that I can limit kinit by client address for certain
> principal, using a preauth plugin. [...]
> Now, we do have such demand. But when I start to implement it, I find
> that there is no way the client address can be retrieved from the context
> parameters in the plugin.
I think that's true. We could add a callback to retrieve the client
address. But more importantly, you can't write a kdcpreauth plugin
module so that it gets consulted independently of the client trying to
use a specific preauthentication mechanism over the wire.
We do have a wishlist item of implementing a pluggable KDC policy
interface (independent of the KDB module, which already gets to make
policy decisions). If we did that, and made the client address
available through that interface, a policy plugin module could make this
decision.