Limit kinit by client address?

Wang Jian larkwang at
Thu Apr 20 07:01:35 EDT 2017

2017-04-20 2:09 GMT+08:00 Greg Hudson <ghudson at>:
> On 04/19/2017 08:10 AM, Wang Jian wrote:
>> I used to think that I can limit kinit by client address for certain
>> principal, using a preauth plugin. [...]
>> Now, we do have such demand. But when I start to implement it, I find
>> that in no way client address can be retrieved from context paramters
>> in plugin.
> I think that's true.  We could add a callback to retrieve the client
> address.  But more importantly, you can't write a kdcpreauth plugin
> module so that it gets consulted independently of the client trying to
> use a specific preauthentication mechanism over the wire.

No catch all? For example

static krb5_preauthtype nacl_pa_types[] = { KRB5_PADATA_AP_REQ, 0 };

Of course, semantically, preauth isn't the best hook point.

> We do have a wishlist item of implementing a pluggable KDC policy
> interface (independent of the KDB module, which already gets to make
> policy decisions).  If we did that, and made the client address
> available through that interface, a policy plugin module could make this
> decision.

That's great. The question is, when it will be implemented?

More information about the Kerberos mailing list