Limit kinit by client address?
Wang Jian
larkwang at gmail.com
Thu Apr 20 07:01:35 EDT 2017
2017-04-20 2:09 GMT+08:00 Greg Hudson <ghudson at mit.edu>:
> On 04/19/2017 08:10 AM, Wang Jian wrote:
>> I used to think that I can limit kinit by client address for certain
>> principal, using a preauth plugin. [...]
>
>> Now, we do have such demand. But when I start to implement it, I find
>> that in no way client address can be retrieved from context paramters
>> in plugin.
>
> I think that's true. We could add a callback to retrieve the client
> address. But more importantly, you can't write a kdcpreauth plugin
> module so that it gets consulted independently of the client trying to
> use a specific preauthentication mechanism over the wire.
No catch all? For example
static krb5_preauthtype nacl_pa_types[] = { KRB5_PADATA_AP_REQ, 0 };
Of course, semantically, preauth isn't the best hook point.
> We do have a wishlist item of implementing a pluggable KDC policy
> interface (independent of the KDB module, which already gets to make
> policy decisions). If we did that, and made the client address
> available through that interface, a policy plugin module could make this
> decision.
That's great. The question is, when it will be implemented?
More information about the Kerberos
mailing list