-allow_tgs_req

Russ Allbery eagle at eyrie.org
Mon Jan 8 23:28:16 EST 2018


Chris Hecker <checker at d6.com> writes:

> Ah, I assumed that was symmetric for some reason.  I obviously need to
> be able to get tickets for these services.  Not sure why I thought that.
> I'll check it out, thanks!

It is symmetric, yeah, so it has the problem that you're assuming it has.
I don't think there's a way to disable exactly the bit that you want.
There's -allow_svr, which prevents issuing service tickets for the
principal, and -allow_tix, which prevents issuing any tickets at all, but
I don't think there's a flag to keep from allowing that principal to
authenticate and get a TGT.

Maybe -pwexpire in the past would do what you want?  I'm not sure how that
interacts with service tickets.

Note, however, that if your keytab is compromised, the attacker can issue
arbitrary service tickets for your service in any identity they choose, so
I'm not sure you would want to leave service tickets enabled in that
situation.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>

