Extensible kadm5 policies
Roland C. Dowdeswell
elric at imrryr.org
Tue Nov 1 14:45:47 EDT 2011
On Tue, Nov 01, 2011 at 10:03:19AM -0700, Russ Allbery wrote:
> I would love to be able to set some principal flags via a policy as well.
> Things like disallow-forwardable and disallow-proxiable, for example, for
> root instance principals.
I agree with this. Another flag that would be quite nice to put
into policies would be -allow_srv which should be set on all
principals which have passwds to prevent dictionary attacks against
vended service tickets.
Roland Dowdeswell http://Imrryr.ORG/~elric/