On Sun, 2011-07-24 at 05:00 -0400, Chris Hecker wrote:
> More details from looking at the kdc code...it looks like
> validate_tgs_request in kdc_util.c only checks the server's attributes
> for KRB5_KDB_DISALLOW_ALL_TIX, while validate_as_request checks both
> client and server. It seems like it'd be easy to add the client check
> to validate_tgs_request, but I'd also have to get the client db entry in
> do_tgs_req.
For performance reasons and because of cross-realm authentication, we don't look up the client principal for TGS requests. That does mean it's impossible to deny TGS requests based on updated database state for the client. You could modify the KDC code locally to do this if you need it. I don't have any other clever ideas for doing what you want.

As for -allow_svr, I think you would want to set that on your user principals (earlier I suggested -allow_tgs_req, but that's the wrong flag, since it wouldn't prevent someone from making an AS req to another user principal and performing an offline dictionary attack). However, I think you're right that it would conflict with user-to-user authentication to that principal. In 1.7 we changed the error return for that case to KDC_ERR_MUST_USE_USER2USER, but I haven't been able to find code that allows user-to-user requests to such principals.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
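The two behaviours discussed in this exchange, as an added illustration that is not part of the thread and not MIT krb5 code: a deliberately simplified Python model of the attribute checks in validate_as_request and validate_tgs_request. The attribute bit values and the "LOCKED OUT"/"NOT ALLOWED" status strings are assumptions modelled on kdb.h and kdc_util.c; the KDC error numbers are the RFC 4120 values. The PrincipalEntry class, the scenario functions and the sample principals are constructed for this example. The first scenario shows why setting DISALLOW_ALL_TIX on a user principal stops new AS requests but cannot revoke an already-issued TGT, since the TGS path never consults the client's database entry; the second shows why DISALLOW_SVR on user principals blocks the AS-REQ-to-another-user dictionary-attack vector and, with the same check, legitimate user-to-user requests to that principal.

```python
"""Simplified model of KDC attribute checks (not MIT krb5 code)."""
from dataclasses import dataclass

# Principal attribute bits, named after MIT krb5's kdb.h flags.
# The numeric values are assumptions; only the names matter for the model.
KRB5_KDB_DISALLOW_ALL_TIX = 0x00000040   # kadmin: -allow_tix
KRB5_KDB_DISALLOW_SVR = 0x00001000       # kadmin: -allow_svr

# KDC error codes from RFC 4120 section 7.5.9.
KDC_ERR_CLIENT_REVOKED = 18
KDC_ERR_SERVICE_REVOKED = 19
KDC_ERR_MUST_USE_USER2USER = 27


@dataclass
class PrincipalEntry:
    """A database entry as the KDC sees it (constructed for this model)."""
    name: str
    attributes: int = 0


def validate_as_request(client: PrincipalEntry, server: PrincipalEntry):
    """AS-REQ path: both the client and the server entry are looked up,
    so lockout state on either principal is honoured."""
    if client.attributes & KRB5_KDB_DISALLOW_ALL_TIX:
        return KDC_ERR_CLIENT_REVOKED, "CLIENT LOCKED OUT"
    if server.attributes & KRB5_KDB_DISALLOW_ALL_TIX:
        return KDC_ERR_SERVICE_REVOKED, "SERVICE LOCKED OUT"
    if server.attributes & KRB5_KDB_DISALLOW_SVR:
        # Refuses a ticket *for* this principal as a service; the error
        # tells the client to use user-to-user authentication instead.
        return KDC_ERR_MUST_USE_USER2USER, "SERVER NOT ALLOWED"
    return 0, "OK"


def validate_tgs_request(server: PrincipalEntry):
    """TGS-REQ path: the client identity is taken from the presented TGT
    and its database entry is not looked up (performance, cross-realm),
    so only the server's attributes can be checked here."""
    if server.attributes & KRB5_KDB_DISALLOW_ALL_TIX:
        return KDC_ERR_SERVICE_REVOKED, "SERVICE LOCKED OUT"
    if server.attributes & KRB5_KDB_DISALLOW_SVR:
        return KDC_ERR_MUST_USE_USER2USER, "SERVER NOT ALLOWED"
    return 0, "OK"


def lockout_after_tgt_scenario():
    """alice obtains a TGT, is then locked out with -allow_tix, and
    still gets service tickets with her existing TGT."""
    alice = PrincipalEntry("alice@EXAMPLE.COM")
    krbtgt = PrincipalEntry("krbtgt/EXAMPLE.COM@EXAMPLE.COM")
    host = PrincipalEntry("host/www.example.com@EXAMPLE.COM")

    as_before, _ = validate_as_request(alice, krbtgt)        # TGT issued
    alice.attributes |= KRB5_KDB_DISALLOW_ALL_TIX            # admin locks alice
    as_after, _ = validate_as_request(alice, krbtgt)         # new AS-REQ refused
    tgs_after, _ = validate_tgs_request(host)                # TGT still works
    return as_before, as_after, tgs_after


def allow_svr_scenario():
    """-allow_svr on user principals: an AS-REQ naming bob as the *server*
    (the offline dictionary-attack vector) is refused, but so is a
    user-to-user TGS-REQ that legitimately targets bob."""
    attacker = PrincipalEntry("mallory@EXAMPLE.COM")
    bob = PrincipalEntry("bob@EXAMPLE.COM", KRB5_KDB_DISALLOW_SVR)

    as_to_user, _ = validate_as_request(attacker, bob)       # dictionary attack blocked
    user2user, _ = validate_tgs_request(bob)                 # u2u to bob also blocked
    return as_to_user, user2user


if __name__ == "__main__":
    print("lockout scenario (AS before, AS after, TGS after):",
          lockout_after_tgt_scenario())
    print("allow_svr scenario (AS naming user, u2u TGS):",
          allow_svr_scenario())
```

The practical consequence of the first scenario is the one the reply states: a lockout takes effect for new initial authentications immediately, but existing TGTs keep working until they expire, so a short ticket lifetime is the lever an administrator actually has.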