On Tue, Oct 11, 2011 at 1:07 PM, Mike Spinzer <mspin...@yahoo.com> wrote:
> Thanks a lot for all your answers. Trying to limit the attack on the server
> itself seems to me difficult since by definition we consider that the server
> is owned by the attacker.
> I was wondering if it would not be possible to instead put some restrictions
> on the ticket itself. For instance by including the IP address where it's
> valid.

IP addresses in tickets don't really buy you anything, as it may not be
difficult to forge a source IP address in your environment. Better to not
forward credentials. Credential forwarding is a bad habit.

> More generally, is there any way to include some roles into a ticket, for
> instance to indicate that it can be used to authenticate locally with ksu but
> not to open a remote SSH to another server?

The only currently available constrained ticket facility that we have
is S4U2Proxy, really.

I'd be interested in a "GSS agent" extension to the ssh-agent, so that
all server-side uses of the GSS initiator credential are proxied back
to the client. But you can't expect the user to approve of every
use... at best the user could have some rules to apply to credential
uses.

In any case, in your use case the solution is to have all connections
emanate from the same client, as opposed to chaining across one or
more servers.

Nico
--
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
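
The closing advice in the reply above (do not forward credentials; have every connection originate from the client) expressed as an OpenSSH client configuration. This is an added example, not part of the original message; the host names are placeholders, and it assumes an OpenSSH client built with GSSAPI support and ProxyJump (OpenSSH 7.3 or later).

```sshconfig
# ~/.ssh/config on the user's workstation.
# Host names below are hypothetical placeholders.

# Pattern to avoid (shown commented out): delegate the TGT to the first
# server, then run ssh again from there. The forwarded TGT sits in a
# credential cache on jump.example.com, where anyone who controls that
# server can use it until it expires.
#
# Host jump.example.com
#     GSSAPIDelegateCredentials yes

# Preferred: the inner server is reached *through* the jump host, but the
# SSH handshake and the Kerberos authentication to app.example.com are
# performed by the client itself over the tunnel. The jump host only
# relays bytes and never holds a ticket.
Host app.example.com
    ProxyJump jump.example.com

# Defaults for every host (ssh_config uses the first value it finds for a
# keyword, so the catch-all block goes last): authenticate with Kerberos,
# never hand over the TGT.
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
```

`ssh -G app.example.com` prints the effective settings for a host, which is a quick way to confirm that `gssapidelegatecredentials` resolves to `no` after any per-host overrides.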