I used to think that I could limit kinit by client address for a certain principal, using a preauth plugin. The plugin can check the client address against one of the principal's string attributes, such as "allowfrom", preventing keytab theft in an automation environment. That's just an idea that I didn't implement. I know that kinit can limit a TGT's addresses, which can prevent TGT theft to some extent.
Now, we do have such a demand. But when I start to implement it, I find that there is no way the client address can be retrieved from the context parameters in the plugin.

Is the idea realizable? Am I missing something, or is my assumption basically wrong?

Regards,
Wang Jian
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos