Chris Hecker <chec...@d6.com> writes:

> Ah, I assumed that was symmetric for some reason. I obviously need to
> be able to get tickets for these services. Not sure why I thought that.
> I'll check it out, thanks!

It is symmetric, yeah, so it has the problem that you're assuming it has.

I don't think there's a way to disable exactly the bit that you want. There's -allow_svr, which prevents issuing service tickets for the principal, and -allow_tix, which prevents issuing any tickets at all, but I don't think there's a flag to keep from allowing that principal to authenticate and get a TGT.

Maybe -pwexpire in the past would do what you want? I'm not sure how that interacts with service tickets.

Note, however, that if your keytab is compromised, the attacker can issue arbitrary service tickets for your service in any identity they choose, so I'm not sure you would want to leave service tickets enabled in that situation.

--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
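
The following is an added example, not part of the original message and not code from MIT Kerberos: a Python sketch that reads `getprinc`-style output and reports, per principal, whether it can still obtain a TGT and whether service tickets can be issued for it, using only the meanings of -allow_svr and -allow_tix given in the reply. The sample output, principal names and realm are constructed, and the model assumes the two flags are the only inputs (it ignores -pwexpire, user-to-user tickets and policy).

```python
# Constructed sample of `kadmin -q "getprinc <name>"` output, trimmed to the
# two fields used here. Principal names and realm are made up.
SAMPLE = """\
Principal: host/app1.example.com@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH

Principal: host/app2.example.com@EXAMPLE.COM
Attributes: DISALLOW_SVR

Principal: host/app3.example.com@EXAMPLE.COM
Attributes: DISALLOW_ALL_TIX REQUIRES_PRE_AUTH
"""

FLAGS = ("DISALLOW_ALL_TIX", "DISALLOW_SVR")  # set by -allow_tix / -allow_svr


def parse_getprinc(text):
    """Return {principal: set of attribute names} from getprinc-style text."""
    result, current = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Principal":
            current = value.strip()
            result[current] = set()
        elif key == "Attributes" and current is not None:
            result[current] |= set(value.split())
    return result


def capabilities(attrs):
    """Return (can get a TGT as client, can be the target of service tickets)."""
    no_tix = "DISALLOW_ALL_TIX" in attrs   # no tickets at all for the principal
    no_svr = "DISALLOW_SVR" in attrs       # no service tickets for the principal
    return (not no_tix, not (no_tix or no_svr))


def audit(text):
    """Map each principal in the text to its (client, service) capabilities."""
    return {p: capabilities(a) for p, a in parse_getprinc(text).items()}


def reachable_states():
    """Every (client, service) pair the two flags can produce together."""
    return {capabilities({f for i, f in enumerate(FLAGS) if mask >> i & 1})
            for mask in range(4)}


if __name__ == "__main__":
    for principal, (client, service) in audit(SAMPLE).items():
        print(f"{principal}: client={client} service={service}")
    # The combination asked about in the thread: service yes, client no.
    print("service-only reachable:", (False, True) in reachable_states())
```

Under these assumptions no combination of the two flags yields a principal that accepts service tickets but cannot authenticate as a client, which matches the reply's conclusion.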