Re: -allow_tgs_req

2018-01-08 Thread Russ Allbery
Chris Hecker  writes:

> Right, I will disable the princ when I find out obviously, I just want
> the person to not be able to use it as a user princ to get tickets to
> other services in the meantime.  Does that make sense or am I missing
> something?

It makes sense -- I just don't think it's something that currently exists
in the KDC's permission model, at least so far as I can tell.  Although
it's entirely possible I'm missing something.

-- 
Russ Allbery (ea...@eyrie.org)  

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: -allow_tgs_req

2018-01-08 Thread Chris Hecker
Hmm, yeah, I can't get tickets to a service with -allow_tix on it.  I'll
have to look into why if that's supposed to work, I made a couple
modifications to my KDC in this area a while back.

Chris


On Mon, Jan 8, 2018 at 20:24 Chris Hecker  wrote:

>
> Ah, I assumed that was symmetric for some reason.  I obviously need to be
> able to get tickets for these services.  Not sure why I thought that.  I'll
> check it out, thanks!
>
> Chris
>
>
> On Mon, Jan 8, 2018 at 20:15 Russ Allbery  wrote:
>
>> Chris Hecker  writes:
>>
>> > Ah.  Is there any way to prevent a service princ from being able to get
>> > tickets?
>>
>> > As in, if one of my service keytabs is compromised, can I prevent those
>> > princs from being used like a normal user princ?
>>
>> I think you want -allow_tix.
>>
>> --
>> Russ Allbery (ea...@eyrie.org)
>>
>



Re: -allow_tgs_req

2018-01-08 Thread Chris Hecker
Right, I will disable the princ when I find out obviously, I just want the
person to not be able to use it as a user princ to get tickets to other
services in the meantime.  Does that make sense or am I missing something?

Chris





On Mon, Jan 8, 2018 at 20:28 Russ Allbery  wrote:

> Chris Hecker  writes:
>
> > Ah, I assumed that was symmetric for some reason.  I obviously need to
> > be able to get tickets for these services.  Not sure why I thought that.
> > I'll check it out, thanks!
>
> It is symmetric, yeah, so it has the problem that you're assuming it has.
> I don't think there's a way to disable exactly the bit that you want.
> There's -allow_svr, which prevents issuing service tickets for the
> principal, and -allow_tix, which prevents issuing any tickets at all, but
> I don't think there's a flag to keep from allowing that principal to
> authenticate and get a TGT.
>
> Maybe -pwexpire in the past would do what you want?  I'm not sure how that
> interacts with service tickets.
>
> Note, however, that if your keytab is compromised, the attacker can issue
> arbitrary service tickets for your service in any identity they choose, so
> I'm not sure you would want to leave service tickets enabled in that
> situation.
>
> --
> Russ Allbery (ea...@eyrie.org)  
>



Re: -allow_tgs_req

2018-01-08 Thread Russ Allbery
Chris Hecker  writes:

> Ah, I assumed that was symmetric for some reason.  I obviously need to
> be able to get tickets for these services.  Not sure why I thought that.
> I'll check it out, thanks!

It is symmetric, yeah, so it has the problem that you're assuming it has.
I don't think there's a way to disable exactly the bit that you want.
There's -allow_svr, which prevents issuing service tickets for the
principal, and -allow_tix, which prevents issuing any tickets at all, but
I don't think there's a flag to keep from allowing that principal to
authenticate and get a TGT.

Maybe -pwexpire in the past would do what you want?  I'm not sure how that
interacts with service tickets.

Note, however, that if your keytab is compromised, the attacker can issue
arbitrary service tickets for your service in any identity they choose, so
I'm not sure you would want to leave service tickets enabled in that
situation.

-- 
Russ Allbery (ea...@eyrie.org)  

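As an added illustration (not code from the thread or from MIT krb5), the following Python models the three principal attributes Russ lists as the KDC's AS-REQ and TGS-REQ checks see them, and then searches the flag combinations for one that stops the service principal from authenticating as a client while leaving it reachable by users. The attribute names other than DISALLOW_TGT_BASED, the check ordering and the denial labels are assumptions made for the model; the -pwexpire idea is left out because the thread leaves it open.

```python
from itertools import combinations

# Attribute names as kadmin's modprinc flags set them (-allow_tgs_req, -allow_tix,
# -allow_svr).  Simplified model of the KDC's AS/TGS checks written for this thread;
# the denial strings are illustrative labels, not real KDC error codes.
DISALLOW_TGT_BASED, DISALLOW_ALL_TIX, DISALLOW_SVR = (
    "DISALLOW_TGT_BASED", "DISALLOW_ALL_TIX", "DISALLOW_SVR")
ALL_FLAGS = (DISALLOW_TGT_BASED, DISALLOW_ALL_TIX, DISALLOW_SVR)

def check_as_req(client_attrs, server_attrs):
    """AS-REQ (kinit): client proves its own key; server is normally krbtgt."""
    if DISALLOW_ALL_TIX in client_attrs:
        return "denied: client locked out"
    if DISALLOW_ALL_TIX in server_attrs:
        return "denied: service locked out"
    if DISALLOW_SVR in server_attrs:
        return "denied: service may not be a ticket target"
    return "ok"

def check_tgs_req(client_attrs, server_attrs):
    """TGS-REQ (kvno): client presents a TGT and asks for a ticket to server."""
    if DISALLOW_ALL_TIX in client_attrs:
        return "denied: client locked out"
    if DISALLOW_ALL_TIX in server_attrs:
        return "denied: service locked out"
    if DISALLOW_SVR in server_attrs:
        return "denied: service may not be a ticket target"
    if DISALLOW_TGT_BASED in server_attrs:  # consulted for the server side only
        return "denied: TGT-based requests for this service not allowed"
    return "ok"

def service_posture(attrs):
    """What an attribute set on a service principal permits, seen from each side."""
    attrs, plain = frozenset(attrs), frozenset()
    return {
        "keytab_can_kinit": check_as_req(attrs, plain) == "ok",
        "keytab_tgt_reaches_others": check_tgs_req(attrs, plain) == "ok",
        "users_can_reach_service": check_tgs_req(plain, attrs) == "ok",
    }

def flag_sets_blocking_only_client_use():
    """Flag sets that block the principal as a client yet keep it reachable by users."""
    hits = []
    for n in range(len(ALL_FLAGS) + 1):
        for combo in combinations(ALL_FLAGS, n):
            posture = service_posture(combo)
            if not posture["keytab_can_kinit"] and posture["users_can_reach_service"]:
                hits.append(combo)
    return hits
```

The search comes back empty: in this model the only flag that blocks the keytab holder's kinit is DISALLOW_ALL_TIX, and it also blocks every ticket to the service, which is the gap Russ describes.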


Re: -allow_tgs_req

2018-01-08 Thread Chris Hecker
Ah, I assumed that was symmetric for some reason.  I obviously need to be
able to get tickets for these services.  Not sure why I thought that.  I'll
check it out, thanks!

Chris


On Mon, Jan 8, 2018 at 20:15 Russ Allbery  wrote:

> Chris Hecker  writes:
>
> > Ah.  Is there any way to prevent a service princ from being able to get
> > tickets?
>
> > As in, if one of my service keytabs is compromised, can I prevent those
> > princs from being used like a normal user princ?
>
> I think you want -allow_tix.
>
> --
> Russ Allbery (ea...@eyrie.org)  
>



Re: -allow_tgs_req

2018-01-08 Thread Russ Allbery
Chris Hecker  writes:

> Ah.  Is there any way to prevent a service princ from being able to get
> tickets?

> As in, if one of my service keytabs is compromised, can I prevent those
> princs from being used like a normal user princ?

I think you want -allow_tix.

-- 
Russ Allbery (ea...@eyrie.org)  



Re: -allow_tgs_req

2018-01-08 Thread Chris Hecker
Ah.  Is there any way to prevent a service princ from being able to get
tickets?

As in, if one of my service keytabs is compromised, can I prevent those
princs from being used like a normal user princ?

Chris


On Mon, Jan 8, 2018 at 19:58 Russ Allbery  wrote:

> Chris Hecker  writes:
>
> > If -allow_tgs_req / DISALLOW_TGT_BASED is set on a service princ then I
> > shouldn't be able to kinit with it, right?  I'm able to get TGTs though
> > with kinit and the keytab for this service, and then get service tickets
> > with kvno; I need to update my KDC and see if this is still true, or
> > maybe I'm misunderstanding how it works...?
>
> That prevents other principals from getting service tickets for that
> principal using a TGT.  It's intended for principals like kadmin/changepw
> that want to force an AS-REQ to get a service ticket for that principal.
>
> It doesn't have any effect on authenticating as that principal.
>
> --
> Russ Allbery (ea...@eyrie.org)  
>



Re: -allow_tgs_req

2018-01-08 Thread Russ Allbery
Chris Hecker  writes:

> If -allow_tgs_req / DISALLOW_TGT_BASED is set on a service princ then I
> shouldn't be able to kinit with it, right?  I'm able to get TGTs though
> with kinit and the keytab for this service, and then get service tickets
> with kvno; I need to update my KDC and see if this is still true, or
> maybe I'm misunderstanding how it works...?

That prevents other principals from getting service tickets for that
principal using a TGT.  It's intended for principals like kadmin/changepw
that want to force an AS-REQ to get a service ticket for that principal.

It doesn't have any effect on authenticating as that principal.

-- 
Russ Allbery (ea...@eyrie.org)  




-allow_tgs_req

2018-01-08 Thread Chris Hecker

If -allow_tgs_req / DISALLOW_TGT_BASED is set on a service princ then I
shouldn't be able to kinit with it, right?  I'm able to get TGTs though
with kinit and the keytab for this service, and then get service tickets
with kvno; I need to update my KDC and see if this is still true, or
maybe I'm misunderstanding how it works...?

Thanks,
Chris






Re: krb5_verify_user

2018-01-08 Thread Benjamin Kaduk
On Mon, Jan 08, 2018 at 09:49:06PM +, Imanuel Greenfeld wrote:
> Hello,
>
> Hope you're well.
>
> Happy new year.
>
> I am looking for krb5_verify_user function under krb5/krb5.h and in fact
> anywhere but cannot find it.
>
> I know it's not recommended to use it with the password, but I want to see
> if I can prove the point.
>
> I am therefore getting compilation error for the function needing a
> prototype.
>
> I'm using 1.16 and also tried on 1.15.2
>
> Any ideas please?

krb5_verify_user() is a function in the Heimdal implementation of
Kerberos, but is not present in MIT krb5.

Upon cursory examination, it seems that
krb5_get_init_creds_password() and krb5_verify_init_creds() together
might be a suitable replacement.  Note that it requires the caller
to have access to a service keytab (and the principal name must be
specified if it is not host/).

-Ben



krb5_verify_user

2018-01-08 Thread Imanuel Greenfeld
Hello,

Hope you're well.

Happy new year.

I am looking for krb5_verify_user function under krb5/krb5.h and in fact
anywhere but cannot find it.

I know it's not recommended to use it with the password, but I want to see
if I can prove the point.

I am therefore getting compilation error for the function needing a
prototype.

I'm using 1.16 and also tried on 1.15.2

Any ideas please?

Thanks

Imanuel.

