Any set of flags on a princ to allow an AS but no TGS request?

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Any set of flags on a princ to allow an AS but no TGS request?

Chris Hecker

I'd like to make a princ that can be used to test whether the kdc is
working for login, but I don't want this princ to be able to get tickets
to any services (except the initial TGT).  I can turn off u2u with dup
skey, and I tried setting the -maxlife to 0 but that defaulted to 24
hours, and even setting -maxlife "1 second" still lets kvno get tickets
for a while (I assume for the clock skew window, though the tickets have
a start time after their expires time, so maybe they're not usable, I
haven't tried using them).  Am I missing something obvious?

Chris
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Any set of flags on a princ to allow an AS but no TGS request?

Greg Hudson
On 08/02/2018 12:52 AM, Chris Hecker wrote:> I'd like to make a princ
that can be used to test whether the kdc is
> working for login, but I don't want this princ to be able to get tickets
> to any services (except the initial TGT).  I can turn off u2u with dup
> skey, and I tried setting the -maxlife to 0 but that defaulted to 24
> hours, and even setting -maxlife "1 second" still lets kvno get tickets
> for a while (I assume for the clock skew window, though the tickets have
> a start time after their expires time, so maybe they're not usable, I
> haven't tried using them).  Am I missing something obvious?

You could in theory enable anonymous access by creating
WELLKNOWN/ANONYMOUS and then set "restrict_anonymous_to_tgt = true" in
the realm config, and then test for KDC liveness using anonymous PKINIT.
  But then you'd have to set up PKINIT, and that seems like a lot for
this purpose.

Aside from that I don't think there's any built-in functionality for
this.  In 1.16+ you could write a kdcpolicy module to implement that
restriction.

You'll also want to prevent AS requests for services other than
krbtgt/REALM; in particular you don't want the client to be able to get
tickets for kadmin/* or it could change its password.
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos