Limit kinit by client address?


Limit kinit by client address?

Wang Jian
I used to think that I can limit kinit by client address for certain
principal, using a preauth plugin. The plugin can check the client
address against one of principal's string attribute, such as
"allowfrom", preventing keytab theft in an automation environment.
That's just an idea that I didn't implement.  I know that kinit can
limit TGT's addresses, which can prevent TGT theft to some extent.

Now, we do have such a demand. But when I start to implement it, I find
that there is no way the client address can be retrieved from the context
parameters in the plugin.

Is the idea realizable? Am I missing something, or is my assumption basically wrong?


Regards,

Wang Jian
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
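The check this post sketches (compare the requesting client's address against an "allowfrom" string attribute on the principal) as an added, stand-alone example; it is not code from the thread or from MIT krb5. It implements only the policy decision itself, assuming the caller already has the client address and the attribute value as strings; the attribute format (a comma-separated list of IPv4/IPv6 addresses or CIDR prefixes) is an assumption. A malformed attribute or unparsable address is reported as -1 so the caller can fail closed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Parse a textual IPv4 or IPv6 address into buf; return its length in
 * bytes (4 or 16) and set *af, or return 0 if it is not an address. */
static int parse_addr(const char *s, int *af, unsigned char *buf)
{
    if (inet_pton(AF_INET, s, buf) == 1) { *af = AF_INET; return 4; }
    if (inet_pton(AF_INET6, s, buf) == 1) { *af = AF_INET6; return 16; }
    return 0;
}

/* Return 1 if the first `prefix` bits of addr and net agree, else 0. */
static int in_prefix(const unsigned char *addr, const unsigned char *net,
                     int prefix)
{
    int full = prefix / 8, rem = prefix % 8;
    if (full && memcmp(addr, net, (size_t)full) != 0)
        return 0;
    if (rem) {
        unsigned char mask = (unsigned char)(0xFF << (8 - rem));
        if ((addr[full] & mask) != (net[full] & mask))
            return 0;
    }
    return 1;
}

/* Hypothetical "allowfrom" evaluation (format assumed here):
 *   allowfrom = "10.0.0.0/8, 192.168.1.7, fd00::/8"
 * Returns 1 if client_addr matches any entry, 0 if it matches none,
 * and -1 if client_addr or the attribute is malformed (treat as denied). */
int allowfrom_permits(const char *allowfrom, const char *client_addr)
{
    int caf;
    unsigned char cbuf[16];
    if (!parse_addr(client_addr, &caf, cbuf))
        return -1;

    char *copy = strdup(allowfrom);   /* strtok_r modifies its input */
    if (copy == NULL)
        return -1;

    int result = 0;
    char *save = NULL;
    for (char *tok = strtok_r(copy, ",", &save); tok != NULL;
         tok = strtok_r(NULL, ",", &save)) {
        /* Trim surrounding blanks; skip empty entries. */
        while (*tok == ' ' || *tok == '\t')
            tok++;
        size_t n = strlen(tok);
        while (n && (tok[n - 1] == ' ' || tok[n - 1] == '\t'))
            tok[--n] = '\0';
        if (n == 0)
            continue;

        /* Optional "/prefix"; a bare address means a full-length prefix. */
        long prefix = -1;
        char *slash = strchr(tok, '/');
        if (slash) {
            char *end;
            *slash = '\0';
            prefix = strtol(slash + 1, &end, 10);
            if (end == slash + 1 || *end != '\0' || prefix < 0) {
                result = -1;
                break;
            }
        }

        int naf;
        unsigned char nbuf[16];
        int nlen = parse_addr(tok, &naf, nbuf);
        if (nlen == 0 || prefix > (long)nlen * 8) {
            result = -1;     /* not an address, or prefix too long */
            break;
        }
        if (prefix < 0)
            prefix = (long)nlen * 8;

        /* Only compare within the same address family. */
        if (naf == caf && in_prefix(cbuf, nbuf, (int)prefix)) {
            result = 1;
            break;
        }
    }
    free(copy);
    return result;
}

int main(void)
{
    /* Constructed sample: an automation host range plus one fixed host. */
    const char *policy = "10.0.0.0/8, 192.168.1.7, fd00::/8";
    const char *clients[] = { "10.20.30.40", "192.168.1.8", "fd12::1", "bad" };
    for (size_t i = 0; i < sizeof clients / sizeof clients[0]; i++)
        printf("%-12s -> %d\n", clients[i], allowfrom_permits(policy, clients[i]));
    return 0;
}
```

Family mismatch (an IPv6 client against an IPv4 entry) is a non-match rather than an error, so a single attribute can carry both families. As the rest of the thread notes, the piece this example does not supply, the client address itself, is what the current kdcpreauth interface does not hand to a module.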

Re: Limit kinit by client address?

Greg Hudson
On 04/19/2017 08:10 AM, Wang Jian wrote:
> I used to think that I can limit kinit by client address for certain
> principal, using a preauth plugin. [...]

> Now, we do have such a demand. But when I start to implement it, I find
> that there is no way the client address can be retrieved from the context
> parameters in the plugin.

I think that's true.  We could add a callback to retrieve the client
address.  But more importantly, you can't write a kdcpreauth plugin
module so that it gets consulted independently of the client trying to
use a specific preauthentication mechanism over the wire.

We do have a wishlist item of implementing a pluggable KDC policy
interface (independent of the KDB module, which already gets to make
policy decisions).  If we did that, and made the client address
available through that interface, a policy plugin module could make this
decision.

Re: Limit kinit by client address?

Wang Jian
2017-04-20 2:09 GMT+08:00 Greg Hudson <[hidden email]>:

> On 04/19/2017 08:10 AM, Wang Jian wrote:
>> I used to think that I can limit kinit by client address for certain
>> principal, using a preauth plugin. [...]
>
>> Now, we do have such a demand. But when I start to implement it, I find
>> that there is no way the client address can be retrieved from the context
>> parameters in the plugin.
>
> I think that's true.  We could add a callback to retrieve the client
> address.  But more importantly, you can't write a kdcpreauth plugin
> module so that it gets consulted independently of the client trying to
> use a specific preauthentication mechanism over the wire.

No catch-all? For example:

static krb5_preauthtype nacl_pa_types[] = { KRB5_PADATA_AP_REQ, 0 };

Of course, semantically, preauth isn't the best hook point.

> We do have a wishlist item of implementing a pluggable KDC policy
> interface (independent of the KDB module, which already gets to make
> policy decisions).  If we did that, and made the client address
> available through that interface, a policy plugin module could make this
> decision.

That's great. The question is, when will it be implemented?