Dave Shrimpton <[EMAIL PROTECTED]> writes:
> Is there a way of restricting access to MIT K5 kadmind
> from kadmin so that principals who are not listed in
> kadm5.acl are unable to do a getprinc on themselves or
> better still are unable to obtain a kadmin/admin ticket
> at all, even if they have successfully authenticated?

There's no way that kadm5.acl could stop people from getting admin
service tickets. kdc hands out tickets, and it doesn't make
authorization decisions of the sort you want (and many would argue
that this lack of smarts is a "good" thing.)

Since kadmind contains the acl logic, it should certainly be
theoretically possible to stop "getprinc". Whether this is really
what you want is another question. If you're worried about the
possibility of bad code paths existing, then this only gives you
partial relief; if the attacker can send "bad" packets, there's a 50%
chance that there's an exploit that can happen before the server
checks credentials, because a lot of the more interesting and ugly
low-down processing of user data happens before the credentials
check -- and if you're talking acls, there's even more stuff that
happens after the credentials check and before the RPC server side
procedure proper where the acl logic is invoked.

What you might want to do instead is to use firewalls, filtering
routers, or kernel firewall rules to discard packets *before* they get
to kadmind. You'll only be able to filter based on IP address, but
depending on your setup this may be acceptable. To be truly
effective, you'd also need routers elsewhere that prevent people from
forging your trusted IP addresses.

                                -Marcus Watts
                                UM ITCS Umich Systems Group
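
The kernel firewall approach suggested in the reply above, as an added example that is not part of the original post: a shell function that turns a list of trusted admin networks into Linux iptables rules which drop everything else before it reaches kadmind. It assumes kadmind listens on TCP port 749 (the MIT default), the function names are hypothetical, and the addresses are constructed from documentation ranges.

```shell
#!/bin/sh
# Added example: prints (does not apply) rules in iptables-restore format.
KADMIND_PORT=749   # assumption: kadmind on its default TCP port

# valid_cidr A.B.C.D/N -> status 0 only for a well-formed IPv4 CIDR
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    case "$len" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# kadmind_rules CIDR... -> filter-table fragment on stdout.
# Fails closed: one malformed entry aborts before any rule is printed,
# and an empty list yields only the DROP rule.
kadmind_rules() {
    for net in "$@"; do
        valid_cidr "$net" || { echo "bad CIDR: $net" >&2; return 1; }
    done
    echo "*filter"
    for net in "$@"; do
        echo "-A INPUT -p tcp -s $net --dport $KADMIND_PORT -j ACCEPT"
    done
    # Everything not accepted above never reaches kadmind's packet parsing.
    echo "-A INPUT -p tcp --dport $KADMIND_PORT -j DROP"
    echo "COMMIT"
}

# Constructed sample input: one admin subnet and one admin workstation.
kadmind_rules 192.0.2.0/24 198.51.100.7/32
```

The output can be reviewed and then loaded with `iptables-restore --noflush`; as the reply notes, source-address rules only hold up if upstream routers stop forged trusted addresses.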