You can only use the host key table from a host with the same IP address. The
server verifies that the IP address corresponds to the hostname. In theory
someone could bring a laptop and plug it in in place of the original host with
the same IP address, but that wouldn’t let them compromise anyth
Jim Shi writes:
> Hi, I have a question regarding client IP address checking in the KDC. Is
> it true that by default tickets issued by the KDC are not bound to any
> client IP address? Also, the KDC server does not check the IP if the ticket does
> not have any client IP address in it.
> Do we have to expli
Russ Allbery writes:
> Charles Hedrick writes:
>> * A kerberized service where the user registers that they want to be
>> able to do cron jobs on a given machine.
>> * A kerberized pam module that calls the same service and gets back
>> credentials, locked to the IP address, and at least by defa
Charles Hedrick writes:
> * A kerberized service where the user registers that they want to be
> able to do cron jobs on a given machine.
> * A kerberized pam module that calls the same service and gets back
> credentials, locked to the IP address, and at least by default not
> forwardable.
How
Hi, I have a question regarding client IP address checking in the KDC.
Is it true that by default tickets issued by the KDC are not bound to any client
IP address?
Also, the KDC server does not check the IP if the ticket does not have any client IP
address in it.
Do we have to explicitly turn on the client IP
My approach is simpler:
* A kerberized service where the user registers that they want to be able to do
cron jobs on a given machine.
* A kerberized pam module that calls the same service and gets back
credentials, locked to the IP address, and at least by default not forwardable.
The pam modu
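As an added example (not code or configuration from any message in this thread), here are the MIT krb5 client settings that request the kind of credentials described above, address-restricted and not forwardable, with the MIT defaults noted in the comments:

```ini
# Added example, not from the thread. MIT krb5 [libdefaults] options that
# control what kinit asks the KDC for. Only these two keys are shown; the
# rest of krb5.conf (realms, KDC addresses) is assumed to exist already.
[libdefaults]
    # MIT default is true: initial tickets are requested with no address
    # restriction, so they keep working across NAT. Set to false so kinit
    # puts the host's local addresses into the TGT.
    noaddresses = false
    # MIT default is already false. Stated explicitly so a local change to
    # forwardable = true is visible in review.
    forwardable = false
```

The same choice can be made per invocation: `kinit -a -F principal` requests an addressed, non-forwardable TGT, while `kinit -A -f principal` requests an addressless, forwardable one, and `klist -a` shows the address list carried by each cached ticket. The address list is supplied by the client and is rewritten by NAT, which is why MIT ships with `noaddresses = true`; treat address restriction as a limit on where a ticket is presented from, not as proof of which machine holds it.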
Charles Hedrick writes:
> The argument makes sense.
> However I am disturbed by the fact that a keytab can be used
> anywhere. If someone manages to become root on one machine, I’d like
> them not to be able to do things on other machines. I’m in an
> environment where we have systems administer
On 7/21/2017 11:13 AM, Charles Hedrick wrote:
> The argument makes sense.
>
> However I am disturbed by the fact that a keytab can be used anywhere. If
> someone manages to become root on one machine, I’d like them not to be able
> to do things on other machines. I’m in an environment where we h
The argument makes sense.
However I am disturbed by the fact that a keytab can be used anywhere. If
someone manages to become root on one machine, I’d like them not to be able to
do things on other machines. I’m in an environment where we have systems
administered by users, and unattended publi