Request filtering by principal names #54
Hello,
is it possible to inspect the KRB ticket request and allow only configured ticket requests? E.g.
Thanks in advance

Comments

kdcproxy doesn't currently have this functionality. In theory we could add it - service names are readable from the requests - though it would significantly complicate the decoder. Can you explain your use case a bit more? It's possible there may be another solution.

We have a webservice in our DMZ and the service needs access to an internal database. Access to the database is only possible via Kerberos, so the server is "forced" to obtain the TGT and the service ticket from the KDC periodically. We don't want the service and other machines to be able to request (over the firewall) arbitrary tickets from the KDC directly. So the idea is to set up a proxy so that we can control and restrict the tickets requested by a server/service/host in the DMZ from the KDC.

I see, thanks for clarifying.

??? Since your service runs on a machine with a fixed IP address, limit that in your web server hosting the Python app. This is what I do. I really do not see why further coding is necessary here.

I don't understand how that can mitigate the problem. The client machine in the DMZ has a TGT and can request arbitrary service tickets, no matter what IP address is limited ...

Another use case would be denying external domain administrator authentication via the KDC proxy.
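A worked illustration of the filter this thread asks for, added here as an example and not kdcproxy's own code: a minimal DER walker that pulls msg-type, cname, realm and sname out of an AS-REQ or TGS-REQ carried inside a KDC-PROXY-MESSAGE (the MS-KKDCP wrapper kdcproxy receives), then applies an allowlist of (realm, service) pairs and a denylist of client principals, so a DMZ host holding a TGT can only obtain the service tickets the proxy operator has configured. The realm, principal names, nonce, option flags and policy sets are constructed sample values, and the sample request builder emits only the fields the filter reads (it is not a complete client request).

```python
"""Principal-name filter for KDC-REQ messages behind an MS-KKDCP proxy.

Example code for the kdcproxy issue thread, not kdcproxy's decoder.
Structures follow RFC 4120 section 5.4.1 and MS-KKDCP section 2.2.2.
All sample values (EXAMPLE.COM, hosts, policy) are constructed.
"""
import struct

# ---- minimal DER encode/decode (Kerberos only uses single-byte tags) ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload

def ctx(n, payload):        # context-specific constructed tag [n]
    return tlv(0xA0 | n, payload)

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def gstring(s):             # KerberosString is a GeneralString
    return tlv(0x1B, s.encode("ascii"))

def read_tlv(buf, pos=0):
    """Return (tag, value, position after this TLV); handles long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(buf):
    """Yield (tag, value) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def ctx_field(buf, n):
    """Content of context tag [n] inside a SEQUENCE body, or None if absent."""
    return next((v for t, v in children(buf) if t == (0xA0 | n)), None)

# ---- KDC-REQ field extraction ----
def principal_name(wrapped):
    """PrincipalName -> 'comp1/comp2'; wrapped is the [n] content holding the SEQUENCE."""
    if wrapped is None:
        return None
    _, pn, _ = read_tlv(wrapped)
    _, names, _ = read_tlv(ctx_field(pn, 1))    # [1] name-string: SEQUENCE OF KerberosString
    return "/".join(v.decode("ascii") for _, v in children(names))

def parse_kdc_req(kdc_req):
    """Return the cleartext fields a proxy can filter on from a raw AS-REQ or TGS-REQ."""
    tag, body, _ = read_tlv(kdc_req)
    if tag not in (0x6A, 0x6C):     # [APPLICATION 10] AS-REQ, [APPLICATION 12] TGS-REQ
        raise ValueError("not a KDC-REQ")
    _, fields, _ = read_tlv(body)
    _, req_body, _ = read_tlv(ctx_field(fields, 4))
    return {
        "msg_type": int.from_bytes(read_tlv(ctx_field(fields, 2))[1], "big"),
        "cname": principal_name(ctx_field(req_body, 1)),    # only present in AS-REQ
        "realm": read_tlv(ctx_field(req_body, 2))[1].decode("ascii"),
        "sname": principal_name(ctx_field(req_body, 3)),
    }

def unwrap_kkdcp(proxy_msg):
    """KDC-PROXY-MESSAGE: [0] OCTET STRING kerb-message = 4-byte length + KDC-REQ."""
    _, fields, _ = read_tlv(proxy_msg)
    _, kerb_message, _ = read_tlv(ctx_field(fields, 0))
    (n,) = struct.unpack(">I", kerb_message[:4])
    return kerb_message[4:4 + n]

# ---- policy (constructed sample): allowlisted services, denylisted clients ----
ALLOWED_SERVICES = {("EXAMPLE.COM", "krbtgt/EXAMPLE.COM"),
                    ("EXAMPLE.COM", "MSSQLSvc/db1.example.com:1433")}
DENIED_CLIENTS = {("EXAMPLE.COM", "Administrator")}

def allowed(proxy_msg):
    """True only for requests the policy permits; anything unparseable is rejected."""
    try:
        req = parse_kdc_req(unwrap_kkdcp(proxy_msg))
    except (ValueError, IndexError, TypeError, struct.error):
        return False
    if (req["realm"], req["cname"]) in DENIED_CLIENTS:
        return False
    return (req["realm"], req["sname"]) in ALLOWED_SERVICES

# ---- constructed sample requests (not captured traffic) ----
def build_kdc_req(msg_type, realm, sname, cname=None):
    def pn(comps):
        return seq(ctx(0, integer(1)), ctx(1, seq(*[gstring(c) for c in comps])))
    body = [ctx(0, tlv(0x03, b"\x00\x40\x81\x00\x10"))]      # sample kdc-options BIT STRING
    if cname:
        body.append(ctx(1, pn(cname)))
    body += [ctx(2, gstring(realm)), ctx(3, pn(sname)),
             ctx(7, integer(12345678)), ctx(8, seq(integer(18)))]   # nonce, etype
    app_tag = 0x6A if msg_type == 10 else 0x6C
    return tlv(app_tag, seq(ctx(1, integer(5)), ctx(2, integer(msg_type)), ctx(4, seq(*body))))

def wrap_kkdcp(kdc_req, target_domain):
    return seq(ctx(0, tlv(0x04, struct.pack(">I", len(kdc_req)) + kdc_req)),
               ctx(1, gstring(target_domain)))

if __name__ == "__main__":
    tgs = wrap_kkdcp(build_kdc_req(12, "EXAMPLE.COM", ["MSSQLSvc", "db1.example.com:1433"]), "EXAMPLE.COM")
    print(parse_kdc_req(unwrap_kkdcp(tgs)), allowed(tgs))
```

Two points from the thread show up in the code. The sname allowlist addresses the DMZ case: the web host can still hold a TGT, but a TGS-REQ for any service other than the configured database principal is refused before it reaches the KDC, which is what IP-based filtering on the web server cannot do. The client denylist only works on AS-REQs, because a TGS-REQ carries the client's name inside the encrypted AP-REQ authenticator rather than in the cleartext body; since an AS-REQ is the authentication step, that is still enough to stop a named administrator account from authenticating through the proxy. The filter fails closed: a message the walker cannot parse is dropped, never forwarded.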