ok. So delegation works. Now we come to the question of how to configure it in gssproxy. The man page describes the syntax of the file but not how it actually works. Any suggestions?
> On Oct 22, 2019, at 9:52 AM, Alexander Bokovoy <aboko...@redhat.com> wrote: > > On ti, 22 loka 2019, Charles Hedrick wrote: >> within a department it’s actually pretty good, as long as you know the >> limitations. I wouldn’t use it as my only security, but it’s a useful >> supplement to checking a key table. > You already can write an ebpf filter that would reject AS-REQ requests > from incorrect locations. > > In a quick internal discussion with Simo and Robbie (Kerberos > maintainer) we came to a common conclusion we don't want to have this > supported in MIT Kerberos/FreeIPA. > >> >> On Oct 22, 2019, at 9:40 AM, Alexander Bokovoy >> <aboko...@redhat.com<mailto:aboko...@redhat.com>> wrote: >> >> Since IP addresses are practically spoofable or NATable, they don't make >> a good source of policy decision. >> > > > -- > / Alexander Bokovoy > Sr. Principal Software Engineer > Security / Identity Management Engineering > Red Hat Limited, Finland > _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
