On 04/19/2017 08:10 AM, Wang Jian wrote:
> I used to think that I can limit kinit by client address for certain
> principal, using a preauth plugin.
[...]
> Now, we do have such demand. But when I start to implement it, I find
> that in no way client address can be retrieved from context parameters
> in plugin.

I think that's true. We could add a callback to retrieve the client address. But more importantly, you can't write a kdcpreauth plugin module so that it gets consulted independently of the client trying to use a specific preauthentication mechanism over the wire.

We do have a wishlist item of implementing a pluggable KDC policy interface (independent of the KDB module, which already gets to make policy decisions). If we did that, and made the client address available through that interface, a policy plugin module could make this decision.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos