Right, I will disable the princ when I find out, obviously; I just want the person to not be able to use it as a user princ to get tickets to other services in the meantime. Does that make sense, or am I missing something?
Chris

On Mon, Jan 8, 2018 at 20:28 Russ Allbery <ea...@eyrie.org> wrote:

> Chris Hecker <chec...@d6.com> writes:
>
> > Ah, I assumed that was symmetric for some reason. I obviously need to
> > be able to get tickets for these services. Not sure why I thought that.
> > I'll check it out, thanks!
>
> It is symmetric, yeah, so it has the problem that you're assuming it has.
> I don't think there's a way to disable exactly the bit that you want.
> There's -allow_svr, which prevents issuing service tickets for the
> principal, and -allow_tix, which prevents issuing any tickets at all, but
> I don't think there's a flag to keep from allowing that principal to
> authenticate and get a TGT.
>
> Maybe -pwexpire in the past would do what you want? I'm not sure how that
> interacts with service tickets.
>
> Note, however, that if your keytab is compromised, the attacker can issue
> arbitrary service tickets for your service in any identity they choose, so
> I'm not sure you would want to leave service tickets enabled in that
> situation.
>
> --
> Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
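The exchange above turns on two facts: the KDC-side attributes -allow_svr and -allow_tix act at ticket issuance, and a service's long-term key is symmetric, so whoever holds the keytab can mint service tickets without ever contacting the KDC. The following toy model is an added example and is not code from the thread, from MIT krb5, or from either poster. It replaces Kerberos encryption with an HMAC "seal" (no AES, no ASN.1), and the realm, principal names and error messages are constructed for the scenario; only the shape of the AS and TGS exchanges and the meaning of the two kadmin flags are taken from real Kerberos.

```python
# Toy model (added example, not from the thread or from MIT krb5): the kadmin
# -allow_svr / -allow_tix attributes versus a stolen keytab. Tickets are sealed
# with an HMAC as a stand-in for encryption under a long-term key; the property
# that matters survives: whoever holds the key can mint tickets as well as verify.
import hashlib
import hmac
import json
import os

REALM = "EXAMPLE.COM"  # assumed realm for the constructed scenario


def seal(key: bytes, payload: dict) -> bytes:
    """Stand-in for encrypting a ticket under `key` (real Kerberos: AES + checksum)."""
    body = json.dumps(payload, sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def unseal(key: bytes, blob: bytes) -> dict:
    """Open a sealed ticket; raises ValueError on a wrong key or tampering."""
    body, _, tag = blob.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad ticket: wrong key or tampered")
    return json.loads(body)


class KDCError(Exception):
    pass


class Principal:
    def __init__(self, name: str):
        self.name = name
        self.key = os.urandom(32)  # long-term key, what ktadd writes to a keytab
        self.kvno = 1              # key version number, bumped on each key change
        self.allow_tix = True      # kadmin modprinc +/-allow_tix
        self.allow_svr = True      # kadmin modprinc +/-allow_svr


class KDC:
    """Toy KDC: AS exchange, TGS exchange, and the two kadmin attributes."""

    def __init__(self):
        self.db = {}
        self.tgs = self.addprinc(f"krbtgt/{REALM}@{REALM}")

    def addprinc(self, name: str) -> Principal:
        self.db[name] = Principal(name)
        return self.db[name]

    def modprinc(self, name: str, **flags: bool) -> None:
        for flag, value in flags.items():
            if flag not in ("allow_tix", "allow_svr"):
                raise ValueError(f"unknown attribute {flag}")
            setattr(self.db[name], flag, value)

    def cpw_randkey(self, name: str) -> None:
        """Like kadmin 'cpw -randkey': new random key, kvno+1; old keytabs go stale."""
        p = self.db[name]
        p.key, p.kvno = os.urandom(32), p.kvno + 1

    def as_req(self, cname: str, client_key: bytes) -> bytes:
        """AS exchange; `client_key` models pre-authentication with the long-term key."""
        p = self.db[cname]
        if not hmac.compare_digest(p.key, client_key):
            raise KDCError("preauth failed")
        if not p.allow_tix:  # -allow_tix: no tickets of any kind for this principal
            raise KDCError("client revoked (-allow_tix)")
        return seal(self.tgs.key, {"cname": cname, "sname": self.tgs.name})

    def tgs_req(self, tgt: bytes, sname: str) -> bytes:
        """TGS exchange: a service ticket sealed under the service's current key."""
        cname = unseal(self.tgs.key, tgt)["cname"]
        svc = self.db[sname]
        if not svc.allow_tix or not svc.allow_svr:  # -allow_svr blocks only this step
            raise KDCError("service tickets disabled (-allow_svr / -allow_tix)")
        return seal(svc.key, {"cname": cname, "sname": sname, "kvno": svc.kvno})


class Service:
    """An application server holding a keytab; it never talks to the KDC."""

    def __init__(self, name: str, key: bytes, kvno: int):
        self.name, self.key, self.kvno = name, key, kvno

    def accept(self, ticket: bytes):
        """Return the authenticated client name, or None if the ticket is rejected."""
        try:
            t = unseal(self.key, ticket)
        except ValueError:
            return None
        if t.get("sname") != self.name or t.get("kvno") != self.kvno:
            return None
        return t["cname"]


def scenario() -> dict:
    """Walk through the thread's situation; returns the observed outcomes."""
    kdc = KDC()
    app = kdc.addprinc(f"host/app.example.com@{REALM}")
    alice = kdc.addprinc(f"alice@{REALM}")
    stolen_key, stolen_kvno = app.key, app.kvno   # the compromised keytab
    service = Service(app.name, stolen_key, stolen_kvno)
    out = {}

    def issue(sname):  # alice obtains a service ticket for sname the normal way
        return kdc.tgs_req(kdc.as_req(alice.name, alice.key), sname)

    # 1. -allow_svr: the KDC stops issuing service tickets for app ...
    kdc.modprinc(app.name, allow_svr=False)
    try:
        issue(app.name)
        out["svr_ticket_after_allow_svr"] = True
    except KDCError:
        out["svr_ticket_after_allow_svr"] = False
    # 2. ... but app can still authenticate as a client and get a TGT (symmetric key).
    out["app_tgt_after_allow_svr"] = bool(kdc.as_req(app.name, stolen_key))
    # 3. -allow_tix blocks that too, at the cost of all tickets for app.
    kdc.modprinc(app.name, allow_tix=False)
    try:
        kdc.as_req(app.name, stolen_key)
        out["app_tgt_after_allow_tix"] = True
    except KDCError:
        out["app_tgt_after_allow_tix"] = False
    # 4. Neither flag matters to a forged ticket: the service checks only its own key.
    forged = seal(stolen_key, {"cname": f"admin@{REALM}", "sname": app.name, "kvno": stolen_kvno})
    out["forged_accepted"] = service.accept(forged) == f"admin@{REALM}"
    # 5. Rotating the key and redeploying the keytab is what invalidates the theft.
    kdc.cpw_randkey(app.name)
    kdc.modprinc(app.name, allow_tix=True, allow_svr=True)
    service = Service(app.name, app.key, app.kvno)   # fresh ktadd on the host
    out["forged_after_randkey"] = service.accept(forged) is not None
    out["legit_after_randkey"] = service.accept(issue(app.name)) == alice.name
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

Steps 1 to 3 reproduce the symmetry Russ describes: -allow_svr stops service tickets but leaves the principal able to obtain a TGT, and only -allow_tix closes that path. Step 4 is his warning made concrete: a ticket minted with the stolen key is indistinguishable to the service from a KDC-issued one, so no KDC attribute helps until the key is changed (step 5), which also means a new keytab must reach the host.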