On 08/02/2018 12:52 AM, Chris Hecker wrote:
> I'd like to make a princ that can be used to test whether the kdc is
> working for login, but I don't want this princ to be able to get tickets
> to any services (except the initial TGT). I can turn off u2u with dup
> skey, and I tried setting the -maxlife to 0 but that defaulted to 24
> hours, and even setting -maxlife "1 second" still lets kvno get tickets
> for a while (I assume for the clock skew window, though the tickets have
> a start time after their expires time, so maybe they're not usable, I
> haven't tried using them). Am I missing something obvious?
You could in theory enable anonymous access by creating WELLKNOWN/ANONYMOUS and then set "restrict_anonymous_to_tgt = true" in the realm config, and then test for KDC liveness using anonymous PKINIT. But then you'd have to set up PKINIT, and that seems like a lot for this purpose.

Aside from that I don't think there's any built-in functionality for this. In 1.16+ you could write a kdcpolicy module to implement that restriction. You'll also want to prevent AS requests for services other than krbtgt/REALM; in particular you don't want the client to be able to get tickets for kadmin/* or it could change its password.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
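As an added illustration of the kdcpolicy approach suggested in the reply (this is example code, not from the thread or from MIT krb5 itself), the following module confines one probe principal to its initial TGT: its AS requests are allowed only when the requested service's first component is krbtgt, which also blocks the kadmin/changepw AS request used for password changes, and every TGS request presented with that principal's TGT is refused. The principal name kdc-probe@EXAMPLE.COM, the module name "probe", and the PROBE_* status strings are constructed for the example. The decision logic is plain C so it compiles anywhere; the glue that binds it to the krb5 1.16+ kdcpolicy vtable is guarded by KRB5_KDCPOLICY_GLUE because it needs the krb5 headers. Ticket lifetime limits are left untouched (the lifetime_out pointers are not set), since the point is to deny, not to shorten.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed example: the canary principal, in krb5_unparse_name form. */
static const char CANARY_PRINC[] = "kdc-probe@EXAMPLE.COM";

/* True when an unparsed principal is a TGS principal (first component
 * "krbtgt" followed by the '/' separator, e.g. krbtgt/EXAMPLE.COM@EXAMPLE.COM).
 * krb5_unparse_name escapes a literal '/' inside a component as "\/", so a
 * plain prefix check cannot be fooled by a component such as "krbtgt/x". */
static bool is_tgs_principal(const char *princ)
{
    return strncmp(princ, "krbtgt/", 7) == 0;
}

/* AS request policy: any client other than the canary is left to the KDC's
 * normal checks; the canary may only ask for a krbtgt service. */
bool probe_policy_allow_as(const char *client, const char *server)
{
    if (strcmp(client, CANARY_PRINC) != 0)
        return true;
    return is_tgs_principal(server);
}

/* TGS request policy: a TGT belonging to the canary may never be exchanged
 * for anything, including renewals and cross-realm krbtgt tickets. */
bool probe_policy_allow_tgs(const char *tgt_client, const char *server)
{
    (void)server;   /* the canary is denied regardless of the target */
    return strcmp(tgt_client, CANARY_PRINC) != 0;
}

#ifdef KRB5_KDCPOLICY_GLUE
/* Build with the krb5 headers, e.g. -DKRB5_KDCPOLICY_GLUE -shared -fPIC,
 * then load it from kdc.conf:
 *   [plugins]
 *     kdcpolicy = { module = probe:/path/to/probe.so }
 */
#include <krb5/krb5.h>
#include <krb5/kdcpolicy_plugin.h>

static krb5_error_code
probe_check_as(krb5_context ctx, krb5_kdcpolicy_moddata md,
               const krb5_kdc_req *req, const struct _krb5_db_entry_new *client,
               const struct _krb5_db_entry_new *server,
               const char *const *auth_indicators, const char **status,
               krb5_deltat *lifetime_out, krb5_deltat *renew_lifetime_out)
{
    char *cname = NULL, *sname = NULL;
    krb5_error_code ret;
    bool allow;

    if ((ret = krb5_unparse_name(ctx, req->client, &cname)) != 0)
        return ret;
    if ((ret = krb5_unparse_name(ctx, req->server, &sname)) != 0) {
        krb5_free_unparsed_name(ctx, cname);
        return ret;
    }
    allow = probe_policy_allow_as(cname, sname);
    krb5_free_unparsed_name(ctx, cname);
    krb5_free_unparsed_name(ctx, sname);
    if (!allow) {
        *status = "PROBE_AS_POLICY";   /* appears in the KDC log line */
        return KRB5KDC_ERR_POLICY;
    }
    return 0;
}

static krb5_error_code
probe_check_tgs(krb5_context ctx, krb5_kdcpolicy_moddata md,
                const krb5_kdc_req *req, const struct _krb5_db_entry_new *server,
                const krb5_ticket *tgt, const char *const *auth_indicators,
                const char **status, krb5_deltat *lifetime_out,
                krb5_deltat *renew_lifetime_out)
{
    char *cname = NULL, *sname = NULL;
    krb5_error_code ret;
    bool allow;

    /* The client identity comes from the decrypted TGT, not from the request. */
    if ((ret = krb5_unparse_name(ctx, tgt->enc_part2->client, &cname)) != 0)
        return ret;
    if ((ret = krb5_unparse_name(ctx, req->server, &sname)) != 0) {
        krb5_free_unparsed_name(ctx, cname);
        return ret;
    }
    allow = probe_policy_allow_tgs(cname, sname);
    krb5_free_unparsed_name(ctx, cname);
    krb5_free_unparsed_name(ctx, sname);
    if (!allow) {
        *status = "PROBE_TGS_POLICY";
        return KRB5KDC_ERR_POLICY;
    }
    return 0;
}

/* Entry point the KDC looks up: kdcpolicy_<modulename>_initvt. */
krb5_error_code
kdcpolicy_probe_initvt(krb5_context ctx, int maj_ver, int min_ver,
                       krb5_plugin_vtable vtable)
{
    krb5_kdcpolicy_vtable vt;

    if (maj_ver != 1)
        return KRB5_PLUGIN_VER_NOTSUPP;
    vt = (krb5_kdcpolicy_vtable)vtable;
    vt->name = "probe";
    vt->check_as = probe_check_as;
    vt->check_tgs = probe_check_tgs;   /* init and fini are optional; left NULL */
    return 0;
}
#endif
```

With this loaded, kinit as the canary still succeeds (so login against the KDC can be monitored), while kvno for any service, kpasswd, and renewals all fail with KRB5KDC_ERR_POLICY and a PROBE_* status in the KDC log, which is a convenient thing to alert on if the canary's credentials are ever used for anything but the liveness check.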