latchset/kdcproxy

Request filtering by principal names

Opened this issue · 6 comments

Hello,
is it possible to inspect the KRB ticket request and allow only configured ticket requests? E.g.

  • TGT and service tickets for only one principal or
  • only for one service ...

Thanks in advance

kdcproxy doesn't currently have this functionality. In theory we could add it - service names are readable from the requests - though it would significantly complicate the decoder.

Can you explain your use case a bit more? It's possible there may be another solution.

We have a webservice in our DMZ and the service needs access to an internal database. Access to the database is only possible via Kerberos. So the server is "forced" to obtain the TGT and the service ticket from the KDC periodically. We don't want the service and other machines to be able to request arbitrary tickets from the KDC directly (over the firewall). So the idea is to set up a proxy so that we can control and restrict the tickets requested by a server/service/host from the DMZ to the KDC.

I see, thanks for clarifying.

??? Since your service runs on a machine with a fixed IP address, limit that in your web server hosting the Python app. This is what I do. I really do not see why further coding is necessary here.

I don't understand how that can mitigate the problem. The client machine in the DMZ has a TGT and can request arbitrary service tickets, no matter which IP address is limited ...
Am I missing something?

Another use case would be denying external domain administrator authentication via the KDC proxy.
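As an added illustration of the two points raised in this thread (the maintainer's note that service names are readable from the requests, and the observation that an IP filter does nothing once the DMZ host holds a TGT), the following Python is a sketch of what request filtering by principal name would involve. It is example code written for this page, not part of kdcproxy: it walks the cleartext DER of an AS-REQ / TGS-REQ (RFC 4120, KDC-REQ) with a minimal TLV reader, extracts realm, sname and cname from req-body, and applies an allow-list of service principals (and, for AS-REQ only, client principals). It assumes the KDC-PROXY-MESSAGE wrapper has already been removed, and every sample message, principal name, realm and policy entry below is constructed here.

```python
# Added example (not part of kdcproxy): parse the cleartext parts of a KDC-REQ
# (AS-REQ / TGS-REQ, RFC 4120 section 5.4.1) with a minimal DER walker and apply
# an allow-list on the requested service principal. Only the bare KDC-REQ is
# handled; the KDC-PROXY-MESSAGE wrapper used by kdcproxy is assumed to be
# stripped already. All sample messages below are constructed here.

AS_REQ, TGS_REQ = 10, 12   # KRB msg-type values; APPLICATION tags 0x6A / 0x6C

# ---- DER encoding helpers (used only to build the constructed samples) ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def ctx(n, body):                     # [n] EXPLICIT context-specific tag
    return tlv(0xA0 | n, body)

def principal(*parts):                # PrincipalName, name-type 1 (NT-PRINCIPAL)
    names = tlv(0x30, b"".join(tlv(0x1B, p.encode()) for p in parts))
    return tlv(0x30, ctx(0, tlv(0x02, b"\x01")) + ctx(1, names))

def build_kdc_req(msg_type, realm, sname, cname=None):
    """Constructed KDC-REQ with the fields needed for the filter (sample values)."""
    body = ctx(0, tlv(0x03, b"\x00\x40\x81\x00\x00"))          # kdc-options (sample bits)
    if cname:                                                   # TGS-REQ carries no cname here
        body += ctx(1, principal(*cname))
    body += ctx(2, tlv(0x1B, realm.encode()))                   # realm
    body += ctx(3, principal(*sname))                           # sname
    body += ctx(5, tlv(0x18, b"20370913024805Z"))               # till
    body += ctx(7, tlv(0x02, b"\x00\x12\x34\x56"))              # nonce
    body += ctx(8, tlv(0x30, tlv(0x02, b"\x12")))               # etype 18: aes256-cts-hmac-sha1-96
    req = ctx(1, tlv(0x02, b"\x05")) + ctx(2, tlv(0x02, bytes([msg_type]))) + ctx(4, tlv(0x30, body))
    return tlv(0x60 | msg_type, tlv(0x30, req))

# ---- DER decoding (the part a filtering proxy would actually need) ----
def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV at pos; single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body

def _fields(seq_body):                # map context tag number -> inner TLV bytes
    return {t & 0x1F: b for t, b in iter_tlvs(seq_body)}

def parse_principal(ctx_body):
    f = _fields(read_tlv(ctx_body)[1])
    return "/".join(b.decode() for _, b in iter_tlvs(read_tlv(f[1])[1]))

def parse_kdc_req(data):
    tag, body, _ = read_tlv(data)
    if tag not in (0x60 | AS_REQ, 0x60 | TGS_REQ):
        raise ValueError("not an AS-REQ or TGS-REQ")
    top = _fields(read_tlv(body)[1])
    rb = _fields(read_tlv(top[4])[1])                           # req-body
    return {
        "msg_type": tag & 0x1F,
        "realm": read_tlv(rb[2])[1].decode(),
        "cname": parse_principal(rb[1]) if 1 in rb else None,
        "sname": parse_principal(rb[3]) if 3 in rb else None,
    }

# ---- policy: which tickets the DMZ host may ask for (constructed) ----
ALLOWED_SERVICES = {"krbtgt/EXAMPLE.COM@EXAMPLE.COM", "postgres/db.example.com@EXAMPLE.COM"}
ALLOWED_CLIENTS = {"webservice@EXAMPLE.COM"}

def check_request(data):
    """Return (allowed, reason). Client filtering is only possible on AS-REQ: a
    TGS-REQ's client identity sits inside the encrypted ticket, unreadable by the proxy."""
    req = parse_kdc_req(data)
    spn = f'{req["sname"]}@{req["realm"]}'
    if spn not in ALLOWED_SERVICES:
        return False, f"service {spn} not allowed"
    if req["msg_type"] == AS_REQ:
        client = f'{req["cname"]}@{req["realm"]}'
        if client not in ALLOWED_CLIENTS:
            return False, f"client {client} not allowed"
    return True, "ok"

# constructed sample messages
SAMPLE_AS_REQ = build_kdc_req(AS_REQ, "EXAMPLE.COM", ("krbtgt", "EXAMPLE.COM"), ("webservice",))
SAMPLE_AS_REQ_ADMIN = build_kdc_req(AS_REQ, "EXAMPLE.COM", ("krbtgt", "EXAMPLE.COM"), ("administrator",))
SAMPLE_TGS_REQ_DB = build_kdc_req(TGS_REQ, "EXAMPLE.COM", ("postgres", "db.example.com"))
SAMPLE_TGS_REQ_CIFS = build_kdc_req(TGS_REQ, "EXAMPLE.COM", ("cifs", "fileserver.example.com"))

if __name__ == "__main__":
    for name, msg in [("AS-REQ webservice", SAMPLE_AS_REQ), ("AS-REQ administrator", SAMPLE_AS_REQ_ADMIN),
                      ("TGS-REQ postgres", SAMPLE_TGS_REQ_DB), ("TGS-REQ cifs", SAMPLE_TGS_REQ_CIFS)]:
        print(name, check_request(msg))
```

Two caveats follow from the structure of the messages. The sname filter is the useful part for the DMZ case: a TGS-REQ names the requested service in cleartext, so the proxy can refuse ticket requests for anything except the database and krbtgt even though the client already holds a TGT. The cname in an AS-REQ is asserted by the client, so an allow-list on it limits which names can be tried through the proxy (the "no external domain administrator" case) but does not authenticate the caller; the KDC's pre-authentication still does that. A production implementation would also need to handle multi-byte tags, the KDC-PROXY-MESSAGE wrapper and the TCP length prefix, which this sketch leaves out.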