#3642 [RFE] Allow creation of the principals that can't authenticate
Closed: wontfix 5 years ago Opened 10 years ago by dpal.

Use case:

When the HTTP proxy for the Kerberos protocol (being implemented now) is enabled (allowing authentication for principals on the Internet and not in the controlled environment), we should have a capability to define a policy that would restrict the ability of some principals to kinit and acquire tickets.

How:
It looks like we could restrict a given entry's ability to be used as a client or server in a given KDC request with check_policy_as and check_policy_tgs methods that ipakdb could provide, which the KDC already checks if provided by a KDB module.


This is something you can do only on the Proxy for AS requests.

The only way for an AS request to determine the 'origin' is by IP address, but in a cloud environment IP addresses are often meaningless as the IP is a local '192.168.x.x' type of IP address, which looks indistinguishable from other NATed IP addresses you can find elsewhere in an organization (VPN addresses for home users, labs, etc...).
That is if the Proxy fakes the source address, otherwise all the KDC will see is the proxy's own IP address.

The proxy though may have a better idea of where a connection is coming from and has a better chance of limiting access by simply preventing the communication altogether and by this avoiding any load on the KDC.

For TGS requests I am not sure what it is that you are asking? Just regular access control to prevent some specific services from getting a ticket for other specific services? If so, we already have Ticket #433 to cover TGS authorization.

Ah, if it isn't clear, I suggest closing this ticket: part 1 can't really be done the way it is defined here and should be done in the proxy, and part 2 is already scheduled in #433.

I agree with part 2. I do not think we should close this ticket. IMO the proxy should be dummy and stateless. The KDC has all the data, so it should decide based on the principal.
The evaluation of the use cases shows that for 1) we are talking about host principals for systems deployed into the public clouds or BYOD devices. Those systems would be grouped in a specific way so it would be easy to say in a KDC policy: for the BYOD devices or systems in the public cloud that fall into a specific group do not provide TGTs.
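As an added illustration of the policy model described in this thread (not FreeIPA's ipakdb code and not MIT krb5's KDB interface; the entry records, group names, principal names and the source-address helper are all constructed here), a toy Python check_policy_as decision keyed on the client principal's group membership, next to the IP-origin check that the earlier comment argues is meaningless for NATed addresses:

```python
"""Toy model of a KDC-side 'check_policy_as' decision keyed on the client
principal's group membership, as proposed in this ticket. Added example,
not FreeIPA's ipakdb or MIT krb5's KDB API; all data below is constructed."""
import ipaddress

# Constructed sample entries; 'groups' is an invented stand-in for whatever
# group attribute a KDB backend would pull from LDAP for the principal.
CLIENT_ENTRIES = {
    "host/web01.cloud.example.test@EXAMPLE.TEST": {"groups": {"cloud-hosts"}},
    "host/lab3.example.test@EXAMPLE.TEST": {"groups": {"lab-hosts"}},
    "alice@EXAMPLE.TEST": {"groups": {"employees"}},
}

# Policy in the shape the ticket asks for: members of these (constructed)
# groups get no TGT, i.e. their AS requests are denied at the KDC.
# TGS authorization is a separate matter (ticket #433) and is not modelled.
NO_TGT_GROUPS = {"cloud-hosts", "byod-devices"}


def check_policy_as(client_principal, entries=CLIENT_ENTRIES,
                    deny_groups=NO_TGT_GROUPS):
    """Return (allowed, status). The status string mirrors the idea of the
    'status' text a KDB policy hook hands back for the KDC log."""
    entry = entries.get(client_principal)
    if entry is None:
        # Unknown client: the real KDC fails the lookup before any policy hook
        # runs; modelled here as a denial so callers see one result shape.
        return False, "CLIENT_NOT_FOUND"
    blocked = entry["groups"] & deny_groups
    if blocked:
        return False, "POLICY_NO_TGT_FOR_GROUP " + ",".join(sorted(blocked))
    return True, "ALLOWED"


def origin_is_meaningful(source_ip):
    """The objection raised above: a private, loopback or link-local source
    address (e.g. 192.168.x.x behind NAT, or the proxy's own address) tells
    the KDC nothing about where the client really is."""
    ip = ipaddress.ip_address(source_ip)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


if __name__ == "__main__":
    for princ in CLIENT_ENTRIES:
        print(princ, "->", check_policy_as(princ))
    for addr in ("192.168.4.20", "127.0.0.1", "1.2.3.4"):  # constructed
        print(addr, "meaningful origin:", origin_is_meaningful(addr))
```

The decision is made entirely from the principal's own record, which is the point of the argument that the proxy can stay dumb and stateless: nothing about the request's network path is needed once membership in a "no TGT" group is recorded on the entry.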

Metadata Update from @dpal:
- Issue assigned to someone
- Issue set to the milestone: Ticket Backlog

7 years ago

Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request, I am closing the issue as wontfix. To request reconsideration of this decision, please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
