directory-dev mailing list archives

From Enrique Rodriguez <erodrig...@apache.org>
Subject Re: I'd like to start helping out here
Date Tue, 23 Nov 2004 20:59:12 GMT
Berin Loritsch wrote:
> The immediate need that I would have for this system is to deny access 
> or allow access from specific addresses.

Great idea.  I would like to request that ProtocolProviders have a way 
to notify the SEDA frontend that a Client is problematic.  There are at 
least two scenarios in the Kerberos and Changepw protocols where the 
Kerberos services may detect this.

1)  Replay attacks, where the Authenticator is compared against a replay 
cache.

2)  ClientAddresses, where Kerberos credentials are issued for use from 
specific IP address(es).

Detection of both of these scenarios should be encapsulated in the 
Kerberos ProtocolProvider, but with denial performed as close to the 
wire as possible.

Additionally, Kerberos admins should be able to clear denied Clients via a 
management interface, so there should be a way to notify of a cleared 
address, too.  This usually happens due to misconfigured clients.

-enrique
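The notification path sketched in the message above (detection inside the Kerberos ProtocolProvider, denial in the frontend, an admin call to clear an address), as an added illustration that is not part of the original thread and not Apache Directory code. The replay cache is keyed on the Authenticator's client name, ctime and cusec and bounded by the usual 5-minute clock-skew window; the ClientAddresses check is the one a service verifying an AP-REQ (such as the Changepw service mentioned above) would make. Class and method names, the error-string return values and the sample addresses and principals are all constructed for the example.

```python
"""Sketch: Kerberos provider detects replays and client-address violations
and reports the offending peer to a frontend deny list that an admin can
clear.  Constructed example; not code from Apache Directory."""

from dataclasses import dataclass

CLOCK_SKEW = 300  # seconds of permitted clock skew (RFC 4120 default)


@dataclass(frozen=True)
class Authenticator:
    """The AP-REQ Authenticator fields a replay cache is keyed on."""
    cname: str   # client principal, e.g. "alice@EXAMPLE.COM"
    ctime: int   # client time, seconds since epoch
    cusec: int   # microsecond part of ctime


@dataclass
class Ticket:
    cname: str
    caddr: frozenset = frozenset()  # ClientAddresses; empty means unrestricted


class DenyList:
    """Frontend-side block list, consulted as close to the wire as possible."""
    def __init__(self):
        self._denied = {}  # peer address -> reason

    def deny(self, addr, reason):
        self._denied[addr] = reason

    def clear(self, addr):
        """Admin action: un-deny a (typically misconfigured) client."""
        self._denied.pop(addr, None)

    def is_denied(self, addr):
        return addr in self._denied

    def reason(self, addr):
        return self._denied.get(addr)


class ReplayCache:
    """Remembers authenticators seen within the clock-skew window."""
    def __init__(self, skew=CLOCK_SKEW):
        self.skew = skew
        self._seen = {}  # (cname, ctime, cusec) -> expiry time

    def check_and_insert(self, auth, now):
        """Return True if this authenticator was already seen (a replay)."""
        # Entries older than the skew window would fail the skew check anyway.
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}
        key = (auth.cname, auth.ctime, auth.cusec)
        if key in self._seen:
            return True
        self._seen[key] = auth.ctime + self.skew
        return False


class KerberosProvider:
    """Protocol-side detection; denial is delegated to the frontend's DenyList."""
    def __init__(self, frontend):
        self.frontend = frontend
        self.replay_cache = ReplayCache()

    def handle_ap_req(self, ticket, auth, peer_addr, now):
        if self.frontend.is_denied(peer_addr):
            return "DROPPED"  # never reaches the Kerberos code path
        if abs(now - auth.ctime) > self.replay_cache.skew:
            return "KRB_AP_ERR_SKEW"  # bad clock, not an attack: no deny
        if ticket.caddr and peer_addr not in ticket.caddr:
            self.frontend.deny(peer_addr, "KRB_AP_ERR_BADADDR")
            return "KRB_AP_ERR_BADADDR"
        if self.replay_cache.check_and_insert(auth, now):
            self.frontend.deny(peer_addr, "KRB_AP_ERR_REPEAT")
            return "KRB_AP_ERR_REPEAT"
        return "OK"


def demo():
    """Replay from 10.0.0.5 gets that address denied and then dropped at the
    wire; the admin clears it; a ticket bound to 10.0.0.5 presented from
    10.0.0.9 gets 10.0.0.9 denied.  Addresses and principal are constructed."""
    frontend = DenyList()
    kdc = KerberosProvider(frontend)
    ticket = Ticket("alice@EXAMPLE.COM")
    auth = Authenticator("alice@EXAMPLE.COM", ctime=1_700_000_000, cusec=42)
    results = [kdc.handle_ap_req(ticket, auth, "10.0.0.5", now=1_700_000_001)]
    results.append(kdc.handle_ap_req(ticket, auth, "10.0.0.5", now=1_700_000_002))
    results.append(kdc.handle_ap_req(ticket, auth, "10.0.0.5", now=1_700_000_003))
    frontend.clear("10.0.0.5")
    fresh = Authenticator("alice@EXAMPLE.COM", ctime=1_700_000_004, cusec=7)
    results.append(kdc.handle_ap_req(ticket, fresh, "10.0.0.5", now=1_700_000_004))
    bound = Ticket("alice@EXAMPLE.COM", caddr=frozenset({"10.0.0.5"}))
    results.append(kdc.handle_ap_req(bound, fresh, "10.0.0.9", now=1_700_000_005))
    return results, frontend


if __name__ == "__main__":
    print(demo()[0])
```

Note that a clock-skew failure is deliberately not reported to the frontend: it is the misconfigured-client case the message mentions, not evidence of an attack, and the deny/clear cycle should be reserved for the replay and bad-address cases. Whether a single replayed Authenticator should block an address outright, or only after a threshold, is a policy question left to the frontend.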

