On Tue, 22 Oct 2019, Charles Hedrick wrote:
within a department it’s actually pretty good, as long as you know the
limitations. I wouldn’t use it as my only security, but it’s a useful
supplement to checking a key table.
You already can write an ebpf filter that would reject AS-REQ requests
from incorrect locations.
In a quick internal discussion with Simo and Robbie (Kerberos
maintainer) we came to a common conclusion we don't want to have this
supported in MIT Kerberos/FreeIPA.
On Oct 22, 2019, at 9:40 AM, Alexander Bokovoy <abokovoy@redhat.com> wrote:
Since IP addresses are practically spoofable or NATable, they don't make
a good source of policy decision.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
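
The per-packet decision that an AS-REQ location filter of the kind mentioned in the thread would make, written as a plain C model; this is an added example, not code from the thread or from MIT Kerberos/FreeIPA. The allowlisted subnet, the function names and the sample packets are constructed, and the verdict rests entirely on the source address, which is the input the thread calls spoofable and NATable.

```c
#include <stddef.h>
#include <stdint.h>

/* DER identifier octet for [APPLICATION 10], the AS-REQ message (RFC 4120).
 * TGS-REQ is [APPLICATION 12] = 0x6c and is left alone by this filter. */
#define KRB_AS_REQ_TAG 0x6a

enum verdict { PASS = 0, DROP = 1 };

/* Constructed allowlist: one department subnet, 192.0.2.0/24, host byte order. */
static const uint32_t ALLOWED_NET  = 0xC0000200u;
static const uint32_t ALLOWED_MASK = 0xFFFFFF00u;

/* Return the first octet of the Kerberos message, or -1 if the data is too
 * short to contain it. Over TCP, RFC 4120 places a 4-byte big-endian length
 * before the message, so the tag sits at offset 4 of the first payload bytes.
 * The explicit length check is the same bounds check an eBPF verifier requires. */
static int krb_tag(const uint8_t *data, size_t len, int is_tcp)
{
    size_t off = is_tcp ? 4 : 0;
    if (len <= off)
        return -1;
    return data[off];
}

/* src_ip: IPv4 source address in host byte order.
 * data:   payload sent to port 88 (UDP datagram, or first bytes of a TCP stream). */
enum verdict kdc_filter(uint32_t src_ip, const uint8_t *data, size_t len, int is_tcp)
{
    if (krb_tag(data, len, is_tcp) != KRB_AS_REQ_TAG)
        return PASS;                      /* only initial authentication is restricted */
    if ((src_ip & ALLOWED_MASK) == ALLOWED_NET)
        return PASS;                      /* AS-REQ from the allowed subnet */
    return DROP;                          /* AS-REQ from anywhere else */
}
```
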