Is there a way to force reauthenticate users with a valid kerberos session key?

In my case there are several users who don't authenticate against the KDC but take over existing sessions from other, already authenticated users.

The users authenticate against a firewall to get access to the network. The KDC is a SUSE Enterprise Server. I don't know how the taking over happens exactly, as the users are remote users. AFAIK they utilize an existing session of another user to access the network without logging in to their own account.

How do I prevent that behaviour?

  • You should probably clarify your setup, if you want someone to be able to help you. What service is authenticated against, with what clients in what environment. How does this taking over happen? – Gerrit Feb 18 '20 at 12:26
  • @user188737 Thx for pointing that out. I adjusted the OP. – G4schberle Feb 18 '20 at 13:38
  • I presume the clients use a browser? Or are we talking about shared files or another service? How do you know several people don't just sit behind the same computer without logging off? – Gerrit Feb 18 '20 at 13:56
  • @user188737 They use a browser to authenticate at the firewall and then connect to workstations in the protected network via ssh. I don't know how they actually are taking over the session. Maybe it is like you suppose and they just take over a running session of someone else on the computer. Therefore I was thinking about a forced re-authentication. So if they want to go on sharing their accounts that way, they have to know each other's credentials. – G4schberle Feb 18 '20 at 14:13
  • If the firewall supports it, you could try setting a connection inactivity timeout, on the assumption that if people share, there will be a little interval between them. Otherwise you would have to forcibly break connections regularly on the firewall, but even then there is no guarantee that credentials have to be entered on the client side. – Gerrit Feb 18 '20 at 16:02
  • @Gerrit The firewall is a gateprotect GPX 1000. I did not find anything about inactivity timeouts in the firewall's manual. Also: I wonder if the users can continue their work after the forced reconnect without the need to log in? They still have a valid TGT. What about decreasing the renew_lifetime of Kerberos tickets to 1 hour, so the users can use another account only for max 1 hour? – G4schberle Feb 20 '20 at 17:44
  • You can't set the renew_lifetime on your end, and if the ticket expires and can't be renewed, the client application will just use the TGT to get a fresh ticket. – Gerrit Feb 20 '20 at 22:59
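
The thread never pins down how the sharing happens, but the one concrete fact is that the users reach the workstations over SSH. Whatever the firewall can or cannot enforce, account sharing leaves a signature in the workstations' sshd logs: one principal logging in from several different source addresses within a short window. The script below is an added example (not code from the question, the firewall vendor or SUSE) that parses OpenSSH's standard `Accepted <method> for <user> from <src>` lines and flags such accounts; the log lines, host names, user names and addresses are constructed, and the one-hour window and the year used to complete the syslog timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines; hosts, users and addresses are hypothetical.
SAMPLE_LOG = """\
Feb 18 13:40:01 ws01 sshd[1201]: Accepted gssapi-with-mic for alice from 10.0.1.5 port 51234 ssh2
Feb 18 13:52:17 ws01 sshd[1240]: Accepted gssapi-with-mic for alice from 10.0.7.22 port 40022 ssh2
Feb 18 14:05:44 ws02 sshd[2210]: Accepted gssapi-with-mic for bob from 10.0.3.9 port 55120 ssh2
Feb 18 16:30:10 ws02 sshd[2333]: Accepted gssapi-with-mic for bob from 10.0.3.9 port 55188 ssh2
Feb 18 19:10:05 ws01 sshd[1410]: Accepted publickey for alice from 10.0.1.5 port 51900 ssh2
"""

# Matches OpenSSH's successful-login message as written by syslog (no year in the timestamp).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_logins(text, year=2020):
    """Parse successful sshd logins into (time, user, src, method) tuples.

    `year` is assumed because syslog timestamps do not carry one.
    Lines that are not 'Accepted ...' messages are skipped.
    """
    logins = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        logins.append((ts, m["user"], m["src"], m["method"]))
    return logins


def find_shared_accounts(logins, window=timedelta(hours=1)):
    """Return {user: sorted source addresses} for accounts that logged in from
    more than one source address within `window` of each other.

    Repeated logins from the same address are normal and are not flagged;
    only a change of source address inside the window counts.
    """
    by_user = defaultdict(list)
    for ts, user, src, _method in logins:
        by_user[user].append((ts, src))

    flagged = {}
    for user, events in by_user.items():
        events.sort()  # chronological order
        suspicious_srcs = set()
        for i, (ts, src) in enumerate(events):
            # Compare against every earlier login of the same account inside the window.
            for prev_ts, prev_src in events[:i]:
                if ts - prev_ts <= window and prev_src != src:
                    suspicious_srcs.update((src, prev_src))
        if suspicious_srcs:
            flagged[user] = sorted(suspicious_srcs)
    return flagged


if __name__ == "__main__":
    for user, srcs in find_shared_accounts(parse_logins(SAMPLE_LOG)).items():
        print(f"{user}: logins from several addresses within one hour: {', '.join(srcs)}")
```

On the sample data `alice` is flagged (two addresses twelve minutes apart) while `bob` is not, because both of his logins come from the same address. Shrinking the window below twelve minutes clears `alice` too, so the window should be chosen from how long a genuine user takes to move between locations in your environment; the remote users described in the question would normally keep the same source address for a whole working session.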

0 Answers