MIT KDC only listening on lo
Ken Raeburn
raeburn at MIT.EDU
Wed Sep 22 19:43:23 EDT 2004
On Sep 22, 2004, at 18:50, Fredrik Tolf wrote:
> On Wed, 2004-09-22 at 22:37 +0000, Sam Hartman wrote:
>>>>>>> "Fredrik" == Fredrik Tolf <fredrik at dolda2000.com> writes:
>>
>> Fredrik> Does anyone know if the KDC is configurable to just
>> Fredrik> listen to 0.0.0.0, or will I have to take the time to
>> Fredrik> patch it?
>>
>> You'll have to patch.
Shouldn't be hard. I think you need to dig up the code in the krb5
library (or include directory, or a copy in the KDC code? I forget
where 1.3 had it) that looks for IFF_LOOPBACK and disable it.
Listening on 0.0.0.0 for UDP traffic may not work for hosts with
multiple addresses, since the client code may be checking that it got
its response back from the same address to which it sent the query.
For TCP connections, I think we already ought to be accepting
connections from anywhere, though that may not be enough for the KDC to
want to start if there aren't non-loopback addresses to use for UDP.
>> This comes up often enough that I'm thinking we should reconsider our
>> decision not to listen on localhost.
> Would you mind me asking why you made that decision in the first place?
> I can see no obvious reason for it.
I think it probably made more sense when tickets included addresses by
default; the loopback address would not be listed (and the spec said
not to), so sending to and from the loopback address would cause a
mismatch of addresses, credentials would be rejected, etc.
Ken
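To make the two behaviours discussed in this thread concrete, here is a small added Python example (not code from MIT Kerberos or from anyone in this thread). It models the listener-side address selection as a simple filter that skips loopback addresses, and the client-side check that a UDP reply must come back from the exact address and port the query went to. The echo server, the `usable_listen_addrs` filter and the `192.0.2.x` sample addresses are constructed for illustration; the live exchange runs over 127.0.0.1 only, so on a single-homed host both a per-address socket and a wildcard socket pass the check, and the mismatch case is shown with constructed values.

```python
import ipaddress
import socket
import threading


def usable_listen_addrs(addrs, include_loopback=False):
    """Filter candidate listener addresses the way the thread describes the
    KDC doing it: drop loopback addresses unless explicitly allowed.
    (Illustrative helper, not the krb5 interface-scanning code.)"""
    keep = []
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if ip.is_loopback and not include_loopback:
            continue
        keep.append(a)
    return keep


def _echo_server(sock, stop):
    # Reply to each datagram on the socket it arrived on. With a socket bound
    # to one specific address, the reply's source is that address. With a
    # 0.0.0.0 socket the kernel picks the source by route, which on a
    # multi-homed host may not be the address the client sent to.
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(2048)
        except socket.timeout:
            continue
        sock.sendto(b"reply:" + data, peer)


def query(dest, payload, timeout=2.0):
    """Send one datagram and return (reply, reply_source)."""
    c = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    c.settimeout(timeout)
    try:
        c.sendto(payload, dest)
        data, src = c.recvfrom(2048)
    finally:
        c.close()
    return data, src


def reply_source_ok(sent_to, reply_from):
    """Client-side check: accept a reply only if it came from the exact
    (address, port) the query was sent to."""
    return sent_to == reply_from


def run_exchange(bind_addr):
    """Start a server bound to bind_addr, query it via 127.0.0.1 and return
    whether the reply-source check passes."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((bind_addr, 0))
    port = s.getsockname()[1]
    stop = threading.Event()
    t = threading.Thread(target=_echo_server, args=(s, stop), daemon=True)
    t.start()
    try:
        dest = ("127.0.0.1", port)
        data, src = query(dest, b"ping")
        return data == b"reply:ping" and reply_source_ok(dest, src)
    finally:
        stop.set()
        t.join()
        s.close()


if __name__ == "__main__":
    # Constructed sample addresses: loopback entries are filtered out.
    print(usable_listen_addrs(["127.0.0.1", "192.0.2.10", "::1"]))
    print("per-address socket:", run_exchange("127.0.0.1"))
    print("wildcard socket:", run_exchange("0.0.0.0"))
    # Constructed mismatch: reply from a different address is rejected.
    print("mismatch rejected:",
          reply_source_ok(("192.0.2.10", 88), ("192.0.2.11", 88)))
```

Binding one socket per non-loopback address is what guarantees the reply source equals the queried address; the wildcard bind only happens to pass here because the test host has a single reachable address.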