krb5-kdc/1093: request for multi-homed control feature

bmargulies@yahoo.com bmargulies at yahoo.com
Sun Apr 21 21:50:56 EDT 2002


>Number:         1093
>Category:       krb5-kdc
>Synopsis:       KDC could use feature to limit listening interfaces
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    krb5-unassigned
>State:          open
>Class:          change-request
>Submitter-Id:   unknown
>Arrival-Date:   Sun Apr 21 21:52:00 EDT 2002
>Last-Modified:
>Originator:     benson
>Organization:
Myself.
>Release:        krb5-1.2.4
>Environment:
Linux RedHat 7.2.
System: Linux bldell.bltest.cc 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown
Architecture: i686

>Description:

The KDC listens on all available local interfaces.  

1) It would be handy to be able to limit the addresses that the KDC
listens on.

2) Microsoft KB entry Q266095 documents a problem with the w2k
kerberos client. If the KDC has two physical interfaces, somehow the
IP address of one interface can end up in the KRB_AS_REP going out
over the other interface in reply. This causes Windows 2000 to fail to log in.

>How-To-Repeat:

Set up a KDC with two interfaces, and watch the packets
(KRB_AS_REQ/KRB_AS_REP) in flight.

>Fix:

There are two possible approaches here. First, if the kdc.conf had an
'interfaces' configuration stanza, then instead of foreach_localhost
the kdc could limit itself to the specified interfaces.

Even without that, however, it would be a good thing if the KDC kept
the addresses straight. Just because the KDC is on two networks does
not mean that the clients on each can route to the other.

>Audit-Trail:
>Unformatted:
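As an added illustration of the report's first approach (this is example code, not code from the report or from krb5), the Python sketch below reads a hypothetical `interfaces` stanza out of a kdc.conf fragment and binds one UDP listener per listed address instead of one wildcard socket, so every reply leaves on the socket, and therefore from the address, that the request arrived on. The stanza syntax, the function names and the sample config are assumptions.

```python
import select
import socket

# Constructed kdc.conf fragment; the 'interfaces' key is an assumed stanza, not real krb5 syntax.
SAMPLE_KDC_CONF = "[kdcdefaults]\n  kdc_ports = 8888\n  interfaces = 127.0.0.1 10.0.0.5\n"

def parse_interfaces(conf_text):
    """Addresses under the hypothetical 'interfaces' key; [] means every local
    interface, i.e. today's foreach_localhost behaviour."""
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "interfaces":
            return value.split()
    return []

def open_listeners(addresses, port):
    """One UDP socket per configured address. A socket bound to a single address
    can only send from it, so a reply on the arrival socket keeps addresses straight."""
    socks = []
    for addr in addresses:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((addr, port))
        socks.append(s)
    return socks

def serve_one(socks, timeout=2.0):
    """Answer one datagram on the listener it arrived on; the echo stands in for KRB_AS_REP."""
    ready, _, _ = select.select(socks, [], [], timeout)
    if not ready:
        return None
    s = ready[0]
    data, peer = s.recvfrom(65535)
    s.sendto(b"REPLY:" + data, peer)  # same socket, hence same source address
    return s.getsockname()[0], peer

def loopback_roundtrip(addresses=("127.0.0.1",)):
    """Self-check on loopback: returns (reply source address, reply bytes) as the client saw them."""
    socks = open_listeners(addresses, 0)  # port 0: kernel picks a free port
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2.0)
    try:
        client.sendto(b"KRB_AS_REQ", socks[0].getsockname())
        serve_one(socks)
        reply, source = client.recvfrom(65535)
        return source[0], reply
    finally:
        client.close()
        for s in socks:
            s.close()
```

With a real second address in the list, a request sent to that address is answered from it, which is the behaviour the report says a wildcard-bound KDC does not guarantee.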
