Ticket forwarding and IP addresses

Cesar Garcia Cesar.Garcia at morganstanley.com
Fri Feb 8 10:33:12 EST 2002


I've been working with 1.2.2 for some months now, and only
recently have attempted to get the rcmds working, mainly in
an effort to better understand how ticket forwarding works,
since we have a need to do this in a homegrown application.

The behavior that I see is that when I invoke ticket
forwarding, the "forwarded" tickets contain only a single
IP address.

After walking through some of the code, it appears that
the client, via krb5_fwd_tgt_creds, determines the target's
IP address via a host lookup using gethostbyname(), as
implemented in krb5_os_hostaddr().

Since we use NIS as the primary source for hostname
resolution, all host lookups render a single IP address,
even for multihomed machines. Moving to DNS is not an
option at the moment. Additionally, we use Veritas VCS
and other similar clustering facilities. These hosts
will have additional IP addresses that are not associated
with the real hostname, but with service names for a
particular cluster/application. So even if we were to switch
to DNS, the client would not be able to determine all the
IP addresses for a given target host via the hostname
lookup that it uses today.

That said (barring hacks to application protocols that
would allow target hosts to send IP addresses back to
the source host, then having the client embed the full set
of tickets), the way to address this would be to have
the target host obtain new tickets with a full set of
IP addresses.

1 - is this possible?
2 - is it within the limits of the specification?

If so, has anyone implemented this for 1.2.2 or any
release of MIT krb5?
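The failure mode the post describes, modelled in plain Python as an added example (this is not code from the post or from MIT krb5): the client embeds in the forwarded TGT whatever address list a gethostbyname()-style resolver returns for the target name, and the ticket is then only usable from an address in that list. The resolver table and the host's interface list are constructed, and the `resolve_one`, `build_forwarded_addrs`, `ticket_usable_from` and `usable_interfaces` functions are hypothetical helpers, not krb5 APIs. The empty-list case goes beyond the post and models an addressless ticket (RFC 4120: no client addresses means no address restriction).

```python
"""Model of the address check applied to a forwarded Kerberos ticket.

Added example, not code from the mailing-list post or from MIT krb5.
It reproduces, in plain Python, why a forwarded TGT carrying a single
IP address fails on a multihomed or clustered host: the ticket's
address list (RFC 4120 'caddr') is compared with the address the
request actually arrives from. All names and addresses are constructed.
"""
import ipaddress

# Constructed stand-in for an NIS-style resolver: one address per name,
# even for multihomed hosts (the limitation the post describes).
NIS_TABLE = {
    "dbhost.example.com": "10.0.1.10",
    "client.example.com": "10.0.2.5",
}

# Constructed view of what the target host actually owns: its primary
# address, a second interface, and a cluster service address (VIP)
# that the name lookup never returns.
HOST_INTERFACES = {
    "dbhost.example.com": ["10.0.1.10", "10.0.1.11", "10.0.1.100"],
}


def resolve_one(name, table=NIS_TABLE):
    """Mimic gethostbyname(): return exactly one address for a name."""
    return [ipaddress.ip_address(table[name])]


def build_forwarded_addrs(target_name, resolver=resolve_one):
    """Addresses a krb5_fwd_tgt_creds-style client would embed.

    The client only knows the target by name, so the embedded list is
    whatever the resolver hands back.
    """
    return list(resolver(target_name))


def ticket_usable_from(ticket_addrs, source_addr):
    """The check a KDC or application server applies to a request.

    A ticket with no addresses is valid from anywhere; otherwise the
    requesting address must appear in the ticket's address list.
    """
    src = ipaddress.ip_address(source_addr)
    if not ticket_addrs:
        return True
    return src in ticket_addrs


def usable_interfaces(ticket_addrs, target_name):
    """Which of the target host's own addresses can use the ticket."""
    return [addr for addr in HOST_INTERFACES[target_name]
            if ticket_usable_from(ticket_addrs, addr)]


if __name__ == "__main__":
    fwd = build_forwarded_addrs("dbhost.example.com")
    print("embedded in forwarded TGT:", [str(a) for a in fwd])
    print("usable from:", usable_interfaces(fwd, "dbhost.example.com"))
    print("addressless ticket usable from:",
          usable_interfaces([], "dbhost.example.com"))
```

Running it shows that only the one address the resolver returned can use the forwarded ticket; a process bound to the cluster VIP is rejected, which is exactly the situation described for Veritas VCS service addresses. The addressless variant is the form of ticket that sidesteps the lookup entirely.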