Ticket forwarding and IP addresses
Ken Hornstein
kenh at cmf.nrl.navy.mil
Fri Feb 8 11:10:08 EST 2002
>Since we use NIS as the primary source for hostname
>resolution, all host lookups render a single IP address,
>even for multihomed machines. Moving to DNS is not an
>option at the moment.
I have to ask ... you're STILL using NIS for hostname resolution? Ouch.
>That said (barring hacks to application protocols that
>would allow target hosts to send IP addresses back to
>the source host, then having the client embed the full set
>of tickets), the way to address this would be to have
>the target host obtain new tickets with a full set of
>IP addresses.
>
>1 - is this possible?
The trick here is that one of the IP addresses in the target ticket
_must_ be the IP address used to talk to the KDC; otherwise, you're
outta luck.
>2 - is it within the limits of the specification?
Yes.
It occurs to me that you could save yourself some pain and simply get
a completely addressless ticket. There is a school of thought in the
Kerberos world that suggests IP addresses in tickets are not that useful.
--Ken
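As an added illustration, not part of this thread and not code from any Kerberos implementation, here is a small Python model of the address check Ken describes: a ticket's address list must contain the address the request actually arrives from, and an addressless ticket carries no such restriction. The host addresses are constructed sample values.

```python
"""Model of the ticket address check (constructed example, not krb5 code).

A Kerberos ticket may carry a list of client addresses; the KDC and
application servers compare the address a request arrives from with
that list.  An empty list models an addressless ticket, which is
accepted from any address.
"""
import ipaddress

# Constructed: a multihomed target host and the address NIS returns for it.
TARGET_ADDRS = ["10.0.1.5", "10.0.2.5"]   # two interfaces
NIS_ADDR = "10.0.1.5"                     # NIS hands out only the first
KDC_FACING_ADDR = "10.0.2.5"              # interface that routes to the KDC


def ticket_accepted(ticket_addrs, request_addr):
    """Server side: accept if the ticket is addressless or the request's
    source address appears in the ticket's address list."""
    src = ipaddress.ip_address(request_addr)
    if not ticket_addrs:          # addressless ticket: no restriction
        return True
    return src in {ipaddress.ip_address(a) for a in ticket_addrs}


def forwarded_ticket_addrs(resolver_addrs, addressless=False):
    """Client side: build the address list for a forwarded ticket from
    whatever the resolver (NIS here) returned, or request none at all."""
    if addressless:
        return []
    return [str(ipaddress.ip_address(a)) for a in resolver_addrs]


def scenarios():
    """Run the three cases discussed in the thread; return name -> accepted."""
    nis_only = forwarded_ticket_addrs([NIS_ADDR])
    full_set = forwarded_ticket_addrs(TARGET_ADDRS)
    no_addrs = forwarded_ticket_addrs(TARGET_ADDRS, addressless=True)
    return {
        # NIS gives one address; the target reaches the KDC from the other.
        "nis_single_address": ticket_accepted(nis_only, KDC_FACING_ADDR),
        # The full set works only because it includes the KDC-facing address.
        "full_address_set": ticket_accepted(full_set, KDC_FACING_ADDR),
        # An addressless ticket works whichever interface is used.
        "addressless": ticket_accepted(no_addrs, KDC_FACING_ADDR),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

In MIT Kerberos the addressless case corresponds to requesting tickets with `kinit -A` (or `noaddresses = true` under `[libdefaults]` in krb5.conf).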