Ticket forwarding and IP addresses

Douglas E. Engert deengert at anl.gov
Fri Feb 8 12:03:08 EST 2002


Since the kinit has a -A noaddresses option, can this be 
carried forward to forwardable tickets? i.e. if the TGT used
to get a forwardable ticket does not have addresses, don't
request addresses in a forwardable ticket. 

This looks like an easy change to krb5_fwd_tgt_creds. 
Has anyone done this?



Cesar Garcia wrote:
> 
> I've been working with 1.2.2 for some months now, and only
> recently have attempted to get the rcmds working, mainly in
> an effort to better understand how ticket forwarding works,
> since we have a need to do this in a homegrown application.
> 
> The behavior that I see is that when I invoke ticket
> forwarding, the "forwarded" tickets contain only a single
> IP address.
> 
> After walking through some of the code, it appears that
> the client, via krb5_fwd_tgt_creds, determines the target's
> IP address via a host lookup using gethostbyname(), as
> implemented in krb5_os_hostaddr().
> 
> Since we use NIS as the primary source for hostname
> resolution, all host lookups render a single IP address,
> even for multihomed machines. Moving to DNS is not an
> option at the moment. Additionally, we use Veritas VCS
> and other similar clustering facilities. These hosts
> will have additional IP addresses that are not associated
> with the real hostname, but with service names for a
> particular cluster/application. So even if we were to switch
> to DNS, the client would not be able to determine all the
> IP addresses for a given target host via the hostname
> lookup that it uses today.
> 
> That said (barring hacks to application protocols that
> would allow target hosts to send IP addresses back to
> the source host, then having the client embed the full set
> of tickets), the way to address this would be to have
> the target host obtain new tickets with a full set of
> IP addresses.
> 
> 1 - is this possible?
> 2 - is it within the limits of the specification?
> 
> If so, has anyone implemented this for 1.2.2 or any
> releases of MIT krb5?
> _______________________________________________
> Kerberos mailing list
> Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
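The following is an added model of the address decision discussed in this thread; it is not MIT krb5 code and calls no libkrb5 function. The host table, the cluster service address and the `forwardable_noaddr` flag are constructed assumptions that stand in for NIS lookups, VCS service addresses and the proposed `-A`-style behaviour in `krb5_fwd_tgt_creds`.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Credentials:
    """Stand-in for a krb5 ticket: only the address list matters here."""
    addresses: List[str] = field(default_factory=list)  # empty == addressless


# Constructed NIS-style host table: one address per hostname, as the thread
# describes (a multihomed host still resolves to a single address).
NIS_HOSTS = {"db01": "10.0.1.10"}
# Constructed cluster service address that is not tied to the real hostname.
CLUSTER_SERVICE_ADDRS = {"db01": ["10.0.1.50"]}


def os_hostaddr(hostname: str) -> List[str]:
    """Mimics a single-answer lookup such as gethostbyname() under NIS."""
    return [NIS_HOSTS[hostname]]


def fwd_tgt_addresses(tgt: Credentials, target: str,
                      forwardable_noaddr: bool) -> List[str]:
    """Addresses to request in the forwarded ticket.

    forwardable_noaddr models the proposal in the reply above: if the TGT
    itself carries no addresses (kinit -A), request an addressless forwarded
    ticket instead of binding it to the single looked-up address.
    """
    if forwardable_noaddr and not tgt.addresses:
        return []
    return os_hostaddr(target)


def ticket_usable_from(ticket: Credentials, source_ip: str) -> bool:
    """Receiving-side check: an address-bound ticket is only usable from a
    listed address; an addressless ticket carries no such restriction, which
    is the trade-off the proposal accepts."""
    return not ticket.addresses or source_ip in ticket.addresses


def forward_and_check(tgt: Credentials, target: str, source_ip: str,
                      forwardable_noaddr: bool) -> bool:
    """Forward a ticket to target and test it from the address the target
    actually uses (e.g. a cluster service address)."""
    fwd = Credentials(fwd_tgt_addresses(tgt, target, forwardable_noaddr))
    return ticket_usable_from(fwd, source_ip)
```

With today's behaviour the forwarded ticket is bound to the one NIS address, so use from the cluster service address fails; with the proposed rule and an addressless TGT it succeeds because no address check applies.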


