Ticket forwarding and IP addresses

Wyllys Ingersoll wyllys.ingersoll at sun.com
Fri Feb 8 14:10:01 EST 2002


I think I raised this same issue back in November (11-19-01 is
the last email on it that I have saved).  Anyway, below
was my suggestion, but I never followed up on it at the time.
It seems similar to what Nico just suggested.


---
 > Douglas E. Engert wrote:
 >
 >>>Should the last line be only:
 >>>
 >>> FWD_TGT.addresses = Remote Host addr.
 >>>
 >>>as the forwarded TGT should only be usable from the remote host.
 >>>
 >>I was thinking that if someone explicitly put in a list of addresses
 >>in their TGT (not sure if anyone would actually do that), then that
 >>list would probably want to be maintained after forwarding.
 >>
 > I would say no. The intent of the addresses was to limit the
 > usefulness of a ticket to a specific machine, i.e. detect if it had
 > been stolen. So when you get a new forwardable TGT it should be
 > usable only from the machine to which it is to be forwarded.


Well, that makes the fix easier.  But, do you agree that the forwarded
ticket should be addressless if the original ticket was addressless
also?

The fix I have in mind is this (in fwd_tgt.c):

     if TGT.addresses == <empty list>
         FWD_TGT.addresses = <empty list>
     else
         FWD_TGT.addresses = rhost address.


-Wyllys


Douglas E. Engert wrote:

> Since kinit has a -A noaddresses option, can this be
> carried forward to forwardable tickets? i.e. if the TGT used
> to get a forwardable ticket does not have addresses, don't
> request addresses in a forwardable ticket.
> 
> This looks like an easy change to krb5_fwd_tgt_creds. 
> Has anyone done this?
> 
> 
> 
> Cesar Garcia wrote:
> 
>>I've been working with 1.2.2 for some months now, and only
>>recently have attempted to get the rcmds working, mainly in
>>an effort to better understand how ticket forwarding works,
>>since we have a need to do this in a homegrown application.
>>
>>The behavior that I see is that when I invoke ticket
>>forwarding, the "forwarded" tickets contain only a single
>>IP address.
>>
>>After walking through some of the code, it appears that
>>the client, via krb5_fwd_tgt_creds, determines the target's
>>IP address via a host lookup using gethostbyname(), as
>>implemented in krb5_os_hostaddr().
>>
>>Since we use NIS as the primary source for hostname
>>resolution, all host lookups render a single IP address,
>>even for multihomed machines. Moving to DNS is not an
>>option at the moment. Additionally, we use Veritas VCS
>>and other similar clustering facilities. These hosts
>>will have additional IP addresses that are not associated
>>with the real hostname, but with service names for a
>>particular cluster/application. So even if we were to switch
>>to DNS, the client would not be able to determine all the
>>IP addresses for a given target host via the hostname
>>lookup that it uses today.
>>
>>That said (barring hacks to application protocols that
>>would allow target hosts to send IP addresses back to
>>the source host, then having the client embed the full set
>>of tickets), the way to address this would be to have
>>the target host obtain new tickets with a full set of
>>IP addresses.
>>
>>1 - is this possible?
>>2 - is it within the limits of the specification?
>>
>>If so, has anyone implemented this for 1.2.2 or any
>>release of MIT krb5?
>>_______________________________________________
>>Kerberos mailing list
>>Kerberos at mit.edu
>>http://mailman.mit.edu/mailman/listinfo/kerberos
>>
> 
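The rule the thread converges on (an addressless TGT forwards as an addressless TGT; otherwise the forwarded TGT carries only the remote host's address) and the multihomed-host problem Cesar describes can be modelled in a few lines. The following is an added example, not MIT krb5 code and not from any poster in the thread. The names RESOLVER, HOST_INTERFACES, forwarded_addresses, address_check_passes and usable_from, the host names and the IP addresses are all constructed for illustration; RESOLVER stands in for the single-answer gethostbyname() lookup that krb5_os_hostaddr() performs, and HOST_INTERFACES for the addresses a clustered, multihomed host actually sends from.

```python
from ipaddress import ip_address

# Constructed stand-in for gethostbyname() as krb5_os_hostaddr() uses it.
# NIS-style: one address per name, even for multihomed hosts; the cluster
# service name owns an address that is not tied to the real hostname.
RESOLVER = {
    "node1.example.org": ["10.0.0.11"],
    "svc-db.example.org": ["10.0.0.50"],
}

# Constructed: every source address the remote host may actually use.
HOST_INTERFACES = {
    "node1.example.org": ["10.0.0.11", "10.0.1.11", "10.0.0.50"],
}


def normalize(addrs):
    """Canonical, order-independent form of a ticket address list."""
    return tuple(sorted(str(ip_address(a)) for a in addrs))


def forwarded_addresses(tgt_addresses, rhost, propagate_addressless=True):
    """Address list to request for the forwarded TGT.

    propagate_addressless=False models the behaviour complained about in
    the thread: the remote host's single resolved address is always
    requested.  True models the proposed fix: an addressless TGT yields
    an addressless forwarded TGT; otherwise only rhost's address is used.
    """
    if propagate_addressless and not tgt_addresses:
        return ()
    return normalize(RESOLVER[rhost])


def address_check_passes(ticket_addresses, client_addr):
    """The check a KDC or application server applies to a ticket's
    address list: an empty list matches any peer, otherwise the peer's
    source address must appear in the list."""
    if not ticket_addresses:
        return True
    return str(ip_address(client_addr)) in ticket_addresses


def usable_from(ticket_addresses, rhost):
    """Interfaces of rhost from which the ticket would be accepted."""
    return tuple(a for a in HOST_INTERFACES[rhost]
                 if address_check_passes(ticket_addresses, a))


if __name__ == "__main__":
    rhost = "node1.example.org"
    client_tgt = normalize(["192.0.2.10"])   # constructed: TGT bound to the client
    fwd = forwarded_addresses(client_tgt, rhost)
    print("forwarded TGT addresses:", fwd)
    print("usable from:", usable_from(fwd, rhost))
    print("stolen copy used from 198.51.100.7 accepted:",
          address_check_passes(fwd, "198.51.100.7"))
    fwd_nopin = forwarded_addresses((), rhost)
    print("addressless TGT forwarded as:", fwd_nopin,
          "usable from:", usable_from(fwd_nopin, rhost))
```

Running the script shows both sides of the trade-off: with an address-bound TGT the forwarded ticket is pinned to the one address NIS returns, so traffic from the cluster service address or the second interface is rejected along with a stolen copy; with an addressless TGT the forwarded ticket works from every interface but also from anywhere else.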
