Kerberos 5 and NAT

Sam Hartman hartmans at MIT.EDU
Wed Jun 19 17:41:18 EDT 2002

>>>>> "Douglas" == Douglas E Engert <deengert at> writes:

    Douglas> Steven McElwee wrote:
    >>  Hi, We are running a firewall that is using one set of ip
    >> addresses for our system internally and another set is
    >> presented externally, i.e., NAT. How can we teach a given
    >> system to incorporate its external ip address (note- not that
    >> assigned to its ethernet interface) in its Kerberos TGT ticket
    >> file? What are our options and what are the strengths and
    >> weaknesses?

    Douglas> One way is to not use addresses at all. See the kinit -A

Note that not using addresses seems to be the recommended direction
within the Kerberos working group.  At least there was significant
consensus that we wanted to move away from addresses at a meeting we
had last February.

