Kerberos 5 and NAT
steven.mcelwee@duke.edu
steven.mcelwee at duke.edu
Thu Jun 20 15:33:51 EDT 2002
On Wed, 19 Jun 2002 21:42:40 +0000 (UTC), hartmans at mit.edu (Sam
Hartman) wrote:
>
>Note that not using addresses seems to be the recommended direction
>within the Kerberos working group. At least there was significant
>consensus that we wanted to move away from addresses at a meeting we
>had last February.
>
>________________________________________________
>Kerberos mailing list Kerberos at mit.edu
>http://mailman.mit.edu/mailman/listinfo/kerberos
>
I have also heard that it is possible to add the option "noaddresses =
true" in the libdefaults section of the %SYSTEMROOT%\krb5.ini file
(I'm referring to NT, NT/2000)-
This seems to work in our environment where our PC clients are running
a krb5 v1.1.1 client. Similarly, our KDCs are running the same version
in a Solaris environment. Are there any security concerns with
bypassing addresses altogether? I expect not, but just want to check
with the experts to be sure.
thanks in advance,
Steven McElwee, Duke University
More information about the Kerberos
mailing list