Client and server on same machine

Mark Phalan loop at netsoc.tcd.ie
Wed Nov 26 06:52:19 EST 2003


Thanks for the info about modifying Kerberos to run on localhost. I
found a somewhat simpler solution however which works fine for me. I
simply set up a dummy network device (first compiled it into the
kernel - I think the dummy device has been there for quite a while),
and configured it with an IP address I wanted, changed the hostname to
a hostname reflecting that IP address and used that hostname to set up
my Kerberos server. It works great!

Mark.

greg at wind.enjellic.com (Dr. Greg Wettstein) wrote in message news:<200311251959.hAPJxSY6012547 at wind.enjellic.com>...
> On Nov 23,  1:06pm, Mark Phalan wrote:
> } Subject: Re: Client and server on same machine
>  
> > > hartmans at MIT.EDU (Sam Hartman) wrote in message news:<tsln0aofald.fsf at konishi-polis.mit.edu>...
> > > The KDC cannot run on localhost.  You can run everything on one
> > > machine, but you need to use a real network interface and make sure
> > > your clients talk to the kdc over that real network interface.
> 
> Actually you can run everything, for testing, on localhost but you
> need a source code dive, at least in 1.2.8.
> 
> > I do not have (at this time) a network card. Is it possible to
> > create a dummy network interface which is in fact localhost?
> 
> I do my development work on 1.2.8 on my laptop using only the
> localhost (127.0.0.1) interface.  I don't know how much has changed in
> the 1.3.x code drops but the hack needed to support localhost
> operation is pretty straightforward in 1.2.8.
> 
> The file in question is network.c in the kdc sub-directory.  The
> clause in question is as follows:
> 
> #ifdef IFF_LOOPBACK
>         /* None of the current callers want loopback addresses. */
>         if (ifreq.ifr_flags & IFF_LOOPBACK)
>             goto skip;
> #endif
> 
> 
> If you surround the #ifdef IFF_LOOPBACK with an #ifdef 0/#endif pair to
> disable the check and recompile you will have a KDC which operates on
> the 127.0.0.1 or localhost interface.
> 
> IMPORTANT NOTE:
> 
> 	Operating in this mode requires that you really understand how
> 	Kerberos works, especially with respect to naming services, ie
> 	DNS and name resolution.  Don't look to the list for too much
> 	help, be prepared to exert some elbow grease and figure out
> 	issues on your own dime.
> 
> 	This check was also, obviously, put in for a reason.  Do not
> 	use a modified KDC when you are attached to a network or
> 	anything that is designed to be remotely secure.  This is a
> 	'you're on your own' hack for testing on a private and isolated
> 	machine.
> 
> Good luck with your work.
> 
> }-- End of excerpt from Mark Phalan
> 
> As always,
> GW
> 
> The Hurderos Project - Open Identity and Authorization Management
> ------------------------------------------------------------------------------
> "The price of reliability is the pursuit of the utmost simplicity."
>                                 -- C.A.R. Hoare
>                                    1980 ACM Turing Award Lecture
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
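The loopback filter discussed in this thread, as an added example that is not part of the original posts and is not MIT krb5 code: it lists the local IPv4 interfaces and marks which ones a listener applying the same IFF_LOOPBACK test would skip, so a dummy device can be confirmed as a usable address before the KDC is configured. It uses getifaddrs(3) in place of the ifreq-based scan quoted above; the function names and the IFF_UP requirement are assumptions of this example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <ifaddrs.h>

/* Hypothetical helper: same test as the quoted clause (skip anything flagged
 * IFF_LOOPBACK). Requiring IFF_UP is an assumption added for this example. */
static int kdc_would_use(unsigned int flags)
{
    if (!(flags & IFF_UP))
        return 0;
    if (flags & IFF_LOOPBACK)
        return 0;
    return 1;
}

/* Hypothetical helper: print every local IPv4 address with the filter's
 * verdict. Returns the number of usable addresses, or -1 on error. */
static int list_kdc_candidates(FILE *out)
{
    struct ifaddrs *head, *ifa;
    int usable = 0;

    if (getifaddrs(&head) != 0)
        return -1;
    for (ifa = head; ifa != NULL; ifa = ifa->ifa_next) {
        char addr[INET_ADDRSTRLEN];
        if (ifa->ifa_addr == NULL || ifa->ifa_addr->sa_family != AF_INET)
            continue;
        struct sockaddr_in *sin = (struct sockaddr_in *)ifa->ifa_addr;
        if (inet_ntop(AF_INET, &sin->sin_addr, addr, sizeof addr) == NULL)
            continue;
        int ok = kdc_would_use(ifa->ifa_flags);
        fprintf(out, "%-10s %-15s %s\n", ifa->ifa_name, addr,
                ok ? "listen" : "skip");
        usable += ok;
    }
    freeifaddrs(head);
    return usable;
}

int main(void)
{
    int n = list_kdc_candidates(stdout);
    if (n < 0) { perror("getifaddrs"); return 1; }
    printf("%d usable address(es)\n", n);
    return n > 0 ? 0 : 2;   /* exit 2: only loopback is available */
}
```

On a machine with only `lo` configured the program exits with status 2; once a dummy device has an address and is up, that address is reported as `listen`.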

