Client and server on same machine
Mark Phalan
loop at netsoc.tcd.ie
Wed Nov 26 06:52:19 EST 2003
Thanks for the info about modifying Kerberos to run on localhost. I
found a somewhat simpler solution however which works fine for me. I
simply set up a dummy network device (first compiled it into the
kernel - I think the dummy device has been there for quite a while),
and configured it with an IP address I wanted, changed the hostname to
a hostname reflecting that IP address and used that hostname to set up
my Kerberos server. It works great!
Mark.
greg at wind.enjellic.com (Dr. Greg Wettstein) wrote in message news:<200311251959.hAPJxSY6012547 at wind.enjellic.com>...
> On Nov 23, 1:06pm, Mark Phalan wrote:
> } Subject: Re: Client and server on same machine
>
> > > hartmans at MIT.EDU (Sam Hartman) wrote in message news:<tsln0aofald.fsf at konishi-polis.mit.edu>...
> > > The KDC cannot run on localhost. You can run everything on one
> > > machine, but you need to use a real network interface and make sure
> > > your clients talk to the kdc over that real network interface.
>
> Actually you can run everything, for testing, on localhost but you
> need a source code dive, at least in 1.2.8.
>
> > I do not have (at this time) a network card. Is it possible to
> > create a dummy network interface which is in fact localhost?
>
> I do my development work on 1.2.8 on my laptop using only the
> localhost (127.0.0.1) interface. I don't know how much has changed in
> the 1.3.x code drops but the hack needed to support localhost
> operation is pretty straightforward in 1.2.8.
>
> The file in question is network.c in the kdc sub-directory. The
> clause in question is as follows:
>
>     #ifdef IFF_LOOPBACK
>         /* None of the current callers want loopback addresses. */
>         if (ifreq.ifr_flags & IFF_LOOPBACK)
>             goto skip;
>     #endif
>
>
> If you surround the #ifdef IFF_LOOPBACK with an #ifdef 0/#endif pair to
> disable the check and recompile you will have a KDC which operates on
> the 127.0.0.1 or localhost interface.
>
> IMPORTANT NOTE:
>
> Operating in this mode requires that you really understand how
> Kerberos works, especially with respect to naming services, i.e.
> DNS and name resolution. Don't look to the list for too much
> help, be prepared to exert some elbow grease and figure out
> issues on your own dime.
>
> This check was also, obviously, put in for a reason. Do not
> use a modified KDC when you are attached to a network or
> anything that is designed to be remotely secure. This is a
> 'you're on your own' hack for testing on a private and isolated
> machine.
>
> Good luck with your work.
>
> }-- End of excerpt from Mark Phalan
>
> As always,
> GW
>
> The Hurderos Project - Open Identity and Authorization Management
> ------------------------------------------------------------------------------
> "The price of reliability is the pursuit of the utmost simplicity."
> -- C.A.R. Hoare
> 1980 ACM Turing Award Lecture
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos