MIT KDC only listening on lo

Ken Raeburn raeburn at MIT.EDU
Wed Sep 22 19:43:23 EDT 2004

On Sep 22, 2004, at 18:50, Fredrik Tolf wrote:
> On Wed, 2004-09-22 at 22:37 +0000, Sam Hartman wrote:
>>>>>>> "Fredrik" == Fredrik Tolf <fredrik at> writes:
>>     Fredrik> Does anyone know if the KDC is configurable to just
>>     Fredrik> listen to, or will I have to take the time to
>>     Fredrik> patch it?
>> You'll have to patch.

Shouldn't be hard.  I think you need to dig up the code in the krb5 
library (or include directory, or a copy in the KDC code? I forget 
where 1.3 had it) that looks for IFF_LOOPBACK and disable it.

Listening on for UDP traffic may not work for hosts with 
multiple addresses, since the client code may be checking that it got 
its response back from the same address to which it sent the query.  
For TCP connections, I think we already ought to be accepting 
connections from anywhere, though that may not be enough for the KDC to 
want to start if there aren't non-loopback addresses to use for UDP.

>> This comes up often enough that I'm thinking we should reconsider our
>> decision not to listen on localhost.
> Would you mind me asking why you made that decision in the first place?
> I can see no obvious reason for it.

I think it probably made more sense when tickets included addresses by 
default; the loopback address would not be listed (and the spec said 
not to), so sending to and from the loopback address would cause a 
mismatch of addresses, credentials would be rejected, etc.


More information about the Kerberos mailing list