MIT KDC only listening on lo

Sam Hartman hartmans at MIT.EDU
Thu Sep 23 13:49:06 EDT 2004

>>>>> "Fredrik" == Fredrik Tolf <fredrik at> writes:

    >> This comes up often enough that I'm thinking we should
    >> reconsider our decision not to listen on localhost.

    Fredrik> Would you mind me asking why you made that decision in
    Fredrik> the first place?  I can see no obvious reason for it.

If you are using IP addresses in your tickets, you want to make sure
that you never talk to the KDC on localhost.  Also, you want to make
sure you never include localhost in the set of addresses in your
ticket.  I think we use the same API to find local addresses to
include in tickets as we do to find local interfaces.


More information about the Kerberos mailing list