MIT KDC only listening on lo

Fredrik Tolf fredrik at dolda2000.com
Wed Sep 22 19:57:50 EDT 2004


On Wed, 2004-09-22 at 19:43 -0400, Ken Raeburn wrote:
> On Sep 22, 2004, at 18:50, Fredrik Tolf wrote:
> > On Wed, 2004-09-22 at 22:37 +0000, Sam Hartman wrote:
> >>>>>>> "Fredrik" == Fredrik Tolf <fredrik at dolda2000.com> writes:
> >>
> >>     Fredrik> Does anyone know if the KDC is configurable to just
> >>     Fredrik> listen to 0.0.0.0, or will I have to take the time to
> >>     Fredrik> patch it?
> >>
> >> You'll have to patch.
> 
> Shouldn't be hard.  I think you need to dig up the code in the krb5 
> library (or include directory, or a copy in the KDC code? I forget 
> where 1.3 had it) that looks for IFF_LOOPBACK and disable it.

It would be much better if it would listen to 0.0.0.0, since if I leave
the network and then come back, I'm not always certain to be given the
same IP address by the DHCP server. If I would get a new one, I'd have
to restart the KDC to listen to it. Not a major deal, mayhap (especially
considering I could restart the KDC from some network script), but
slightly annoying, and pretty ugly.

Do you think that's wrong?

> Listening on 0.0.0.0 for UDP traffic may not work for hosts with 
> multiple addresses, since the client code may be checking that it got 
> its response back from the same address to which it sent the query.  

I'm sorry, but I'm not seeing the problem. When the reply is sent back,
surely the kernel fills in the interface address in the source field of
the IP header? Or am I missing something here?

> >> This comes up often enough that I'm thinking we should reconsider our
> >> decision not to listen on localhost.
> > Would you mind me asking why you made that decision in the first place?
> > I can see no obvious reason for it.
> 
> I think it probably made more sense when tickets included addresses by 
> default; the loopback address would not be listed (and the spec said 
> not to), so sending to and from the loopback address would cause a 
> mismatch of addresses, credentials would be rejected, etc.

I see... that would be a problem, I guess. I was under the impression
that tickets still include the host address by default (isn't that the
reason for the "Proxiable" flag?). Is that not true?

Many thanks for your reply.

Fredrik Tolf
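Ken's concern about UDP replies from a 0.0.0.0 socket and Fredrik's question about the source field, demonstrated in an added example that is not part of the original thread: a responder bound to 0.0.0.0 replies from whatever address the kernel's route lookup picks, unless it requests IP_PKTINFO on receive and hands the query's destination back as the reply's source. It assumes Linux (IP_PKTINFO is 8 there and all of 127/8 sits on lo); the function names and the query payload are constructed for this example.

```python
import socket
import struct
import threading

# Assumes Linux: IP_PKTINFO is 8 there, and all of 127/8 sits on lo.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
PKTINFO = "i4s4s"  # struct in_pktinfo: ipi_ifindex, ipi_spec_dst, ipi_addr

def serve_one(server, use_pktinfo):
    """Answer one datagram received on a socket bound to 0.0.0.0."""
    data, ancdata, _, client = server.recvmsg(512, socket.CMSG_SPACE(12))
    if not use_pktinfo:
        # The kernel picks the reply's source address by route lookup, which
        # need not be the address the client sent its query to.
        server.sendto(data, client)
        return
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _, _, dst = struct.unpack(PKTINFO, cdata[:12])
            # On receive ipi_addr is the header destination; passing it back
            # as ipi_spec_dst makes the kernel use it as the reply's source.
            info = struct.pack(PKTINFO, 0, dst, b"\0" * 4)
            server.sendmsg([data], [(socket.IPPROTO_IP, IP_PKTINFO, info)],
                           0, client)

def query_reply_source(target_ip, port):
    """Send one constructed query; return the IP the reply came from."""
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2)
    try:
        client.sendto(b"constructed KDC query", (target_ip, port))
        _, (src_ip, _) = client.recvfrom(512)
    finally:
        client.close()
    return src_ip

def reply_source(target_ip, use_pktinfo):
    """Run a one-shot 0.0.0.0 responder; return the reply's source IP."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    if use_pktinfo:
        server.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    server.settimeout(2)
    server.bind(("0.0.0.0", 0))
    worker = threading.Thread(target=serve_one, args=(server, use_pktinfo))
    worker.start()
    try:
        return query_reply_source(target_ip, server.getsockname()[1])
    finally:
        worker.join()
        server.close()
```

Querying 127.0.0.2 shows the difference: the plain reply comes back from 127.0.0.1, the IP_PKTINFO reply from 127.0.0.2, which is the check a client comparing source and destination addresses would apply.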
