MIT KDC only listening on lo
fredrik at dolda2000.com
Wed Sep 22 20:31:37 EDT 2004
On Wed, 2004-09-22 at 20:12 -0400, Ken Raeburn wrote:
> On Sep 22, 2004, at 19:58, Fredrik Tolf wrote:
> >> Shouldn't be hard. I think you need to dig up the code in the krb5
> >> library (or include directory, or a copy in the KDC code? I forget
> >> where 1.3 had it) that looks for IFF_LOOPBACK and disable it.
> > It would be much better if it would listen to 0.0.0.0, since if I leave
> > the network and then come back, I'm not always certain to be given the
> > same IP address by the DHCP server. If I would get a new one, I'd have
> Taking out the IFF_LOOPBACK check just means it should start listening
> on 127.0.0.1, and you could stick "localhost" into your config file.
> If you're using a DHCP-assigned address, you need to update your config
> file to point to the new local name, unless your software is tweaking
> /etc/hosts to map some fixed name to your current address, or you get
> dynamic DNS updates or something.
Precisely - I have DDNS.
> >> Listening on 0.0.0.0 for UDP traffic may not work for hosts with
> >> multiple addresses, since the client code may be checking that it got
> >> its response back from the same address to which it sent the query.
> > I'm sorry, but I'm not seeing the problem. When the reply is sent back,
> > surely the kernel fills in the interface address in the source field of
> > the IP header? Or am I missing something here?
> Yes, it does. However, that interface is chosen by the destination
> address, generally, and not by the address the client used to contact
> you. If the client used address #1 because it was first in the list,
> and the packet came in on interface #1, but based on the client's
> address, the KDC host believes that the faster route to it is through
> interface #2, then the address for interface #2 will be used if you
> don't force it to do otherwise. A similar issue comes up if one
> interface has multiple addresses.
Of course... I was thinking that clients would always send their
requests to the nearest interface, but I realize now that that naturally
isn't always the case.
> > I see... that would be a problem, I guess. I was under the impression
> > that tickets still include the host address by default (isn't that the
> > reason for the "Proxiable" flag?). Is that not true?
> I think we changed the defaults in 1.3; if not, it's changed in 1.4.
> Running "klist -a" would tell you if your tickets have addresses.
Indeed you are right - no addresses in there.
More information about the Kerberos