MIT KDC only listening on lo

Fredrik Tolf fredrik at
Wed Sep 22 20:31:37 EDT 2004

On Wed, 2004-09-22 at 20:12 -0400, Ken Raeburn wrote:
> On Sep 22, 2004, at 19:58, Fredrik Tolf wrote:
> >> Shouldn't be hard.  I think you need to dig up the code in the krb5
> >> library (or include directory, or a copy in the KDC code? I forget
> >> where 1.3 had it) that looks for IFF_LOOPBACK and disable it.
> >
> > It would be much better if it would listen to, since if I leave
> > the network and then come back, I'm not always certain to be given the
> > same IP address by the DHCP server. If I would get a new one, I'd have
> Taking out the IFF_LOOPBACK check just means it should start listening 
> on, and you could stick "localhost" into your config file.  
> If you're using a DHCP-assigned address, you need to update your config 
> file to point to the new local name, unless your software is tweaking 
> /etc/hosts to map some fixed name to your current address, or you get 
> dynamic DNS updates or something.

Precisely - I have DDNS.

> >> Listening on for UDP traffic may not work for hosts with
> >> multiple addresses, since the client code may be checking that it got
> >> its response back from the same address to which it sent the query.
> >
> > I'm sorry, but I'm not seeing the problem. When the reply is sent back,
> > surely the kernel fills in the interface address in the source field of
> > the IP header? Or am I missing something here?
> Yes, it does.  However, that interface is chosen by the destination 
> address, generally, and not by the address the client used to contact 
> you.  If the client used address #1 because it was first in the list, 
> and the packet came in on interface #1, but based on the client's 
> address, the KDC host believes that the faster route to it is through 
> interface #2, then the address for interface #2 will be used if you 
> don't force it to do otherwise.  A similar issue comes up if one 
> interface has multiple addresses.

Of course... I was thinking that clients would always send their
requests to the nearest interface, but I realize now that that naturally
isn't always the case.

> > I see... that would be a problem, I guess. I was under the impression
> > that tickets still include the host address by default (isn't that the
> > reason for the "Proxiable" flag?). Is that not true?
> I think we changed the defaults in 1.3; if not, it's changed in 1.4.  
> Running "klist -a" would tell you if your tickets have addresses.

Indeed you are right - no addresses in there.

Fredrik Tolf

More information about the Kerberos mailing list