How does enabling any other security protocol affect Kerberos
Chaskiel M Grundman
cg2v at andrew.cmu.edu
Mon Nov 21 12:09:45 EST 2005
--On Monday, November 21, 2005 05:07:49 AM -0800 sandypossible at gmail.com
wrote:
> Hi all,
>
> I am wondering if enabling any other security protocol say such as SSL,
> IPsec or Cipe affects Kerberos functionality?

I'm going to assume that by 'SSL' you mean 'SSL VPN'. (SSL use in
application protocols like http and imap does not affect Kerberos
functionality.)

Activating a VPN tunnel, whether it is based on SSL, IPsec, or CIPE, causes
the IP address of packets you originate to change. If your Kerberos tickets
have embedded IP addresses, this may cause them to be unusable if they are
acquired before the tunnel is activated and used after (or vice versa). If
you kinit after the tunnel is activated, this will not be a problem.

You can also set

    no-addresses = true

in the [libdefaults] section of your krb5.conf to prevent kinit from
requesting a TGT with embedded addresses.
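
An added example, not part of the original post: a check for which cached tickets carry embedded addresses that no longer match the source address once a tunnel is up. It assumes text in the layout printed by MIT `klist -a -n`; the sample cache, principals and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample laid out like MIT `klist -a -n` output (not real tickets).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting     Expires            Service principal
11/21/05 09:00:00  11/21/05 19:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\tAddresses: 192.0.2.10
11/21/05 09:05:00  11/21/05 19:00:00  imap/mail.example.org@EXAMPLE.ORG
\tAddresses: (none)
"""

# "<date> <time>  <date> <time>  <service principal>"
TICKET_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(\S+@\S+)$")


def parse_tickets(klist_text):
    """Return [(service_principal, [addresses])]; an empty list means addressless."""
    tickets = []
    for line in klist_text.splitlines():
        match = TICKET_RE.match(line)
        if match:
            tickets.append((match.group(1), []))
        elif line.strip().startswith("Addresses:") and tickets:
            value = line.split(":", 1)[1].strip()
            if value != "(none)":
                tickets[-1][1].extend(
                    ipaddress.ip_address(a.strip()) for a in value.split(","))
    return tickets


def unusable_from(klist_text, source_ip):
    """Service principals whose embedded address list excludes source_ip."""
    src = ipaddress.ip_address(source_ip)
    return [svc for svc, addrs in parse_tickets(klist_text)
            if addrs and src not in addrs]


if __name__ == "__main__":
    # 10.8.0.6 stands in for the address assigned by the tunnel (constructed).
    for svc in unusable_from(SAMPLE_KLIST, "10.8.0.6"):
        print("address-restricted ticket will not match new source:", svc)
```

Tickets listed with `Addresses: (none)` are never flagged, which is the state that kinit produces when it does not request embedded addresses.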