Why do krb5kdc and kadmind set up ports for listening differently?
Ken Raeburn
raeburn at MIT.EDU
Tue Feb 19 09:43:52 EST 2008
On Feb 19, 2008, at 02:17, Sachin Punadikar wrote:
> While doing code walkthrough of krb5kdc and kadmind programs,
> I noticed a difference between these two in the way they set up the
> ports for listening.
> krb5kdc uses ioctl calls to get the interface list and then on each
> interface/ip-address it sets up the port for listening.
> While in case of kadmind it uses wildcard to set up the port for
> listening.
>
> Any specific reason for having different approaches while setting
> up ports?
The UDP service offered by the KDC needs to respond from the same IP
address that the client used to reach it. That's not possible with a
wildcard-address listener unless your system has support for
IP_PKTINFO or IPV6_PKTINFO, which is now supported in our code as
well. The TCP listener does use a wildcard address.
In kadmind, we're only using TCP, so it can just use the wildcard.
The krb524d server uses a wildcard address for UDP, I believe. I
don't recall if the client code checks the server's address; it may
be a bug to use the wildcard, and we may need to revise the code to
match the KDC's code someday, if anyone cares.
--
Ken Raeburn, Senior Programmer
MIT Kerberos Consortium
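To make the point above concrete, here is an added example (written for this page, not code from the MIT Kerberos sources) of the IP_PKTINFO technique Ken describes: a UDP/IPv4 socket bound to 0.0.0.0 asks the kernel for IP_PKTINFO, pulls the destination address of each request out of the recvmsg() ancillary data, and hands it back to sendmsg() as ipi_spec_dst so the reply leaves from the address the client actually used. It assumes Linux (any 127/8 address is local there, which the loopback self-check relies on); the function names recv_with_dest, reply_from_dest and reply_source_matches are this example's own.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* One received datagram: the peer to answer, plus the IP_PKTINFO record
 * (ipi_addr = destination in the IP header, ipi_ifindex = arrival interface). */
struct dgram_meta {
    struct sockaddr_in peer;
    struct in_pktinfo pkti;
    int have_pkti;
};

static int set_rcv_timeout(int fd, int secs)   /* a lost datagram fails instead of hanging */
{ struct timeval tv = { .tv_sec = secs }; return setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv); }

/* Bind UDP/IPv4 to 0.0.0.0 on a kernel-chosen port (returned in network byte
 * order) and enable IP_PKTINFO so recvmsg() reports each datagram's destination. */
int open_wildcard_udp4(in_port_t *port_net)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0), on = 1;
    struct sockaddr_in any = { .sin_family = AF_INET };   /* INADDR_ANY, port 0 */
    socklen_t len = sizeof any;
    if (fd < 0) return -1;
    if (setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &on, sizeof on) < 0 ||
        set_rcv_timeout(fd, 2) < 0 ||
        bind(fd, (struct sockaddr *)&any, sizeof any) < 0 ||
        getsockname(fd, (struct sockaddr *)&any, &len) < 0) {
        close(fd);
        return -1;
    }
    *port_net = any.sin_port;
    return fd;
}

/* recvmsg() with a control buffer, then walk the cmsg chain for IP_PKTINFO. */
ssize_t recv_with_dest(int fd, void *buf, size_t len, struct dgram_meta *m)
{
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    struct msghdr msg = { .msg_name = &m->peer, .msg_namelen = sizeof m->peer,
                          .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    memset(m, 0, sizeof *m);
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0) return n;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            memcpy(&m->pkti, CMSG_DATA(c), sizeof m->pkti);
            m->have_pkti = 1;
        }
    return n;
}

/* sendmsg() the reply with an IP_PKTINFO whose ipi_spec_dst is the address the
 * request arrived on. Without it the kernel picks the source by route, which on
 * a multi-homed host need not be the address the client sent to. */
ssize_t reply_from_dest(int fd, const void *buf, size_t len, const struct dgram_meta *m)
{
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))] = { 0 };
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    struct msghdr msg = { .msg_name = (void *)&m->peer, .msg_namelen = sizeof m->peer,
                          .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = m->have_pkti ? sizeof cbuf : 0 };
    if (m->have_pkti) {
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        /* ifindex 0: let the kernel pick the interface; spec_dst fixes the source address */
        struct in_pktinfo pi = { .ipi_ifindex = 0, .ipi_spec_dst = m->pkti.ipi_addr };
        c->cmsg_level = IPPROTO_IP;
        c->cmsg_type = IP_PKTINFO;
        c->cmsg_len = CMSG_LEN(sizeof pi);
        memcpy(CMSG_DATA(c), &pi, sizeof pi);
    }
    return sendmsg(fd, &msg, 0);
}

/* Loopback self-check (Linux: every 127/8 address is local). The client sends to
 * server_ip while the server listens on 0.0.0.0; returns 1 when the server saw
 * server_ip in IP_PKTINFO and the client saw the reply come back from server_ip. */
int reply_source_matches(const char *server_ip)
{
    char buf[64], seen[INET_ADDRSTRLEN], src[INET_ADDRSTRLEN];
    struct dgram_meta m;
    struct sockaddr_in to = { .sin_family = AF_INET }, from;
    socklen_t flen = sizeof from;
    int ok = 0, srv = open_wildcard_udp4(&to.sin_port), cli = socket(AF_INET, SOCK_DGRAM, 0);
    if (srv < 0 || cli < 0 || set_rcv_timeout(cli, 2) < 0) goto out;
    inet_pton(AF_INET, server_ip, &to.sin_addr);
    if (sendto(cli, "ping", 4, 0, (struct sockaddr *)&to, sizeof to) != 4) goto out;
    if (recv_with_dest(srv, buf, sizeof buf, &m) != 4 || !m.have_pkti) goto out;
    inet_ntop(AF_INET, &m.pkti.ipi_addr, seen, sizeof seen);
    if (reply_from_dest(srv, "pong", 4, &m) != 4) goto out;
    if (recvfrom(cli, buf, sizeof buf, 0, (struct sockaddr *)&from, &flen) != 4) goto out;
    inet_ntop(AF_INET, &from.sin_addr, src, sizeof src);
    ok = strcmp(seen, server_ip) == 0 && strcmp(src, server_ip) == 0;
out:
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    return ok;
}
```

Sending to 127.0.0.2 is the interesting case: the client's own source address is 127.0.0.1, so a server that just called sendto() would reply from 127.0.0.1 and a client that compares the reply's source with the address it sent to would drop it; with the cmsg the reply comes from 127.0.0.2. The same receive/send pattern applies to IPv6, where the option is enabled with IPV6_RECVPKTINFO and the ancillary record is IPV6_PKTINFO carrying a struct in6_pktinfo; on the BSDs the IPv4 destination is obtained with IP_RECVDSTADDR instead.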