Why do krb5kdc and kadmind set up ports for listening differently?

Ken Raeburn raeburn at MIT.EDU
Tue Feb 19 09:43:52 EST 2008


On Feb 19, 2008, at 02:17, Sachin Punadikar wrote:
> While doing a code walkthrough of the krb5kdc and kadmind programs,
> I noticed a difference between these two in the way they set up the
> ports for listening.
> krb5kdc uses ioctl calls to get the interface list and then on each
> interface/IP address it sets up the port for listening.
> While in the case of kadmind it uses a wildcard to set up the port for
> listening.
>
> Any specific reason for having different approaches while setting  
> up ports?

The UDP service offered by the KDC needs to respond from the same IP  
address that the client used to reach it.  That's not possible with a  
wildcard-address listener unless your system has support for  
IP_PKTINFO or IPV6_PKTINFO, which is now supported in our code as  
well.  The TCP listener does use a wildcard address.

In kadmind, we're only using TCP, so it can just use the wildcard.

The krb524d server uses a wildcard address for UDP, I believe.  I  
don't recall if the client code checks the server's address; it may  
be a bug to use the wildcard, and we may need to revise the code to  
match the KDC's code someday, if anyone cares.

-- 
Ken Raeburn, Senior Programmer
MIT Kerberos Consortium
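
The technique the reply describes, as an added example that is not part of the original message and is not MIT krb5 code: a wildcard-bound IPv4 UDP socket reads each datagram's destination address from IP_PKTINFO and sends the reply from that same address. It assumes Linux/glibc; the function names are hypothetical, and IPV6_PKTINFO would need the analogous handling.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose struct in_pktinfo */
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define CTL_LEN CMSG_SPACE(sizeof(struct in_pktinfo))
/* Have the kernel attach IP_PKTINFO to datagrams on a wildcard-bound socket. */
int enable_pktinfo(int fd)
{
    return setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &(int){1}, sizeof(int));
}

/* Address the client sent to (ipi_addr); -1 if no IP_PKTINFO data. */
int pktinfo_dst(struct msghdr *m, struct in_addr *dst)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(m); c; c = CMSG_NXTHDR(m, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            struct in_pktinfo pi;
            memcpy(&pi, CMSG_DATA(c), sizeof pi);
            *dst = pi.ipi_addr;
            return 0;
        }
    return -1;
}

/* Make sendmsg() use src as the reply's source address (ipi_spec_dst). */
void pktinfo_set_src(struct msghdr *m, struct in_addr src)
{
    struct in_pktinfo pi = { .ipi_spec_dst = src };
    m->msg_controllen = CTL_LEN;
    struct cmsghdr *c = CMSG_FIRSTHDR(m);
    c->cmsg_level = IPPROTO_IP; c->cmsg_type = IP_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof pi);
    memcpy(CMSG_DATA(c), &pi, sizeof pi);
}

/* Echo one datagram back from the address it arrived on; -1 on failure. */
ssize_t echo_from_dst(int fd)
{
    union { struct cmsghdr align; char b[CTL_LEN]; } ctl;
    struct sockaddr_in peer; struct in_addr dst; char buf[1500];
    struct iovec iov = { buf, sizeof buf };
    struct msghdr m = { .msg_name = &peer, .msg_namelen = sizeof peer,
                        .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = &ctl, .msg_controllen = sizeof ctl };
    ssize_t n = recvmsg(fd, &m, 0);
    if (n < 0 || pktinfo_dst(&m, &dst) < 0) return -1;
    iov.iov_len = (size_t)n;
    pktinfo_set_src(&m, dst);
    return sendmsg(fd, &m, 0);
}
```

Without the `ipi_spec_dst` control message, the kernel picks the reply's source address from its routing table, which on a multihomed host may differ from the address the client contacted.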



