Help: noaddresses help

Edgecombe, Jason jwedgeco at uncc.edu
Mon Mar 10 09:07:38 EDT 2008


If part of the network is behind NAT, then using addressless tickets or
cross-realm authentication is the answer.

In the addressless case, your KDC must be seen from inside and outside
the NAT. I think in this case, the KDC must be dual-homed on both
networks.

Put the following in the krb5.conf file in all client machines and put
the noaddresses line in the kdc config as well.

[libdefaults]
    forwardable = true
    noaddresses = true

In your case, all machines that people will ssh to from the gateway must
have host principals installed correctly to enable single sign-on.

If you pursue the cross-realm route, noaddresses may or may not be
necessary, but host principals are still necessary in addition to the
host principals.

Jason

Jason Edgecombe
Solaris & Linux Administrator
Mosaic Computing Group, College of Engineering
UNC-Charlotte
Phone: (704) 687-3514
 

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of jeetjoshi4u at gmail.com
Sent: Friday, March 07, 2008 6:13 AM
To: kerberos at mit.edu
Subject: Re: Help: noaddresses help

Hello Everyone,

       I am still searching for any solution on the situation
described.

Hoping for any help.

Thank you
Jeet
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
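
Added example, not part of the original message: a small check that a krb5.conf text really sets the two [libdefaults] options from the reply above at the top level of that section. The function names and the sample file are constructed for illustration; the accepted boolean spellings are those of MIT krb5 and are an assumption for other implementations.

```python
import re

# Boolean spellings MIT krb5 accepts in its profile files (assumption for other builds).
TRUE = {"y", "yes", "true", "t", "1", "on"}
FALSE = {"n", "no", "false", "nil", "0", "off"}
WANTED = ("forwardable", "noaddresses")

def libdefaults(text):
    """Return key -> raw value for top-level relations in [libdefaults]."""
    section, depth, found = None, 0, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m and depth == 0:                      # new section header
            section = m.group(1).strip()
        elif line.endswith("{"):                  # nested block opens, e.g. REALM = {
            depth += 1
        elif line.startswith("}"):                # nested block closes
            depth = max(depth - 1, 0)
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            found.setdefault(key, value)          # keep the first occurrence
    return found

def audit(text):
    """Map each wanted option to True, False, or None (unset or unparseable)."""
    conf = libdefaults(text)
    result = {}
    for key in WANTED:
        v = conf.get(key, "").lower()
        result[key] = True if v in TRUE else (False if v in FALSE else None)
    return result

def missing(text):
    """List the wanted options that are not explicitly enabled."""
    return [k for k, v in audit(text).items() if v is not True]

# Constructed sample: noaddresses is switched off, so it gets reported.
SAMPLE = """\
[libdefaults]
    forwardable = yes
    noaddresses = false
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""

if __name__ == "__main__":
    print(missing(SAMPLE))
```

An option reported as None is simply not set in the file, so the library's built-in default applies on that machine.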
