kdc listening on too many interfaces
Ken Raeburn
raeburn at MIT.EDU
Sun Jun 7 15:41:02 EDT 2009
On Jun 7, 2009, at 07:48, Steve Devine wrote:
> Everything works fine and in theory I see no harm but still it seems
> wrong.
> It seems like I ought to be able to disable listening on the backnet
> interface.
> Is this so or no?
At present there is no way to control which IP addresses the KDC
process listens on. (The message from Bjørn Tore Sun outlines how to
select the port numbers and whether the KDC listens for TCP
connections, but not a change in IP addresses.) It's assumed for now
that all IP addresses may be advertised in DNS as belonging to the KDC
(yes, we know it's not necessarily true), so we should listen just in
case. The ability to listen on just some addresses has been
requested, but so far hasn't made it far up the priority list, since
it's generally harmless as you say, unless there's some reason you
need the KDC to *not* listen on certain IP addresses.
--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium