bind KDC to single interface?

Ken Raeburn raeburn at MIT.EDU
Tue Feb 23 02:17:17 EST 2010


On Feb 22, 2010, at 18:32, Greg Hudson wrote:
> On Mon, 2010-02-22 at 16:56 -0500, Abe Singer wrote:
>> Am I missing something in the documentation, or is there no way to tell
>> krb5kdc to bind to a single network interface (as opposed to binding to
>> all of them)?
> 
> My reading of the code is that the KDC listener sockets are always bound
> to INADDR_ANY (or the IPv6 equivalent).

Sort of... the KDC needs to be able to return a response from the same (KDC-side) address that the client used, so it either needs something like IP(V6)_PKTINFO support, in which case it can use IN(6)ADDR_ANY, or it needs to bind a socket on each local address.  While I've occasionally heard queries about whether it's possible to bind to one address only, and it would probably be good to offer that someday, I've never heard anyone indicate why accepting Kerberos traffic on the other addresses is a problem....  Perhaps if you want to run a KDC for a different realm on a different address on the same machine, but you can serve up multiple realms from one KDC process.  Or maybe they're running the KDC on a machine accessible from both internal and external networks, and have a security policy in place that prohibits the latter because of the offline-password-attack risk?

But, short answer, yeah, there's no option for that currently.  It's one of a few things I've been thinking about tweaking in the KDC network handling though...

Ken
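Added example, not code from the krb5 project or from Ken's message: a UDP responder bound to INADDR_ANY that uses IP_PKTINFO to learn which local address the client addressed and to reply from that same address, which is the requirement Ken describes (the alternative being one socket bound per local address). It assumes Linux (struct in_pktinfo layout, all of 127/8 local) and Python 3.3+; the "AS-REQ"/"KDC-REP" payloads are constructed placeholders, not Kerberos messages.

```python
import socket
import struct

# Linux value of IP_PKTINFO, used only if this Python build lacks the constant.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
# struct in_pktinfo on Linux: int ipi_ifindex; struct in_addr ipi_spec_dst; struct in_addr ipi_addr;
PKTINFO_FMT = "i4s4s"
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)


def listen_any(port):
    """Bind one UDP socket to INADDR_ANY and ask the kernel for per-datagram destination info."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    s.bind(("0.0.0.0", port))
    return s


def answer_one(server):
    """Receive one datagram and reply from the exact local address the client sent it to.
    Returns that local address so the caller can see which 'face' of the host was used."""
    data, ancdata, _flags, peer = server.recvmsg(4096, socket.CMSG_SPACE(PKTINFO_LEN))
    local = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, addr = struct.unpack(PKTINFO_FMT, cdata[:PKTINFO_LEN])
            local = socket.inet_ntoa(addr)  # ipi_addr: destination the client actually used
    if local is None:
        raise RuntimeError("no IP_PKTINFO attached; reply source would be chosen by routing instead")
    # On send, ipi_spec_dst selects the source address; ifindex 0 lets routing pick the interface.
    cmsg = struct.pack(PKTINFO_FMT, 0, socket.inet_aton(local), b"\0" * 4)
    server.sendmsg([b"KDC-REP:" + data], [(socket.IPPROTO_IP, IP_PKTINFO, cmsg)], 0, peer)
    return local


def round_trip(target):
    """Constructed client: send to `target` on loopback, return (reply source address, payload).
    On Linux, target='127.0.0.2' shows the reply coming back from 127.0.0.2, not 127.0.0.1."""
    server = listen_any(0)
    port = server.getsockname()[1]
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2)
    try:
        client.sendto(b"AS-REQ", (target, port))
        answer_one(server)
        reply, (src, _) = client.recvfrom(4096)
        return src, reply
    finally:
        client.close()
        server.close()
```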


