client IP address in Kerberos ticket.

Russ Allbery eagle at
Fri Jul 21 17:53:24 EDT 2017

Jim Shi <hjshi at> writes:

> Hi, I have question regarding client IP address checking in KDC.  Is
> that true that by default  tickets  issued by KDC is not bound to any
> client IP address.  Also KDC server does not check IP if the ticket does
> not have  any client IP address in it.

> Do we have to explicitly  turn on the client IP address checking on KDC?
> How to do it?  Thank you very much.

I am dubious that IP address checking is a meaningful security measure.
My recommendation would be to forget that it exists and not rely on it for
your security model.

You're correct that the default value of the noaddresses configuration
option is true, largely because address-locked tickets tend to cause tons
of problems in modern network environments that often involve NAT.

Russ Allbery (eagle at              <>

More information about the Kerberos mailing list