krb5_rd_cred checks IP address.

Steven Michaud smch at
Fri Feb 8 11:11:00 EST 2002

Yes, if you take address checking out of krb5_rd_req() (and its
relatives), there's no point leaving it in krb5_rd_cred().  Are you
really thinking of doing that?  Then even a KDC couldn't check the
addresses in a (addressful) TGT when a request came in for a service

Actually, I'd be happy to see all address checking disappear except
that done by the KDC.  Including GSSAPI's channel bindings.  Like you
said with respect to krb5_rd_cred(), non-KDC address checking just
makes life miserable for NAT users without appreciably increasing
security.  But GSSAPI is a published standard, and people may (for
whatever reason) still want to use the other non-KDC address checking.
If they want to wear this particular hair shirt, why not let them do
so, if they choose? :-)

On 7 Feb 2002, Sam Hartman wrote:

> >>>>> "Steven" == Steven Michaud <smch at> writes:
>  Steven> Why not figure out a way to leave the address-checking decision up
>  Steven> to the application server?  (I.e. why not let whoever runs the
>  Steven> application server use a command-line parameter to determine whether
>  Steven> or not address-checking will be done?)
> OK, I think my argument would be that address checking is even less
> useful for rd_cred than for rd_req.

More information about the krbdev mailing list