krb5_rd_cred checks IP address.
Steven Michaud
smch at midway.uchicago.edu
Fri Feb 8 11:11:00 EST 2002

Yes, if you take address checking out of krb5_rd_req() (and its
relatives), there's no point leaving it in krb5_rd_cred(). Are you
really thinking of doing that? Then even a KDC couldn't check the
addresses in a (addressful) TGT when a request came in for a service
ticket.

Actually, I'd be happy to see all address checking disappear except
that done by the KDC. Including GSSAPI's channel bindings. Like you
said with respect to krb5_rd_cred(), non-KDC address checking just
makes life miserable for NAT users without appreciably increasing
security. But GSSAPI is a published standard, and people may (for
whatever reason) still want to use the other non-KDC address checking.
If they want to wear this particular hair shirt, why not let them do
so, if they choose? :-)

On 7 Feb 2002, Sam Hartman wrote:
> >>>>> "Steven" == Steven Michaud <smch at midway.uchicago.edu> writes:
>
> Steven> Why not figure out a way to leave the address-checking decision up
> Steven> to the application server? (I.e. why not let whoever runs the
> Steven> application server use a command-line parameter to determine whether
> Steven> or not address-checking will be done?)
>
> OK, I think my argument would be that address checking is even less
> useful for rd_cred than for rd_req.
>
>