krb5_rd_cred checks IP address.
Booker C. Bense
bbense at networking.stanford.edu
Fri Feb 8 11:31:00 EST 2002
On Fri, 8 Feb 2002, Steven Michaud wrote:
> Yes, if you take address checking out of krb5_rd_req() (and its
> relatives), there's no point leaving it in krb5_rd_cred(). Are you
> really thinking of doing that? Then even a KDC couldn't check the
> addresses in a (addressful) TGT when a request came in for a service
> ticket.
>
> Actually, I'd be happy to see all address checking disappear except
> that done by the KDC. Including GSSAPI's channel bindings. Like you
> said with respect to krb5_rd_cred(), non-KDC address checking just
> makes life miserable for NAT users without appreciably increasing
> security. But GSSAPI is a published standard, and people may (for
> whatever reason) still want to use the other non-KDC address checking.
> If they want to wear this particular hair shirt, why not let them do
> so, if they choose? :-)
>
- What I did in our copy of the MIT code in the K4 tree was to key
IP address checking in krb_rd_req on an environmental variable.
Yes, this is evil, but at least when the hair shirt people show
up I have a switch to give them.
- You can see this and a lot of other patches at
http://www.stanford.edu/~bbense/stanford_krb_patches
- I was waiting to announce this until I could put some comments about
what these various things do and I updated the tree to 1.2.3, but
those things don't seem to be happening and since things are
pretty up in the air at Stanford these days, I can't guarantee
how long they'll be available.
- Booker C. Bense
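The environment-variable switch Booker describes, as an added example that is not MIT Kerberos code or the Stanford patch: a plain-C model of the address comparison krb5_rd_req makes on an addressful ticket, with the check bypassed when a switch is set. The struct and function names and the variable KRB5_SKIP_ADDR_CHECK are hypothetical, and the addresses used are constructed sample input.

```c
/* Added example, not MIT Kerberos code: a minimal model of the address
 * check krb5_rd_req makes on an addressful ticket, plus the environment
 * variable switch the post describes. KRB5_SKIP_ADDR_CHECK is hypothetical. */
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
/* IPv4 addresses carried in the ticket, held as 4 raw network-order bytes
 * the way a krb5_address of type ADDRTYPE_INET would carry them. */
struct ticket_addrs {
    int count;                /* 0 means an addressless ticket */
    unsigned char addr[4][4]; /* at most 4 addresses in this model */
};
/* Dotted-quad text to raw bytes; returns 0 on malformed input. */
static int parse_v4(const char *text, unsigned char out[4]) {
    struct in_addr a;
    if (inet_pton(AF_INET, text, &a) != 1) return 0;
    memcpy(out, &a.s_addr, 4);
    return 1;
}
/* Build the ticket's address list from constructed dotted-quad strings. */
int make_ticket(struct ticket_addrs *t, const char **addrs, int n) {
    t->count = 0;
    for (int i = 0; i < n && i < 4; i++) {
        if (!parse_v4(addrs[i], t->addr[t->count])) return 0;
        t->count++;
    }
    return 1;
}
/* 1 if the peer address is in the ticket's list. An addressless ticket
 * passes from anywhere, as the protocol allows. */
int ticket_permits_peer(const struct ticket_addrs *t, const char *peer) {
    unsigned char p[4];
    if (t->count == 0) return 1;
    if (!parse_v4(peer, p)) return 0;
    for (int i = 0; i < t->count; i++)
        if (memcmp(t->addr[i], p, 4) == 0) return 1;
    return 0;
}
/* The post's switch: a non-NULL value (the variable being set in the
 * environment) skips the check, which lets a NAT client (ticket says
 * 10.0.0.5, packet arrives from the NAT's public address) through at the
 * cost of the ticket's IP binding. */
int address_check_with_switch(const struct ticket_addrs *t, const char *peer,
                              const char *skip_switch) {
    if (skip_switch != NULL) return 1;
    return ticket_permits_peer(t, peer);
}
int rd_req_address_check(const struct ticket_addrs *t, const char *peer) {
    return address_check_with_switch(t, peer, getenv("KRB5_SKIP_ADDR_CHECK"));
}
```

With the switch unset the NAT case fails exactly as the thread complains; with it set, the ticket is treated as if it carried no addresses.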