krb5_rd_cred checks IP address.

Booker C. Bense bbense at networking.stanford.edu
Fri Feb 8 11:31:00 EST 2002


On Fri, 8 Feb 2002, Steven Michaud wrote:

> Yes, if you take address checking out of krb5_rd_req() (and its
> relatives), there's no point leaving it in krb5_rd_cred().  Are you
> really thinking of doing that?  Then even a KDC couldn't check the
> addresses in a (addressful) TGT when a request came in for a service
> ticket.
>
> Actually, I'd be happy to see all address checking disappear except
> that done by the KDC.  Including GSSAPI's channel bindings.  Like you
> said with respect to krb5_rd_cred(), non-KDC address checking just
> makes life miserable for NAT users without appreciably increasing
> security.  But GSSAPI is a published standard, and people may (for
> whatever reason) still want to use the other non-KDC address checking.
> If they want to wear this particular hair shirt, why not let them do
> so, if they choose? :-)
>

- What I did in our copy of the MIT code in the K4 tree was to key
IP address checking in krb_rd_req on an environmental variable.
Yes, this is evil, but at least when the hair shirt people show
up I have a switch to give them.

- You can see this and a lot of other patches at

	http://www.stanford.edu/~bbense/stanford_krb_patches

- I was waiting to announce this until I could put some comments about
what these various things do and I updated the tree to 1.2.3, but
those things don't seem to be happening and since things are
pretty up in the air at Stanford these days, I can't guarantee
how long they'll be available.

- Booker C. Bense
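A sketch of what keying the ticket address check on an environment variable looks like, as an added example: this is not the Stanford patch or MIT code, and the variable name KRB_RD_REQ_SKIP_ADDR_CHECK, the ticket_addrs_t type, and the rd_req_address_check helper are assumptions made for the illustration. The design choice worth noting is that the switch fails closed: checking is on unless the variable is set to an explicit opt-out value, and skipping is logged so the relaxation is visible.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Name of the opt-out switch. This is an assumption for the example; the
 * message does not say what the Stanford patch actually keys on. */
#define ADDR_CHECK_SKIP_ENV "KRB_RD_REQ_SKIP_ADDR_CHECK"

#define MAX_TICKET_ADDRS 8

/* Toy stand-in for the address list carried in an "addressful" ticket:
 * IPv4 addresses in network byte order; n == 0 means an addressless ticket. */
typedef struct {
    uint32_t addrs[MAX_TICKET_ADDRS];
    size_t n;
} ticket_addrs_t;

/* Parse dotted-quad text into network byte order. Returns 0 on success. */
int parse_ipv4(const char *text, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, text, &a) != 1)
        return -1;
    *out = a.s_addr;
    return 0;
}

/* Build a ticket address list from dotted-quad strings. Returns 0 on success. */
int ticket_addrs_from_strings(ticket_addrs_t *t, const char **strs, size_t n)
{
    if (n > MAX_TICKET_ADDRS)
        return -1;
    t->n = 0;
    for (size_t i = 0; i < n; i++) {
        if (parse_ipv4(strs[i], &t->addrs[i]) != 0)
            return -1;
        t->n++;
    }
    return 0;
}

/* The check itself: an addressless ticket is accepted from anywhere; an
 * addressful ticket only from one of the addresses it lists. */
int addresses_match(const ticket_addrs_t *t, uint32_t peer)
{
    if (t->n == 0)
        return 1;
    for (size_t i = 0; i < t->n; i++)
        if (t->addrs[i] == peer)
            return 1;
    return 0;
}

/* The switch. Checking stays on unless the variable is set to an explicit
 * opt-out value, so an unset or mistyped variable fails closed. */
int addr_check_enabled(void)
{
    const char *v = getenv(ADDR_CHECK_SKIP_ENV);
    if (v == NULL)
        return 1;
    if (strcmp(v, "1") == 0 || strcmp(v, "yes") == 0)
        return 0;
    return 1;
}

/* What an rd_req-style routine would call after decrypting the ticket.
 * Returns 1 to accept, 0 to reject. A skipped check is reported on stderr
 * so the relaxed mode shows up in the service's logs. */
int rd_req_address_check(const ticket_addrs_t *t, uint32_t peer)
{
    if (!addr_check_enabled()) {
        fprintf(stderr, "rd_req: ticket address check skipped via %s\n",
                ADDR_CHECK_SKIP_ENV);
        return 1;
    }
    return addresses_match(t, peer);
}
```

One caveat a practitioner would want: a library that reads its environment inherits whatever the parent process set, so a service that must never relax the check (a setuid helper, for instance) should ignore the variable rather than honour it.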
