krb5 address checks and loopback connections

Ken Raeburn raeburn at MIT.EDU
Fri Jul 5 21:56:01 EDT 2002


I just checked in some code to enable the use of IPv6 sockets in the
KDC.  (More work is needed in this area, and I'm looking at TCP
support too.)

It breaks the test suite in interesting ways on at least some Linux
systems.  Apparently, on Linux, messages sent to IPv6 addresses owned
by the local machine are routed via the loopback interface, and thus
use the source address "::1" unless otherwise specified.  Since ::1 is
not in the tickets' address list, the KDC will reject TGTs sent to it
this way.

Solaris, at least, doesn't have this problem.  It also won't break any
Linux system where looking up the local hostname doesn't return any
local IPv6 addresses; IPv4 under Linux doesn't behave this way.

This is also likely to be a problem for other services which could be
running on the same machine as a client program and using Kerberos to
authenticate, with address checks.  I can connect to the local
"finger" service on my machine, and the source address is again the
loopback address.

Assuming that the Linux behavior isn't going to get changed any time
soon, I think the address checks in the krb5 library need fixing.  Tom
suggested that if the source address is a loopback address and the
ticket has an address list, we look up all the local non-loopback
addresses (we already have this code) and see if any of them is listed
in the ticket address list.  This sort of assumes that some earlier
step has filtered out any spoofed packets with the loopback source
address.

Unless someone knows of a reason why this wouldn't be a good idea,
I'll probably go ahead and implement it.

Ken
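A worked version of the check Tom suggested, written as an added example that is not part of the original post and not the krb5 library's own code. It takes addresses as strings and uses constructed ticket and local-address lists; the real library would feed in the peer address from the socket and the list returned by its existing local-address lookup. Two points go beyond the proposal as stated and are assumptions: IPv4-mapped IPv6 addresses (::ffff:a.b.c.d, which a dual-stack socket can report for an IPv4 peer) are unwrapped before comparison, and a mapped loopback address is treated as loopback.

```python
import ipaddress

# Constructed sample data (not from the original post): a ticket issued with
# this host's non-loopback addresses, and the addresses configured on the host.
TICKET_ADDRS = ["192.0.2.10", "2001:db8::10"]
LOCAL_ADDRS = ["127.0.0.1", "::1", "192.0.2.10", "2001:db8::10"]


def canonical(addr):
    """Parse an address string; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4.

    Assumption beyond the proposal: a dual-stack socket may report an IPv4
    peer as an IPv4-mapped IPv6 address, so addresses are compared in
    canonical form.
    """
    a = ipaddress.ip_address(addr)
    if a.version == 6 and a.ipv4_mapped is not None:
        return a.ipv4_mapped
    return a


def is_loopback(addr):
    """True for 127.0.0.0/8, ::1, and (by the assumption above) mapped loopback."""
    return canonical(addr).is_loopback


def address_allowed(source, ticket_addrs, local_addrs):
    """Decide whether a message from `source` may use a ticket carrying `ticket_addrs`.

    Rules:
      1. A ticket with no address list is not address-restricted: accept.
      2. Source address listed in the ticket: accept (the existing check).
      3. Source is a loopback address: the peer is this machine, so accept if
         any of the host's non-loopback addresses appears in the ticket.
         This is only sound if spoofed packets carrying a loopback source
         have already been dropped (kernel or packet filter), as the post notes.
      4. Otherwise reject.
    """
    if not ticket_addrs:
        return True
    ticket = {canonical(a) for a in ticket_addrs}
    src = canonical(source)
    if src in ticket:
        return True
    if src.is_loopback:
        return any(
            canonical(a) in ticket
            for a in local_addrs
            if not is_loopback(a)
        )
    return False


def check_scenarios():
    """Replay the situations from the post; returns {label: decision}."""
    return {
        # Linux routes traffic to a local IPv6 address via loopback, source ::1.
        "ipv6 loopback, ticket has local addr": address_allowed("::1", TICKET_ADDRS, LOCAL_ADDRS),
        "ipv4 loopback, ticket has local addr": address_allowed("127.0.0.1", TICKET_ADDRS, LOCAL_ADDRS),
        "mapped loopback": address_allowed("::ffff:127.0.0.1", TICKET_ADDRS, LOCAL_ADDRS),
        "direct match": address_allowed("192.0.2.10", TICKET_ADDRS, LOCAL_ADDRS),
        "mapped direct match": address_allowed("::ffff:192.0.2.10", TICKET_ADDRS, LOCAL_ADDRS),
        "remote host": address_allowed("198.51.100.7", TICKET_ADDRS, LOCAL_ADDRS),
        # Ticket bound to some other host: a loopback source must not become a bypass.
        "loopback, ticket for other host": address_allowed("::1", ["192.0.2.99"], LOCAL_ADDRS),
        "addressless ticket": address_allowed("::1", [], LOCAL_ADDRS),
    }


if __name__ == "__main__":
    for label, ok in check_scenarios().items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {label}")
```

The "loopback, ticket for other host" case is the one that shows the fallback is not a blanket pass for local connections: a loopback source is only honoured when the ticket actually names one of this host's own addresses, so a ticket stolen from another machine and replayed over loopback is still rejected.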