Requesting use of addresses in forwardable tickets

Matt Crawford crawdad at
Wed Sep 11 09:56:00 EDT 2002

> CyberSafe (sigh) solved this problem by having the target host compare
> IP addresses in the forwarded tickets with it's local interfaces. If
> there was a mismatch, it would use TGS to acquire a new ticket that
> included a full set of tickets. Presumably, the socket used for this
> request was bound, as in bind(), to one of addresses available in the
> originally forwarded ticket. I believe they did this only if there was
> at one or more addresses in the forwarded ticket, so as to allow for
> meeting requirement 1. Perhaps this approach is worth considering.

I set out to implement that myself, but the number of calls between
where you know the addresses in the ticket and where you can bind()
the socket was too daunting, so I settled for something that
generally works in our environment -- the interface the user comes in
on, and hence the one whose address is in the ticket, is generally
the one that leads back to all the KDCs, so re-forwarding the ticket
to all the krb5_os_localaddr()'s usually works.

More information about the krbdev mailing list