Requesting use of addresses in forwardable tickets
Douglas E. Engert
deengert at anl.gov
Wed Sep 11 15:13:00 EDT 2002
Sam Hartman wrote:
>
> >>>>> "Douglas" == Douglas E Engert <deengert at anl.gov> writes:
>
> Douglas> Are there (or can there) be any plans to allow a client
> Douglas> to not request addresses in the forwardable tickets? You
> Douglas> can already do this in kinit for the initial ticket.
>
> It seems this is only consistent with the WG direction away from addresses in tickets by default.
>
> Douglas> One way would be to not add addresses to a forwardable
> Douglas> tickets if the original TGT did not have addresses.
>
> Sounds like a winner to me.
Well then, here is an (untested) mod to the KDC which should not
add addresses if the original TGT did not have addresses:
*** ,do_tgs_req.c Thu Oct 25 14:27:09 2001
--- do_tgs_req.c Wed Sep 11 13:42:30 2002
***************
*** 309,316 ****
--- 309,321 ----
/* include new addresses in ticket & reply */
+ /* But only if the original TGT had addresses. This gives */
+ /* the user control over use of addresses based on original */
+ /* ticket i.e. kinit -A will carry forward */
+ if (header_ticket->enc_part2->caddrs) {
enc_tkt_reply.caddrs = request->addresses;
reply_encpart.caddrs = request->addresses;
+ }
}
if (isflagset(header_ticket->enc_part2->flags, TKT_FLG_FORWARDED))
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED);
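Review bot: the new `if (header_ticket->enc_part2->caddrs)` guard only tests for a non-NULL pointer, so a presented TGT carrying an empty (zero-length, NULL-terminated) address list would still count as "has addresses"; if that case matters, test the first element too, e.g. `if (header_ticket->enc_part2->caddrs && header_ticket->enc_part2->caddrs[0])`. The guard also silently discards addresses that a client explicitly placed in the TGS request whenever its TGT is addressless, which makes the issued ticket less restricted than the client asked for; the three-line comment should state that trade-off, since the behaviour is not otherwise visible to the client.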
I have CC'ed this note to a number of other people who are interested in
getting this fixed. Hopefully they can test this. They have a mixture of
versions at any one time, so they might be interested in
a client side mod as well. If they do not have control over the KDC or
can't wait for the KDC to be updated, here is a mod for the client side to
not add addresses if the krb5.conf has "noaddresses" set in the client's realm.
Again this is untested.
The get_in_tkt will not add addresses for forwarded tickets,
and the fwd_tgt.c will not call it with addresses if the
"noaddresses" is set.
*** ,get_in_tkt.c Thu Mar 14 10:09:41 2002
--- get_in_tkt.c Wed Sep 11 13:49:49 2002
***************
*** 448,453 ****
--- 448,456 ----
if (addrs)
request.addresses = (krb5_address **) addrs;
else
+ if (options & KDC_OPT_FORWARDED)
+ ;
+ else
if ((retval = krb5_os_localaddr(context, &request.addresses)))
goto cleanup;
request.kdc_options = options;
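Review bot: the `if (options & KDC_OPT_FORWARDED) ; else if (...)` form with an empty statement and a dangling `else` is easy to misread; fold the test into the existing branch, e.g. `else if (!(options & KDC_OPT_FORWARDED) && (retval = krb5_os_localaddr(context, &request.addresses))) goto cleanup;`. Also confirm that `request.addresses` is already NULL when the FORWARDED path is taken, since its initialization is outside this hunk and that path now leaves the field untouched. Note that this skips the local-address fallback for every forwarded request whose caller passes a NULL `addrs`, regardless of krb5.conf, not only when fwd_tgt.c omitted addresses because `noaddresses` was set.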
*** ,fwd_tgt.c Mon Dec 3 15:40:52 2001
--- fwd_tgt.c Wed Sep 11 12:52:59 2002
***************
*** 55,60 ****
--- 55,61 ----
int free_rhost = 0;
krb5_enctype enctype = 0;
krb5_keyblock *session_key;
+ int tempint;
memset((char *)&creds, 0, sizeof(creds));
memset((char *)&tgt, 0, sizeof(creds));
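Review bot: `int tempint;` is not descriptive and is left uninitialized; since it only ever holds the `noaddresses` lookup result, a name such as `int noaddrs = 0;` documents its purpose and gives it a defined value even when the profile lookup in the following hunk fails.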
***************
*** 103,108 ****
--- 104,114 ----
krb5_free_cred_contents (context, &in);
}
+ if (((retval = krb5_libdefault_boolean(context, &client->realm,
+ "noaddresses", &tempint)) == 0)
+ && tempint) {
+ ;
+ } else
retval = krb5_os_hostaddr(context, rhost, &addrs);
if (retval)
goto errout;
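Review bot: the `if (...) { ; } else` construction around `krb5_os_hostaddr` hides the intent behind an empty block; write the lookup first and make the address fetch conditional on it, e.g. `retval = krb5_libdefault_boolean(context, &client->realm, "noaddresses", &tempint);` followed by `if (retval != 0 || !tempint)` and `retval = krb5_os_hostaddr(context, rhost, &addrs);`, which preserves the current behaviour (a failed lookup still falls back to fetching addresses). When the option is set, `retval` is 0 only as a side effect of the profile call and `addrs` is never assigned, so the later `if (retval) goto errout;` and the "no addresses" path in get_in_tkt both depend on `addrs` already being NULL from its initialization outside this hunk; a one-line comment stating that dependency would help the next reader.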
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444