Requesting use of addresses in forwardable tickets
Douglas E. Engert
deengert at anl.gov
Wed Sep 11 16:06:01 EDT 2002
Ken Hornstein wrote:

> >Well then, here is an (untested) mod to the KDC which should not
> >add addresses if the original TGT did not have addresses:

> Silly question: Wouldn't this be more appropriate as a client-side
> modification? E.g., if the client TGT has no addresses,

But I don't believe the client can tell if the TGT has addresses or not.
The caddrs are in the encrypted part of the ticket encrypted in the krbtgt key.

> fwd_tgt becomes
> almost a no-op (that would cut down one round-trip to the KDC, and that
> would be a good thing IMHO).

Yes it would cut down one round trip, but the flags, times, or authdata might
also change. In the future we might come up with something to use instead of
addresses to protect against stolen tickets.

> I'm just worried because I can think of a
> few cases where I would want an addressless ticket to be forwarded to
> a machine and _have_ addresses, and doing this on the KDC would completely
> prohibit that.

Well, that's a good point. That was one reason to send in two sets of
independent mods. The second set was to not send in addresses.
Do we need another option in the kdc_options?
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439