Problem with krb524d/aklog and shared hostname keytabs...

Neulinger, Nathan nneul at umr.edu
Mon Mar 10 16:21:43 EST 2003


Would security of the following be roughly equivalent to addressless
tickets?

Removing this code in krb524/cnv_tkt_skey.c:

     if (!krb5_address_search(context, &kaddr, v5etkt->caddrs)) {
         if (krb524_debug)
             fprintf(stderr, "Invalid v5creds address information.\n");
         krb5_free_enc_tkt_part(context, v5etkt);
         v5tkt->enc_part2 = NULL;
         return KRB524_BADADDR;
     }

Cause that appears to solve (or at least hide) this issue...

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul at umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216


> -----Original Message-----
> From: Sam Hartman [mailto:hartmans at mit.edu] 
> Sent: Monday, March 10, 2003 2:02 PM
> To: Neulinger, Nathan
> Cc: krbdev
> Subject: Re: Problem with krb524d/aklog and shared hostname keytabs...
> 
> 
> I don't think we claim to support or even think about any issues
> involving krb4 and addresses that do not exactly match.
> 
> If it doesn't work with krb524d mod to just throw the v5 ticket part
> into an AFS token, we probably care.
> 
> 
> --Sam
> 
> 


