Case 695201: Problems with VPN and checking mail ON campus
jdreed at MIT.EDU
Fri Nov 5 11:10:33 EST 2004
(client dropped from CC list)
>The client needs to use VPN on campus because a short while ago
>their department had an IT Audit and found that since they are
>running a Filemaker 5 server they were sending sensitive data over
>the network in cleartext. The auditor suggested to use VPN to
>encrypt that data.
That may not do any good. The VPN will encrypt the data between the
client machine and W92. Once in W92, it's back in clearttext and is
going over the network to wherever the FileMaker server is. If the
server is in a server room, that's ok, since it's unlikely anyone
will be sniffing backbone traffic. If the server is in their
department, however (ie: on the same network as the client's
machine), the data will still be in cleartext and this will
>After testing for a while I think I figured out the problem.
>Essentially the ability to get "Address-less Tickets" on the mac
>does not exsist.
Yes it does. In the Kerberos utility (/Applications/Utilities, if
you installed Kerberos Extras), there's a checkbox for "Always get
addressless tickets". I think it's even checked by default these
days (as of 10.3, anyway).
Of course, mail uses krb4 for either IMAP or POP, and krb4 has no
concept of addressless tickets. I do wonder, though, why, when a CFM
application (like Eudora) gets an "incorrect network address" error,
the tickets are destroyed. Can't it check to see if the v5 tickets
are addressless and if so, destroy the v4 ones and get new ones?
(Does it use krb524?)
jdreed at mit.edu
More information about the krbdev