Ticket addresses w.r.t. forwarded tickets.
Roland.Dowdeswell at MorganStanley.com
Tue Dec 6 10:17:57 EST 2005
On Tue, 6 Dec 2005, Jeffrey Altman wrote:
> Your case is the exact opposite of Roland's case. As you are aware,
> part of the problem these days with forwarding addressed tickets are
> that without significant knowledge of the network infrastructure and
> the configuration of the remote machine's network configuration, it is
> next to impossible for the entity forwarding the ticket to determine
> the correct set of addresses to restrict the ticket to.
> We absolutely need to solve implement constraints but I just do not
> see address constraints as being viable.
> I would like to take a look at your patch. I believe that it will
> assist in achieving the removal of addresses from tickets and would
> consider applying it.
The problem with the current mechanism for putting addresses in
forwarded tickets is that it is not likely to put the correct addresses
in for "interesting" setups. The current mechanism is to use the
forward lookup of the hostname; there is no guarantee that the forward
lookup of an address to which you connect will be the address from
which the remote host would attempt to contact the KDC. The remote
host may not even be able to contact the KDC from that address.
Roland C. Dowdeswell
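To make the mismatch Roland describes concrete, here is an added example (not code from this thread or from any Kerberos implementation) contrasting the two addresses involved: the address a forwarding client gets from a forward DNS lookup of the name it connected to, and the source address the remote host's kernel would actually use to reach the KDC. The hostname, KDC address and interface addresses in the scenario are constructed (RFC 5737 documentation ranges); the socket-based helper uses a UDP connect() purely to ask the local routing table for the outbound source address and sends nothing.

```python
import socket
from typing import Iterable, List


def forward_lookup(hostname: str) -> List[str]:
    """Addresses the forwarding side would put into the ticket: the result
    of a forward lookup of the name it connected to (the mechanism the
    mail criticises). Works offline for names in /etc/hosts."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_UDP)
    return sorted({info[4][0] for info in infos})


def kdc_facing_address(kdc_host: str, kdc_port: int = 88) -> str:
    """Source address this host's kernel would choose to reach the KDC.
    connect() on a UDP socket only selects a route; no packet is sent."""
    family = socket.AF_INET6 if ":" in kdc_host else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.connect((kdc_host, kdc_port))
        return s.getsockname()[0]


def ticket_usable(ticket_addrs: Iterable[str], source_addr: str) -> bool:
    """Model of a KDC enforcing address restrictions: a request is accepted
    only if its source address is listed in the ticket. An empty list means
    the ticket is unrestricted (addresses removed), so it is always usable."""
    addrs = list(ticket_addrs)
    return not addrs or source_addr in addrs


# Constructed scenario (hypothetical names and addresses, not real hosts):
# the client connected to remote-host.example by its published front
# address, but the remote host reaches the KDC over a second, internal
# interface, so the forward lookup never sees the KDC-facing address.
CONSTRUCTED_FORWARD_LOOKUP = {"remote-host.example": ["192.0.2.10"]}
CONSTRUCTED_KDC_FACING_ADDR = "198.51.100.7"


def forwarded_ticket_usable_in_scenario() -> bool:
    """Would a ticket restricted to the forward-lookup addresses be usable
    from the address the remote host actually uses toward the KDC?"""
    ticket_addrs = CONSTRUCTED_FORWARD_LOOKUP["remote-host.example"]
    return ticket_usable(ticket_addrs, CONSTRUCTED_KDC_FACING_ADDR)


def unrestricted_ticket_usable_in_scenario() -> bool:
    """Same scenario with the address list removed from the ticket."""
    return ticket_usable([], CONSTRUCTED_KDC_FACING_ADDR)


if __name__ == "__main__":
    print("addressed ticket usable:", forwarded_ticket_usable_in_scenario())
    print("unrestricted ticket usable:", unrestricted_ticket_usable_in_scenario())
    # Live check on this machine: the address used to reach a loopback
    # "KDC" placeholder versus what a forward lookup of localhost returns.
    print("KDC-facing address for 127.0.0.1:", kdc_facing_address("127.0.0.1"))
    print("forward lookup of localhost:", forward_lookup("localhost"))
```

The two helpers separate the knowledge each party has: the forwarding client can only run `forward_lookup`, while only the remote host itself can run `kdc_facing_address`, which is exactly why the client cannot reliably fill in the address list.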