Ticket addresses w.r.t. forwarded tickets.

Roland.Dowdeswell@MorganStanley.com
Wed Nov 30 19:05:23 EST 2005


So, by default the MIT libs, when asked to forward tickets to the remote
end, will decide whether to include addresses in the forwarded ticket by
checking your current TGT and seeing whether it has addresses.  And the
addresses that the libs put in the forwarded ticket are determined via
a DNS forward lookup of the remote end's hostname.  I would like to
have addressed TGTs while forwarding addressless tickets, so I've put
together a tiny patch which defines a boolean in the [libdefaults]
section of $KRB5_CONFIG to let me do this [below].

What's the chance of including this in the main tree?

(I'll elide the long discussion about why using DNS to determine what
addresses the remote end might use to talk to the KDC is pretty much
guaranteed to be incorrect for at least some of the hosts on a
corporate network.  The only reasonable strategy would be to ask the
remote end what its addresses are, or something along those lines.)

Thanks,

Index: lib/krb5/krb/fwd_tgt.c
===================================================================
RCS file: /ms/dev/kerberos/mitkrb5/cvs-dirs/mitkrb5-1.4/mitkrb5/src/lib/krb5/krb/fwd_tgt.c,v
retrieving revision 1.1.1.1
diff -u -u -r1.1.1.1 fwd_tgt.c
--- lib/krb5/krb/fwd_tgt.c	28 Mar 2005 21:43:35 -0000	1.1.1.1
+++ lib/krb5/krb/fwd_tgt.c	30 Nov 2005 23:31:04 -0000
@@ -54,6 +54,7 @@
     krb5_flags kdcoptions;
     int close_cc = 0;
     int free_rhost = 0;
+    int noaddresses;
     krb5_enctype enctype = 0;
     krb5_keyblock *session_key;
     krb5_boolean old_use_conf_ktypes = context->use_conf_ktypes;
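Review bot: `int noaddresses;` is declared here without an initializer and only gets a value in the second hunk; initialising it at the declaration (`int noaddresses = 0;`) makes the default explicit and lets the later `krb5_libdefault_boolean` lookup override it only when the option is actually present. The name also turns into a double negative once it is tested as `!noaddresses` below; naming the variable after the option (`forward_with_noaddresses`) or inverting its sense (`with_addresses`) would read better.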
@@ -127,8 +128,12 @@
 	retval = KRB5_NO_TKT_SUPPLIED;
 	goto errout;
     }
-
-    if (tgt.addresses && *tgt.addresses) {
+
+    if (krb5_libdefault_boolean(context, &tgt.client->realm,
+        "forward_with_noaddresses", &noaddresses))
+      noaddresses = 0;
+
+    if (!noaddresses && tgt.addresses && *tgt.addresses) {
       if (rhost == NULL) {
 	if (krb5_princ_type(context, server) != KRB5_NT_SRV_HST) {
 retval = KRB5_FWD_BAD_PRINCIPAL;
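Review bot: the new `forward_with_noaddresses` [libdefaults] option is introduced here without any documentation; the patch should also carry a krb5.conf man page entry that says what it does (when true, the forwarded TGT is issued with no addresses at all even though the local TGT is addressed, so the forwarded ticket is no longer bound to the remote host's addresses, which is the trade-off the option opts into). Two smaller points: the `-`/`+` pair of blank lines at the top of the hunk is whitespace-only churn and should be dropped, and the `noaddresses = 0;` statement is indented with two spaces where the surrounding code uses four or a tab; match the file's style.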

--
    Roland C. Dowdeswell
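A small pre-flight check for the behaviour described in the message above, added here as an example; it is not code from MIT Kerberos or from the patch author. It models the decision the message describes: the forwarded ticket is addressed only if the local TGT is addressed, and the addresses it would carry come from a forward DNS lookup of the remote host's name. The proposed [libdefaults] boolean forward_with_noaddresses from the patch is modelled as a parameter. Assumptions: the klist -a layout (a ticket line followed by an indented "Addresses:" line, "(none)" when addressless) is approximated from MIT klist and may vary between versions; the sample klist output and the fake resolver answers are constructed so the check runs offline. The resolver is injectable because, as the message points out, what the local resolver returns is not necessarily what the remote end will use to talk to the KDC; comparing the resolved list against the remote host's real addresses is the check this tool is meant to support.

```python
"""Predict which addresses a forwarded TGT would carry (added example,
not MIT Kerberos code).  Mirrors the decision described in the message:
addressed forwarded ticket iff the local TGT is addressed, addresses taken
from a forward lookup of the remote host; the patch's proposed
forward_with_noaddresses option short-circuits that to "no addresses"."""
import re
import socket
from typing import Callable, List

# Constructed sample of `klist -a` output (layout approximated from MIT
# klist; real caches, dates and principals will differ).
SAMPLE_KLIST_WITH_ADDRS = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
11/30/05 19:05:23  12/01/05 05:05:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tAddresses: 10.1.2.3, 192.0.2.44
11/30/05 19:06:01  12/01/05 05:05:23  host/shell.example.com@EXAMPLE.COM
\tAddresses: 10.1.2.3
"""

SAMPLE_KLIST_ADDRESSLESS = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
11/30/05 19:05:23  12/01/05 05:05:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tAddresses: (none)
"""

TICKET_LINE = re.compile(r"\skrbtgt/\S+@\S+\s*$")
ADDR_LINE = re.compile(r"^\s+Addresses:\s*(.*?)\s*$")


def tgt_addresses(klist_output: str) -> List[str]:
    """Address list attached to the krbtgt/ ticket; [] if it is addressless.

    Scans the indented lines under the TGT entry (klist -f adds "renew until"
    and "Flags:" lines there too) for the "Addresses:" line klist -a prints.
    """
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        if not TICKET_LINE.search(line):
            continue
        j = i + 1
        while j < len(lines) and lines[j][:1].isspace():
            m = ADDR_LINE.match(lines[j])
            if m:
                body = m.group(1)
                if body == "(none)":
                    return []
                return [a.strip() for a in body.split(",") if a.strip()]
            j += 1
        raise ValueError("no Addresses: line under the TGT; run klist -a")
    raise ValueError("no krbtgt ticket in klist output")


Resolver = Callable[[str], List[str]]


def dns_forward_lookup(hostname: str) -> List[str]:
    """Default resolver: a forward lookup of the remote host's name, as the
    library does.  This is the local resolver's view only; it need not match
    the addresses the remote end actually uses to reach the KDC."""
    addrs: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(hostname, None):
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


# Constructed resolver answers so the demo below runs offline.
FAKE_DNS = {"shell.example.com": ["198.51.100.7"]}


def fake_lookup(hostname: str) -> List[str]:
    return FAKE_DNS.get(hostname, [])


def forwarded_ticket_addresses(klist_output: str, rhost: str,
                               forward_with_noaddresses: bool = False,
                               resolve: Resolver = dns_forward_lookup) -> List[str]:
    """Addresses the forwarded TGT for `rhost` would carry.

    Default behaviour: addressed iff the local TGT is addressed, using the
    forward lookup of rhost.  With the patch's option set: always addressless.
    """
    if forward_with_noaddresses:
        return []
    if not tgt_addresses(klist_output):
        return []
    return resolve(rhost)


if __name__ == "__main__":
    for label, cache in (("addressed TGT", SAMPLE_KLIST_WITH_ADDRS),
                         ("addressless TGT", SAMPLE_KLIST_ADDRESSLESS)):
        got = forwarded_ticket_addresses(cache, "shell.example.com", resolve=fake_lookup)
        print(f"{label}: forwarded ticket addresses = {got or '(none)'}")
    got = forwarded_ticket_addresses(SAMPLE_KLIST_WITH_ADDRS, "shell.example.com",
                                     forward_with_noaddresses=True, resolve=fake_lookup)
    print(f"addressed TGT, forward_with_noaddresses=true: {got or '(none)'}")
```

Run it against real output with `klist -a | python3 fwdcheck.py` style plumbing by passing `sys.stdin.read()` as the first argument and the target hostname as the second; leave `resolve` at its default to see what the library's forward lookup would produce on this host, then compare that list with the addresses the remote end reports for itself.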