gssftpd and gss_acquire_cred
rra at stanford.edu
Mon Nov 16 21:56:43 EST 2009

Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:

>>Convincing arguments about the safety of forgoing the address checks
>>in the kpasswd case are also welcome.

> Honestly, that's what I do. It has the added advantage of being a lot
> less code.

I suggest checking how many large Kerberos sites have a web site where
users can change passwords. I bet it's a lot of them (I know we have one,
as do most of the peer institutions I've talked to). None of them are
doing Kerberos-style IP checking, and I bet at most of those sites that's
how all the regular users change their passwords.

I think you'll find that most deployments have, in effect, turned off
address checking already.

Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>