
Re: Kerberos4 and check-ticket-addresses

On Mon, 5 May 2003, Love wrote:

> Andreas Haupt <ahaupt@ifh.de> writes:
> > Hello again,
> >
> > today we replaced the AFS kaserver with the heimdal kdc. We now get lots
> > of errors when using old apps with Kerberos4: "Incorrect network address
> > (krb_rd_req)".
> >
> > This could be solved when setting check-ticket-addresses in krb5.conf to
> > false. Does this have any security problems or can we live with it until
> > all applications have been switched to native Kerberos5?
> From what I can see the ka-server doesn't check addresses; you might want
> to disable it only for v4 compatibility, but leave it on for Kerberos 5
> requests. This requires patching in the kdc (kdc/kerberos4.c, look for the line
> with check_ticket_addresses).

OK, I found the place. But what are the security impacts for Kerberos5
when leaving it switched off generally?

> Is it users behind NAT that have the problem or some other application ?

No, it is very simple to reproduce. After you have connected to another machine
via e.g. ssh, your forwarded Kerberos4 tgt is not usable any more (see
error message above). AFS kaserver does not seem to check this at all. We
see this problem now for the first time.


Andreas Haupt         E-Mail: ahaupt@ifh.de
 DESY Zeuthen
 Platanenallee 6
 15738 Zeuthen
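The following is an added illustration, not code from the thread or from Heimdal. It models the service-side check behind the "Incorrect network address (krb_rd_req)" error the thread discusses: a ticket carries the network address(es) it was issued to, and the receiving service compares them with the address the request actually arrived from. The parameter `check_ticket_addresses` mirrors the krb5.conf option `check-ticket-addresses`; the addresses, principal name and the `forwarding_scenario` helper are constructed for the example. It also shows the RFC 4120 rule that a ticket carrying no addresses is accepted from anywhere, which is why disabling the check (or issuing addressless tickets) removes the binding between a ticket and the host it was obtained on.

```python
"""Model of Kerberos ticket address checking as done by krb_rd_req.

Added example for the thread above; not Heimdal's implementation.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Error text as seen by the applications in the thread.
INCORRECT_ADDRESS = "Incorrect network address"


@dataclass(frozen=True)
class Ticket:
    client: str
    # Addresses the ticket is bound to. An empty set means an addressless ticket.
    addresses: frozenset


def issue_ticket(client, *addrs):
    """Build a ticket bound to the given addresses (none -> addressless)."""
    return Ticket(client=client, addresses=frozenset(ip_address(a) for a in addrs))


def verify_ticket(ticket, peer_addr, check_ticket_addresses=True):
    """Service-side decision: (accepted, reason).

    check_ticket_addresses=False reproduces the krb5.conf workaround from the
    thread: the service no longer cares where the request came from, so a
    ticket copied to any host is usable from that host.
    """
    peer = ip_address(peer_addr)
    if not check_ticket_addresses:
        return True, "address check disabled"
    if not ticket.addresses:
        # RFC 4120: a ticket with no addresses may be used from any address.
        return True, "ticket carries no addresses"
    if peer in ticket.addresses:
        return True, "peer address matches ticket"
    return False, INCORRECT_ADDRESS


def forwarding_scenario(check_ticket_addresses):
    """The thread's case: TGT obtained on a workstation, forwarded over ssh,
    then used from the ssh host. Addresses are constructed sample values."""
    workstation, ssh_host = "10.0.0.10", "10.0.0.20"
    tgt = issue_ticket("user@EXAMPLE.REALM", workstation)  # constructed principal
    return {
        "direct": verify_ticket(tgt, workstation, check_ticket_addresses),
        "forwarded": verify_ticket(tgt, ssh_host, check_ticket_addresses),
    }


if __name__ == "__main__":
    for setting in (True, False):
        print(f"check-ticket-addresses = {str(setting).lower()}")
        for name, (ok, why) in forwarding_scenario(setting).items():
            print(f"  {name:9s}: {'accepted' if ok else 'rejected'} ({why})")
```

With the check on, the direct use is accepted and the forwarded use fails with exactly the error quoted in the thread; with the check off, both are accepted, and so would a ticket copied from that workstation to any other host, which is the security property given up by the krb5.conf workaround.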