[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Kerberos4 and check-ticket-addresses

On Tue, 6 May 2003, Love wrote:

> Andreas Haupt <ahaupt@ifh.de> writes:
> > On Tue, 6 May 2003, Love wrote:
> >
> >> Oh, forwarding tickets isn't really supported in Kerberos 4, it just works
> >> with kaserver since kaserver doesn't check the address in the ticket.
> >
> > So why is it enabled by default in the Kerberos4 code of the kdc? The
> > kaserver does not do this - why does it the kaserver _emulation_?
> I thought the kaserver emulation didn't check ip address, but the krb4
> emulation did. When I look at your kerberos error it seems like a kerberos
> 4 error code. Are you sure you talk to the kaserver ?

Oh sorry, sure it talks with the Kerberos4 emulation of the kdc. So do I
understand it correctly if I assume that the native Kerberos4 kdc (from
your athena project) checks addresses as well? Then I understand the
default behaviour of the Heimdal kdc when doing Kerberos4 emulation.

Nevertheless it will be useful if we do not have to patch the sources to
disable the address check for Kerberos4 - I mean something like a new
switch in the krb5.conf just for Kerberos4 address checking could be


Andreas Haupt         E-Mail: ahaupt@ifh.de
 DESY Zeuthen
 Platanenallee 6
 15738 Zeuthen