[1404] in Kerberos


re: Kerberos and two ethernet ports

daemon@ATHENA.MIT.EDU (Dave Edmondson)
Thu May 23 06:13:51 1991

To: Graeme Wood <jaw@castle.ed.ac.uk>
Cc: kerberos@ATHENA.MIT.EDU
In-Reply-To: Graeme Wood's message of 22 May 91 12:57:44 GMT 
Date: Thu, 23 May 91 09:13:33 +0000
From: Dave Edmondson <davided@sco.COM>

jaw# I believe that the problem is caused by the Sequent having two
jaw# ethernet ports and kerberos is seeing a request coming from the
jaw# secondary enet port with the IP address of the primary enet port
jaw# in the authenticator and so rejects the request thinking that
jaw# someone is trying to masquerade as the host.
i have seen this problem too, and i recall that people at athena knew
about it.

jaw# Has anyone else seen this problem? Does anybody have any ideas as
jaw# to what could be happening and how I could fix it or work around
jaw# it?
three solutions suggest themselves:
	1) get v5.  as i understand it (not read the v5 spec for quite
	a while) v5 will allow multiple addresses, and even multiple
	protocol families to be passed around in tickets.
	2) somewhere in libkrb (krb_rd_req springs to mind) is the
	place where the address check is performed.  you could add a
	reverse lookup here and check all of the host's addresses
	against that which originated the packet.  the problem with
	this is that the name server is not a secure service, so it's
	reasonably easy to start spoofing.  there was a paper written
	about doing a secure nameserver, but i don't know if it ever
	got anywhere.
	3) fix your kernel.  somewhere in the code which emits ip
	packets is that part which inserts the correct ip address for
	the port from which the packet will travel.  it seems quite an
	easy change to make all packets be transmitted with the same
	address (ie the principal one).  i recall hearing that 4.4bsd
	does this.  this could introduce problems (inefficiencies
	really) when routing replies though.
last time i hit the problem, i went for solution 2, and just had to
cope with the occasional loss in security where multi-interface hosts
were concerned.

dave.
---
          Dave Edmondson, Santa Cruz Operation, davided@sco.com
  ``All those lines and circles, to me a mystery.'' -- Ten Thousand Maniacs
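The three address-check strategies Dave lists above, modelled as an added example that is not part of the thread or of any Kerberos release. The functions, the constructed name-server tables and the TEST-NET addresses are all assumptions made here for illustration; the v4-style check only stands in for the comparison that libkrb's krb_rd_req performs between the ticket address and the packet's origin, it is not that code.

```python
import ipaddress
from typing import Mapping, Sequence

Addr = ipaddress.IPv4Address

# Constructed sample: a dual-homed client like the Sequent in the thread.
# The ticket was obtained via the primary interface, so it records PRIMARY,
# but the AP request actually leaves via the secondary interface.
PRIMARY = ipaddress.IPv4Address("192.0.2.10")
SECONDARY = ipaddress.IPv4Address("198.51.100.10")

# Constructed, unauthenticated name-server data (assumption): reverse and
# forward maps for the dual-homed host.  A real resolver answer is no more
# trustworthy than this table, which is the weakness Dave points out.
PTR_TABLE: Mapping[Addr, str] = {
    PRIMARY: "sequent.example",
    SECONDARY: "sequent.example",
}
A_TABLE: Mapping[str, Sequence[Addr]] = {
    "sequent.example": (PRIMARY, SECONDARY),
}


def v4_address_check(ticket_addr: Addr, packet_src: Addr) -> bool:
    """v4-style check: the single address in the ticket must equal the
    address the packet arrived from.  A dual-homed client fails this
    whenever the request leaves via the 'other' interface."""
    return ticket_addr == packet_src


def v5_address_check(ticket_addrs: Sequence[Addr], packet_src: Addr) -> bool:
    """Solution 1: a ticket that carries every address of the client, so
    the check is membership rather than equality."""
    return packet_src in ticket_addrs


def reverse_lookup_check(ticket_addr: Addr, packet_src: Addr,
                         ptr_table: Mapping[Addr, str],
                         a_table: Mapping[str, Sequence[Addr]]) -> bool:
    """Solution 2: map the packet's source back to a host name, then accept
    if the ticket address is one of that host's forward addresses.  The
    trust now rests on the name service, which is not authenticated."""
    hostname = ptr_table.get(packet_src)
    if hostname is None:
        return False
    return ticket_addr in a_table.get(hostname, ())


def evaluate(packet_src: Addr) -> dict:
    """Run all three checks for a request from packet_src on the sample host
    and report which ones accept it."""
    return {
        "v4_single_address": v4_address_check(PRIMARY, packet_src),
        "v5_multi_address": v5_address_check((PRIMARY, SECONDARY), packet_src),
        "reverse_lookup": reverse_lookup_check(PRIMARY, packet_src,
                                              PTR_TABLE, A_TABLE),
    }


if __name__ == "__main__":
    for src in (PRIMARY, SECONDARY):
        print(src, evaluate(src))
```

Running it shows the failure mode from the original question: the v4-style check rejects the request from the secondary interface while accepting the same request from the primary one, and both workarounds accept it. The reverse-lookup variant only does so because the constructed tables agree; whoever controls the name server's answers controls the outcome of that check, which is the security loss Dave says he accepted.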
