[1407] in Kerberos


Re: Kerberos and two ethernet ports

daemon@ATHENA.MIT.EDU (Steve Lacey)
Thu May 23 20:03:10 1991

Date: Thu, 23 May 1991 10:59:17 +0100 (BST)
From: Steve Lacey <sjl@doc.imperial.ac.uk>
To: Graeme Wood <jaw@castle.edinburgh.ac.uk>
Cc: kerberos@MIT.EDU
In-Reply-To: <10452@castle.ed.ac.uk>

Excerpts from kerberos: 22-May-91 Kerberos and two ethernet p.. Graeme
Wood@castle.ed.ac (847)


> I have recently attempted to put up kerberos on a Sequent S81.  The
> source was the Bones distribution with Eric Young's DES library.

> The source compiled ok, but when I run kinit and talked to our kerberos
> server I get an authentication error:

> sequent$ kinit
> EUCS Project Fred (sequent)
> Kerberos Initialization
> Kerberos name: jaw
> kinit: Password incorrect
> sequent$

> I believe that the problem is caused by the Sequent having two ethernet
> ports and kerberos is seeing a request coming from the secondary enet
> port with the IP address of the primary enet port in the authenticator 
> and so rejects the request thinking that someone is trying to masquerade
> as the host. 

> Has anyone else seen this problem? Does anybody have any ideas as to
> what could be happening and how I could fix it or work around it?

We had exactly the same problem. It is caused in krb_rd_req():
basically, kerberos checks to see if the address the request was
received from is the same as the one that was put in the ticket. Now
this is liable to be the first in the list of addresses in the hostent.
Problems occur if the packet was sent out over a different interface.

This can be cured by iterating over all addresses returned by
gethostbyaddr(), and is in fact what we do.

Of course, this can be spoofed by a fake hesiod server...

> Graeme Wood
> (Graeme.Wood@edinburgh.ac.uk)

Steve.
-----
Steve J Lacey, Systems Group.      (In my opinion, my opinions are just that.)
Department of Computing, Imperial College of Science, Technology and Medicine,
180 Queen's Gate, London SW7. Phone : 071 589 5111 x5085, Fax : 071 581 8024 
Email: sjl@doc.ic.ac.uk (sjl%uk.ac.ic.doc@nsfnet-relay.ac.uk), ..!ukc!icdoc!sjl

               Hold the MAYO & pass the COSMIC AWARENESS...
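
The check described in the reply above, sketched as an added example (not code from the post or from the Kerberos sources): accept the sender if it equals the ticket address or appears in the address list the resolver returns for that address. The names sender_ok, lookup_fn, sample_lookup and check are hypothetical, and the two-interface host is constructed sample data; passing the real gethostbyaddr() as the lookup makes the result only as trustworthy as the name service, which is the caveat the reply raises.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Resolver hook shaped like glibc's gethostbyaddr(), so the check runs offline. */
typedef struct hostent *(*lookup_fn)(const void *addr, socklen_t len, int type);

/* 1 if `from` is one of the IPv4 addresses listed in hp, else 0. */
static int addr_in_hostent(const struct hostent *hp, struct in_addr from)
{
    if (hp == NULL || hp->h_addr_list == NULL ||
        hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof(from))
        return 0;
    for (char **ap = hp->h_addr_list; *ap != NULL; ap++)
        if (memcmp(*ap, &from, sizeof(from)) == 0)
            return 1;
    return 0;
}

/* Accept when the sender equals the ticket address, or when the host owning the
 * ticket address also lists the sender. That second branch trusts the resolver. */
static int sender_ok(struct in_addr ticket, struct in_addr from, lookup_fn lookup)
{
    if (ticket.s_addr == from.s_addr) return 1;
    return addr_in_hostent(lookup(&ticket, sizeof(ticket), AF_INET), from);
}

/* Constructed sample data: one host, two interfaces, network byte order. */
static unsigned char addrs[2][4] = { {192, 0, 2, 10}, {198, 51, 100, 10} };
static char *list[] = { (char *)addrs[0], (char *)addrs[1], NULL };
static struct hostent host = { .h_addrtype = AF_INET, .h_length = 4, .h_addr_list = list };

static struct hostent *sample_lookup(const void *addr, socklen_t len, int type)
{
    struct in_addr q;
    if (type != AF_INET || len != sizeof(q)) return NULL;
    memcpy(&q, addr, sizeof(q));
    return addr_in_hostent(&host, q) ? &host : NULL;
}

static int check(const char *ticket, const char *from)
{
    struct in_addr t, f;
    return inet_pton(AF_INET, ticket, &t) == 1 && inet_pton(AF_INET, from, &f) == 1 &&
           sender_ok(t, f, sample_lookup);
}

int main(void) { return check("192.0.2.10", "198.51.100.10") ? 0 : 1; }
```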
