[38036] in Kerberos
Re: client IP address in Kerberos ticket.
daemon@ATHENA.MIT.EDU (Russ Allbery)
Fri Jul 21 17:56:02 2017
From: Russ Allbery <eagle@eyrie.org>
To: Jim Shi <hjshi@yahoo.com>
In-Reply-To: <21315697.2316684.1500671341017@mail.yahoo.com> (Jim Shi's
message of "Fri, 21 Jul 2017 21:09:01 +0000 (UTC)")
Date: Fri, 21 Jul 2017 14:53:24 -0700
Message-ID: <87a83xjw2z.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: Kerberos <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Jim Shi <hjshi@yahoo.com> writes:
> Hi, I have a question regarding client IP address checking in the KDC. Is
> it true that by default tickets issued by the KDC are not bound to any
> client IP address? Also, the KDC server does not check the IP if the ticket
> does not have any client IP address in it.
> Do we have to explicitly turn on client IP address checking on the KDC?
> How do we do it? Thank you very much.
I am dubious that IP address checking is a meaningful security measure.
My recommendation would be to forget that it exists and not rely on it for
your security model.
You're correct that the default value of the noaddresses configuration
option is true, largely because address-locked tickets tend to cause tons
of problems in modern network environments that often involve NAT.
--
Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
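For readers who want to see where the noaddresses option discussed in the reply above actually lives, the following krb5.conf fragment is an added example; it is not part of Russ Allbery's message or of any file shipped with MIT krb5. The realm name, KDC hostname and the 203.0.113.10 address are placeholders. The option names (noaddresses, extra_addresses) are the real MIT krb5 [libdefaults] settings.

```ini
# Added example (not from the original post). Shows the MIT krb5 default
# that the question asks about and the setting that turns address-locked
# tickets back on. EXAMPLE.COM, kdc.example.com and 203.0.113.10 are
# placeholders.

[libdefaults]
    default_realm = EXAMPLE.COM

    # MIT krb5 default: noaddresses = true. kinit requests tickets with no
    # client-address field, so there is nothing in the ticket for the KDC or
    # a service to compare the peer address against. This is the behaviour
    # described in the question, and it is what keeps tickets working
    # through NAT.
    noaddresses = true

    # To request address-locked tickets instead, set noaddresses = false.
    # kinit then includes the local interface addresses in the ticket
    # request, and a ticket that carries addresses is meant to be accepted
    # only from one of them. Caveat from the reply above: behind NAT the
    # address the KDC sees is not a local interface address, so the ticket
    # stops working.
    # noaddresses = false

    # If you do lock tickets, extra_addresses adds further addresses (for
    # example a NAT's public address) to the ones kinit puts in the ticket.
    # It has no effect while noaddresses is true.
    # extra_addresses = 203.0.113.10

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
```

The same choice can be made per invocation without editing the file: `kinit -a` requests tickets with the local addresses and `kinit -A` requests addressless ones, and `klist -a` lists whatever addresses the cached tickets carry, which is the quickest way to confirm which mode a client is actually in.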