[4321] in Kerberos
Re: request for commentary on krb IV server mod
daemon@ATHENA.MIT.EDU (Derrick J. Brashear)
Mon Dec 12 14:25:59 1994
To: kerberos@MIT.EDU
Date: Mon, 12 Dec 1994 13:56:28 -0500
From: "Derrick J. Brashear" <db74+@andrew.cmu.edu>
Excerpts from netnews.comp.protocols.kerberos: 12-Dec-94 request for
commentary on k.. by Daniel G. Pouzzner@prez.
> I've just modified our kerberos servers to disable the inet_addr
> matching performed by krb_rd_req(). This allows us to have tickets
> (and AFS tokens) automatically set up when we telnet. I am of the
> opinion that the inet_addr checking offers no real additional
> security. A possible half-way in this area is to implement an
> "outstanding tgt" table in the kserver: tgt's and the hosts from which
> they may be used are recorded, and use of a tgt by a secondary host
> can only be endorsed by a request initiated from a host already in the
> list. Needless to say, the entire family of ticket files associated
> with the tgt simultaneously expire.
I am of full and complete agreement. The added security of having the
check is dubious at best (IMHO of course), and the AFS kaserver already
behaves like this. Each time I've set up a Kerberos server I've done
this.
-D
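The "outstanding tgt" table sketched in the quoted proposal, modelled as an added example (not code from Kerberos IV, nor from either poster): the TGT identifier, host names, principal and clock values are constructed, and the endorsement and family-expiry rules follow the proposal's wording.

```python
from dataclasses import dataclass, field


@dataclass
class TgtEntry:
    principal: str
    expires_at: int                 # compared against a caller-supplied clock
    hosts: set = field(default_factory=set)


class OutstandingTgtTable:
    """Model of the proposed KDC-side table: each outstanding TGT records the
    hosts from which it may be used; a further host is admitted only on a
    request from a host already listed; expiry drops the whole family."""

    def __init__(self):
        self._entries = {}

    def issue(self, tgt_id, principal, origin_host, now, lifetime):
        self._entries[tgt_id] = TgtEntry(principal, now + lifetime, {origin_host})

    def _live(self, tgt_id, now):
        entry = self._entries.get(tgt_id)
        if entry is not None and now >= entry.expires_at:
            del self._entries[tgt_id]   # TGT and every endorsement expire together
            entry = None
        return entry

    def endorse(self, tgt_id, requesting_host, new_host, now):
        entry = self._live(tgt_id, now)
        if entry is None or requesting_host not in entry.hosts:
            return False
        entry.hosts.add(new_host)
        return True

    def may_use(self, tgt_id, host, now):
        entry = self._live(tgt_id, now)
        return entry is not None and host in entry.hosts


def walkthrough():
    """Login on ws1, telnet hop to ws2, a stray endorsement attempt, then expiry."""
    t = OutstandingTgtTable()
    t.issue("tgt-1", "alice@EXAMPLE.REALM", "ws1", now=0, lifetime=600)
    return {
        "origin_ok": t.may_use("tgt-1", "ws1", now=1),
        "hop_before_endorse": t.may_use("tgt-1", "ws2", now=1),
        "endorse_from_unlisted": t.endorse("tgt-1", "ws3", "ws2", now=2),
        "endorse_from_origin": t.endorse("tgt-1", "ws1", "ws2", now=2),
        "hop_after_endorse": t.may_use("tgt-1", "ws2", now=3),
        "origin_after_expiry": t.may_use("tgt-1", "ws1", now=600),
        "hop_after_expiry": t.may_use("tgt-1", "ws2", now=601),
    }
```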