[7185] in Kerberos


Re: rkinit

daemon@ATHENA.MIT.EDU (Roland Schemers)
Wed May 1 22:21:23 1996

To: kerberos@MIT.EDU
Date: 1 May 1996 12:05:22 -0700
From: schemers@leland.Stanford.EDU (Roland Schemers)

In article <Pine.SOL.3.91.960501105804.987B-100000@spot.csc.umd.edu>,
Randall S. Winchester <rsw@eng.umd.edu> wrote:
>
>On Wed, 1 May 1996, Richard Basch wrote:
>> I don't see how a forwarded TGT could work with Kerberos; the IP
>> addresses will be wrong.  The afs ticket also could have the wrong IP
>> address, but the service (AFS fileserver) does not verify it.  By
>> default, Kerberos services will reject any request not coming from the
>> IP address encrypted in the ticket -- AFS may be a Kerberos service, per
>> se, but it re-implemented the Kerberos decoding and neglected the IP check.
>> -- 
>
>Actually I 'believe' it is the AFS "Kerberos server" that does not do the
>checking. I took the code from Transarc's inetd.c which does "token

That is correct. The AFS KDC does not check the IP address in the TGT, so
it is possible to forward them. Some people might consider this a bug
or a security hole; I'd call it a feature ;-)

roland
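As an added illustration (not code from this thread, from MIT Kerberos or from Transarc's AFS), here is a small Python model of the check the thread is about: the service parses the decrypted ticket body, reads the client address the KDC put in it, and compares it with the address the request actually came from. The layout follows the Kerberos v4 plaintext ticket body as I understand it (flags byte, principal strings, 4-byte address, 8-byte session key, lifetime, timestamp, service strings, padded to 8 bytes), but the byte order, the flags value and the sample ticket are assumptions; no encryption is modelled, and `check_address=False` stands in for a server that skips the check.

```python
import struct
import ipaddress
from dataclasses import dataclass

@dataclass
class Ticket:
    pname: str        # client principal name
    pinstance: str
    prealm: str
    paddress: str     # client IPv4 address the KDC bakes into the ticket
    session_key: bytes
    life: int
    time_sec: int
    sname: str        # service principal the ticket is for
    sinstance: str

def _cstr(buf: bytes, off: int):
    """Read a NUL-terminated ASCII string at off; return (text, next offset)."""
    end = buf.index(b"\0", off)
    return buf[off:end].decode("ascii"), end + 1

def encode_ticket(t: Ticket) -> bytes:
    """Serialise the plaintext ticket body (assumed v4-style layout, big-endian ints)."""
    body = bytes([0])  # flags byte; 0 = network byte order (assumption)
    for s in (t.pname, t.pinstance, t.prealm):
        body += s.encode("ascii") + b"\0"
    body += ipaddress.IPv4Address(t.paddress).packed
    body += t.session_key + bytes([t.life]) + struct.pack("!I", t.time_sec)
    for s in (t.sname, t.sinstance):
        body += s.encode("ascii") + b"\0"
    return body + b"\0" * (-len(body) % 8)  # pad to an 8-byte cipher block

def decode_ticket(buf: bytes) -> Ticket:
    """Parse the body back; this is what a service sees after decrypting with its key."""
    off = 1  # skip the flags byte
    pname, off = _cstr(buf, off)
    pinstance, off = _cstr(buf, off)
    prealm, off = _cstr(buf, off)
    paddress = str(ipaddress.IPv4Address(buf[off:off + 4])); off += 4
    session_key = buf[off:off + 8]; off += 8
    life, off = buf[off], off + 1
    (time_sec,) = struct.unpack("!I", buf[off:off + 4]); off += 4
    sname, off = _cstr(buf, off)
    sinstance, off = _cstr(buf, off)
    return Ticket(pname, pinstance, prealm, paddress, session_key, life, time_sec, sname, sinstance)

def service_accepts(ticket_bytes: bytes, peer_ip: str, check_address: bool = True) -> bool:
    """Default Kerberos rule: reject unless the request comes from the address in the ticket."""
    return (not check_address) or decode_ticket(ticket_bytes).paddress == peer_ip

# Constructed sample: a ticket issued to a client at 10.0.0.5 (not real data).
SAMPLE = Ticket("user", "", "EXAMPLE.EDU", "10.0.0.5", b"\x01" * 8, 255, 830970000,
                "krbtgt", "EXAMPLE.EDU")
```

The same ticket presented from 10.0.0.9 is refused by a service that enforces the address and accepted by one that does not, which is exactly the difference the thread describes between a stock Kerberos service and the AFS server.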
