[1255] in Kerberos_V5_Development
Re: security flaw in get_in_tkt: address verification
daemon@ATHENA.MIT.EDU (Sam Hartman)
Fri May 31 21:08:44 1996
To: "Barry Jaspan" <bjaspan@MIT.EDU>
Cc: epeisach@MIT.EDU, krbdev@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 31 May 1996 21:08:36 -0400
In-Reply-To: "Barry Jaspan"'s message of Thu, 30 May 1996 13:34:34 -0400

>>>>> "Barry" == "Barry Jaspan" <bjaspan@MIT.EDU> writes:

Barry> Date: Thu, 30 May 1996 13:22:45 EDT
Barry> From: Ezra Peisach <epeisach@MIT.EDU>

Barry> Question: Your code fragment implied that the code was
Barry> commented out... I Do you think that was to handle the
Barry> multiple homed hosts out there now?

Barry> Yes, the code is commented out, and I have no idea why.
Barry> Perhaps someone commented it out because the addrs
Barry> variable is not available, but in fact the addresses are in
Barry> the request structure, which is available.

Are you sure that there aren't situations involving proxies
through a firewall where the kdc, or agent between the kdc and client
might not reasonably add addresses to the tgt request? Do we want to
allow such usage?
--Sam