[985] in Kerberos_V5_Development
Re: Krb5 & IP addresses
daemon@ATHENA.MIT.EDU (Richard Basch)
Tue Jan 30 12:35:51 1996
Date: Tue, 30 Jan 1996 12:35:01 -0500
To: hartmans@MIT.EDU (Sam Hartman)
Cc: "Richard Basch" <basch@lehman.com>, krbdev@MIT.EDU
In-Reply-To: <tsl4ttd8uw8.fsf@tertius.mit.edu>
From: "Richard Basch" <basch@lehman.com>
On 30-January-1996, "Sam Hartman" wrote to "Richard Basch, krbdev@MIT.EDU" saying:
> >>>>> "Richard" == Richard Basch <basch@lehman.com> writes:
>
> Richard> I have a couple concerns with IP addresses being imbedded
> Richard> within Kerberos 5.
>
> Richard> I was talking with Ted about this, and it seemed that
> Richard> there should be an easy way to simply say, "trust me from
> Richard> any IP address". However, looking deeper into the code,
> Richard> this is not the case.
>
> I kind of got the impression from the rfc that the intent of encoding
> no addresses in the ticket was to do this. I agree it doesn't work
> all that well, considering that mk_safe and mk_priv apparently check
> addresses.
>
> Richard> I propose we add another address family type: AF_ANY,
> Richard> ADDR_ANY, or something similar. kinit can then
> Richard> optionally use that on the client to indicate that the
> Richard> server need not check its originating address. This
> Richard> would entail simply changing addr_comp.c and a couple
> Richard> other functions.
>
> This sounds like a poor solution to the problem, although I
> can see reasons why it might be the best option available. (I'm
> trying to think of a way to cleanly get the address for hostname
> canonicalization purposes as I discussed yesterday, but to avoid using
> it for comparison.) What are the obstacles to having a ticket with no
> addresses encoded in it do what you want?
Never mind... I found my problem... I have to create a "NULL" address
pointer, and then pass in a pointer to that to *get_in_tkt.
I am trying it out now... I will check on mk_safe and mk_priv, and the
other functions to make sure that they do the right thing with this case.
--
Richard Basch
Sr. Developer/Analyst        URL: http://web.mit.edu/basch/www/home.html
Lehman Brothers, Inc.        Email: basch@lehman.com, basch@mit.edu
101 Hudson St., 33rd Floor   Fax: +1-201-524-5828
Jersey City, NJ 07302-3988   Voice: +1-201-524-5049
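
The address check discussed in this thread, as an added example that is not part of the original message and is not MIT Kerberos code: a ticket whose address list is empty is accepted from any sender, while a ticket that lists addresses is accepted only from one of them. The names `host_addr`, `addr_equal` and `sender_allowed` are hypothetical, and the sample addresses are constructed.

```c
#include <stdio.h>
#include <string.h>

#define ADDR_INET 2  /* Internet (IPv4) address type in RFC 1510 */

/* Hypothetical stand-in for one host address carried in a ticket. */
typedef struct {
    int addrtype;
    size_t length;
    const unsigned char *contents;
} host_addr;

/* Addresses match only if type, length and bytes all agree. */
int addr_equal(const host_addr *a, const host_addr *b)
{
    return a->addrtype == b->addrtype &&
           a->length == b->length &&
           memcmp(a->contents, b->contents, a->length) == 0;
}

/* caddrs: NULL-terminated pointer array from the ticket. 1 = sender passes. */
int sender_allowed(const host_addr *sender, host_addr *const *caddrs)
{
    if (caddrs == NULL || caddrs[0] == NULL)
        return 1;                 /* no addresses encoded: any origin */
    for (size_t i = 0; caddrs[i] != NULL; i++)
        if (addr_equal(sender, caddrs[i]))
            return 1;
    return 0;                     /* bound ticket presented from elsewhere */
}

/* Constructed sample data (documentation-range IPv4 addresses). */
static const unsigned char ip_a[] = {192, 0, 2, 10};
static const unsigned char ip_b[] = {192, 0, 2, 99};
static host_addr addr_a = {ADDR_INET, 4, ip_a};
static host_addr addr_b = {ADDR_INET, 4, ip_b};
static host_addr *bound_list[] = {&addr_a, NULL};
static host_addr *null_addr = NULL;               /* a "NULL" address pointer */
static host_addr *const *empty_list = &null_addr; /* pointer to it: empty list */

int main(void)
{
    printf("bound, same host:  %d\n", sender_allowed(&addr_a, bound_list));
    printf("bound, other host: %d\n", sender_allowed(&addr_b, bound_list));
    printf("empty, other host: %d\n", sender_allowed(&addr_b, empty_list));
    return 0;
}
```

An address-less ticket gives up the origin check entirely, so any message-protection routine that compares sender addresses has to treat the empty list the same way or the two checks will disagree.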