> Ok, I've got it. You are using the "--addr" flag which is not documented (but
> works for me).
Despite the missing documentation, all the yes/no flags can be used
in the form --foo and --no-foo.
The actual behaviour depends on
* What's compiled in (weakest)
* What's the union of all searched krb5.conf files
* What's on the command line (strongest)
I think in the addr case, the compiled in default has changed but the
documentation has not. I'd have to look at the source.
> Since there is a "--no-addresses" flag, I thought the contrary was
> the default choice. I also would think tickets with addresses would
> have been the default way to use a kerberos setup.
It was before the widespread use of NAT and laptops on WiFi, which change
IP addr quite a few times during the lifetime of the ticket.
> So my new question is: *usually*, do kerberos tickets include addresses?
Nowadays: No.
> Another question : I'm writing a service using Kerberos for
> authentication (via gss-api). Should I reject addressless tickets?
> More precisely security context with initiator name without addresses?
> Or is addressless tickets the default practice?
It's a trade-off between security and PITA for the user (depends of
course on your use case).
I have not seen any application that rejects addressless tickets but
I've mostly been using kerberos for login (with openssh) and AFS.
> Otherwise, there is no "--no-prox" flag documented either.
See above ;)
Harald.
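The three-layer precedence Harald describes (compiled-in default, then the searched krb5.conf files, then the command line), modelled in code as an added example; this is not Heimdal's code or anything from the thread. It assumes the [libdefaults] key is named no-addresses, that a later krb5.conf file overrides an earlier one, and that the last --addresses/--no-addresses flag on the command line wins; all three are modelling assumptions.

```python
import re
from typing import Dict, Iterable

# Constructed sample krb5.conf files, as a system-wide file and a per-user override.
CONF_SYSTEM = """[libdefaults]
    default_realm = EXAMPLE.ORG
    no-addresses = true      # assumed key name for the addressless default
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""
CONF_USER = """[libdefaults]
    no-addresses = false
"""

def parse_libdefaults(text: str) -> Dict[str, str]:
    """Collect flat 'key = value' lines from the [libdefaults] section only."""
    out, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line and "{" not in line:
            key, value = (s.strip() for s in line.split("=", 1))
            out[key.lower()] = value.lower()
    return out

def to_bool(value: str) -> bool:
    return value in ("true", "yes", "on", "1")

def resolve_addresses(compiled_default: bool, conf_texts: Iterable[str],
                      argv: Iterable[str]) -> bool:
    """Return whether tickets get addresses: argv beats krb5.conf beats compiled-in."""
    want_addresses = compiled_default            # weakest layer
    for text in conf_texts:                      # assumption: later file overrides earlier
        libdefaults = parse_libdefaults(text)
        if "no-addresses" in libdefaults:
            want_addresses = not to_bool(libdefaults["no-addresses"])
    for arg in argv:                             # strongest layer; assumption: last flag wins
        if arg == "--addresses":
            want_addresses = True
        elif arg == "--no-addresses":
            want_addresses = False
    return want_addresses
```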