Since the kinit has a -A noaddresses option, can this be carried forward to forwardable tickets? i.e. if the TGT used to get a forwardable ticket does not have addresses, don't request addresses in a forwardable ticket.
This looks like an easy change to krb5_fwd_tgt_creds. Has anyone done this?

Cesar Garcia wrote:
>
> I've been working with 1.2.2 for some months now, and only
> recently have attempted to get the rcmds working, mainly in
> an effort to better understand how ticket forwarding works,
> since we have a need to do this in a homegrown application.
>
> The behavior that I see is that when I invoke ticket
> forwarding, the "forwarded" tickets contain only a single
> IP address.
>
> After walking through some of the code, it appears that
> the client, via krb5_fwd_tgt_creds, determines the target's
> IP address via a host lookup using gethostbyname(), as
> implemented in krb5_os_hostaddr().
>
> Since we use NIS as the primary source for hostname
> resolution, all host lookups render a single IP address,
> even for multihomed machines. Moving to DNS is not an
> option at the moment. Additionally, we use Veritas VCS
> and other similar clustering facilities. These hosts
> will have additional IP addresses that are not associated
> with the real hostname, but with service names for a
> particular cluster/application. So even if we were to switch
> to DNS, the client would not be able to determine all the
> IP addresses for a given target host via the hostname
> lookup that it uses today.
>
> That said (barring hacks to application protocols that
> would allow target hosts to send IP addresses back to
> the source host, then having the client embed the full set
> of tickets), the way to address this would be to have
> the target host obtain new tickets with a full set of
> IP addresses.
>
> 1 - is this possible?
> 2 - is it within the limits of the specification?
>
> If so, has anyone implemented this for 1.2.2 or any
> releases of MIT krb5?
> _______________________________________________
> Kerberos mailing list
> [EMAIL PROTECTED]
> http://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
