> On Wed, 2004-09-22 at 22:37 +0000, Sam Hartman wrote:
> > "Fredrik" == Fredrik Tolf <[EMAIL PROTECTED]> writes:
> >
> > Fredrik> Does anyone know if the KDC is configurable to just listen to 0.0.0.0, or will I have to take the time to patch it?
> >
> > You'll have to patch.
Shouldn't be hard. I think you need to dig up the code in the krb5 library (or include directory, or a copy in the KDC code? I forget where 1.3 had it) that looks for IFF_LOOPBACK and disable it.
Listening on 0.0.0.0 for UDP traffic may not work for hosts with multiple addresses, since the client code may be checking that it got its response back from the same address to which it sent the query. For TCP connections, I think we already ought to be accepting connections from anywhere, though that may not be enough for the KDC to want to start if there aren't non-loopback addresses to use for UDP.
> > This comes up often enough that I'm thinking we should reconsider our decision not to listen on localhost.
>
> Would you mind me asking why you made that decision in the first place? I can see no obvious reason for it.
I think it probably made more sense when tickets included addresses by default; the loopback address would not be listed (and the spec said not to), so sending to and from the loopback address would cause a mismatch of addresses, credentials would be rejected, etc.
Ken
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
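The two mechanisms Ken describes (an interface walk that drops IFF_LOOPBACK interfaces before choosing UDP bind addresses, and a client-side check that a reply came back from the address the request went to) are shown below in a small C program. This is an added illustration, not code from krb5 or from anyone on the thread: the `keep_interface()` rule is modelled on Ken's one-sentence description, not on the real 1.3 source, and `udp_reply_matches()` is a hypothetical IPv4-only version of the client check. It enumerates the local interfaces with `getifaddrs()`, so the address list it prints depends on the host it runs on.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <ifaddrs.h>

/* Fallbacks in case feature-test macros hid the IFF_* constants;
 * 0x1 and 0x8 are the values used on Linux and the BSDs. */
#ifndef IFF_UP
#define IFF_UP 0x1
#endif
#ifndef IFF_LOOPBACK
#define IFF_LOOPBACK 0x8
#endif

/* Decide whether an interface is a candidate for a KDC UDP listener.
 * skip_loopback = 1 models the behaviour Ken describes (IFF_LOOPBACK
 * interfaces are ignored, so 127.0.0.1 is never bound); skip_loopback = 0
 * models the patched behaviour. Interfaces that are down are never kept.
 * This rule is an assumption about the krb5 code, not a copy of it. */
int keep_interface(unsigned int flags, int skip_loopback)
{
    if (!(flags & IFF_UP))
        return 0;
    if (skip_loopback && (flags & IFF_LOOPBACK))
        return 0;
    return 1;
}

/* Walk the host's interfaces with getifaddrs(), keep the IPv4/IPv6
 * addresses that pass keep_interface(), and write them as text into out[].
 * Returns the number collected, or -1 if getifaddrs() failed. */
int collect_bind_addrs(int skip_loopback, char out[][INET6_ADDRSTRLEN], int max)
{
    struct ifaddrs *ifap, *ifa;
    int n = 0;

    if (getifaddrs(&ifap) != 0)
        return -1;

    for (ifa = ifap; ifa != NULL && n < max; ifa = ifa->ifa_next) {
        const void *raw;

        if (ifa->ifa_addr == NULL || !keep_interface(ifa->ifa_flags, skip_loopback))
            continue;

        if (ifa->ifa_addr->sa_family == AF_INET)
            raw = &((struct sockaddr_in *)ifa->ifa_addr)->sin_addr;
        else if (ifa->ifa_addr->sa_family == AF_INET6)
            raw = &((struct sockaddr_in6 *)ifa->ifa_addr)->sin6_addr;
        else
            continue;   /* link-layer entries cannot carry a UDP socket */

        if (inet_ntop(ifa->ifa_addr->sa_family, raw, out[n], INET6_ADDRSTRLEN) != NULL)
            n++;
    }
    freeifaddrs(ifap);
    return n;
}

/* The client-side check Ken warns about: a reply that arrives from an
 * address or port other than the one the request was sent to does not
 * match. With a server bound to 0.0.0.0 on a multi-homed host, the kernel
 * may pick a different source address for the reply, and this fails.
 * Hypothetical IPv4-only helper, enough to show the failure mode. */
int udp_reply_matches(const struct sockaddr_in *sent_to, const struct sockaddr_in *from)
{
    return sent_to->sin_addr.s_addr == from->sin_addr.s_addr
        && sent_to->sin_port == from->sin_port;
}

int main(void)
{
    char addrs[32][INET6_ADDRSTRLEN];
    int mode, i, n;

    /* Show the address set with and without the loopback skip. */
    for (mode = 1; mode >= 0; mode--) {
        n = collect_bind_addrs(mode, addrs, 32);
        printf("skip_loopback=%d: %d bindable address(es)\n", mode, n);
        for (i = 0; i < n; i++)
            printf("  %s\n", addrs[i]);
    }
    return 0;
}
```

On a host whose only interface is `lo`, the `skip_loopback=1` run yields zero addresses, which is the situation Ken alludes to where the KDC has nothing to bind for UDP; the `skip_loopback=0` run lists 127.0.0.1 (and ::1 where IPv6 is enabled).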
