- Type: Bug
- Resolution: Fixed
- Priority: P4
- Affects Version/s: 7
- Component/s: security-libs
- b140
- generic
- generic
- Verified
We now use the no-addresses setting in krb5.conf on the acceptor side to check if the caddr field in an incoming service ticket matches the initiator's host address. According to available docs on krb5.conf, this setting is only used by the initiator side when requesting the initial TGT.
http://www.daemon-systems.org/man/krb5.conf.5.html
no-addresses = boolean
When obtaining initial credentials, request them
for an empty set of addresses, making the tickets
valid from any address.
http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.1/doc/krb5-admin/libdefaults.html#libdefaults
noaddresses
Setting this flag causes the initial Kerberos ticket
to be addressless. The default for the flag is set.
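The difference between an acceptor check gated by the local no-addresses setting and one driven only by the ticket's caddr field, as an added illustration that is not JDK source and not part of the original report. The class and method names are hypothetical, the config-gated variant is an assumed, simplified model of the behaviour described above, and the ticket-driven variant follows the address check in RFC 4120 section 3.2.3.

```java
import java.net.InetAddress;
import java.util.List;

// Added illustration, not JDK code. All names here are hypothetical.
public class CaddrCheckDemo {

    // Assumed model of the reported behaviour: the acceptor's own
    // krb5.conf no-addresses value decides whether caddr is checked at all.
    static boolean acceptConfigGated(boolean noAddresses,
                                     List<InetAddress> caddr,
                                     InetAddress sender) {
        if (noAddresses) {
            return true; // check skipped, even for an address-bound ticket
        }
        return caddr == null || caddr.isEmpty() || caddr.contains(sender);
    }

    // Ticket-driven check: the KDC-issued ticket alone says whether it is
    // address-bound. An absent caddr means "valid from any address".
    static boolean acceptTicketDriven(List<InetAddress> caddr,
                                      InetAddress sender) {
        if (caddr == null || caddr.isEmpty()) {
            return true;
        }
        return caddr.contains(sender);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample addresses (documentation range 192.0.2.0/24).
        InetAddress client = InetAddress.getByAddress(new byte[] {(byte) 192, 0, 2, 10});
        InetAddress other  = InetAddress.getByAddress(new byte[] {(byte) 192, 0, 2, 99});
        List<InetAddress> bound = List.of(client); // ticket bound to the client host

        System.out.println("bound ticket, matching sender, ticket-driven: "
                + acceptTicketDriven(bound, client));
        System.out.println("bound ticket, other sender, ticket-driven:    "
                + acceptTicketDriven(bound, other));
        System.out.println("bound ticket, other sender, config-gated:     "
                + acceptConfigGated(true, bound, other));
        System.out.println("addressless ticket, any sender, ticket-driven: "
                + acceptTicketDriven(null, other));
    }
}
```

The third case is the one to watch: with the check gated on a client-side setting, an acceptor host that sets no-addresses for its own outgoing requests stops enforcing the address binding on incoming address-bound tickets.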