code review request: 7032354: no-addresses should not be used on acceptor side

Valerie (Yu-Ching) Peng valerie.peng at oracle.com
Thu Apr 7 00:18:43 UTC 2011


Changes look good to me.
Thanks,
Valerie

On 03/29/11 10:25 PM, Weijun Wang wrote:
> Hi Valerie
>
> http://cr.openjdk.java.net/~weijun/7032354/webrev.00/
>
> I've removed the use of this setting on the acceptor side; now the host 
> address check is only performed if caddr is inside the service ticket and 
> the acceptor has a way to get the initiator's address (currently, through 
> channel binding only).
>
> Thanks
> Max
>
>
> ----------------
> *Change Request ID*: 7032354
> *Synopsis*: no-addresses should not be used on acceptor side
>
>
> === *Description* ===============================================
> We now use the no-addresses setting in krb5.conf on the acceptor side 
> to check if the caddr field in an incoming service ticket matches the 
> initiator's host address. According to available docs on krb5.conf, 
> this setting is only used by the initiator side when requesting 
> the initial TGT.
>
> http://www.daemon-systems.org/man/krb5.conf.5.html
>
>     no-addresses = boolean
>         When obtaining initial credentials, request them
>         for an empty set of addresses, making the tickets
>         valid from any address.
>
> http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.1/doc/krb5-admin/libdefaults.html#libdefaults 
>
>
>     noaddresses
>         Setting this flag causes the initial Kerberos ticket
>         to be addressless. The default for the flag is set.
>

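The message above says the acceptor can only learn the initiator's address through channel binding. The following is an added example (editor's illustration, not code from the webrev or from the JDK) of how an acceptor written against the public JGSS API supplies that address: it builds an org.ietf.jgss.ChannelBinding from the socket the token arrived on and installs it with GSSContext.setChannelBinding() before calling acceptSecContext(). The helper shouldCheckHostAddress() is a hypothetical stand-alone mirror of the rule described in the change request (check only when the ticket carries caddr and the acceptor knows the peer address); it is not the JDK's internal check, and the no-addresses setting is deliberately not consulted in it. The class and method names are the example's own.

```java
import java.net.InetAddress;
import java.net.Socket;

import org.ietf.jgss.ChannelBinding;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

/**
 * Acceptor side of a Kerberos GSS-API exchange that passes the peer's
 * address to the mechanism via channel bindings, so there is something
 * to compare against a caddr field in the service ticket.
 * Example code, not part of the JDK.
 */
public class AcceptorWithChannelBinding {

    /** Build channel bindings from the connection the token arrived on. */
    static ChannelBinding bindingFor(Socket conn) {
        InetAddress initiator = conn.getInetAddress();   // remote peer
        InetAddress acceptor = conn.getLocalAddress();   // this host
        // No application data in these bindings (null is permitted).
        return new ChannelBinding(initiator, acceptor, null);
    }

    /**
     * Hypothetical mirror of the acceptor-side rule from the change
     * request: perform the host address check only when the service
     * ticket actually carries a caddr field AND the acceptor knows the
     * initiator's address (here: from channel bindings). The krb5.conf
     * no-addresses setting is not consulted; it only governs what the
     * initiator asks for when obtaining its initial TGT.
     */
    static boolean shouldCheckHostAddress(boolean ticketHasCaddr, ChannelBinding cb) {
        if (!ticketHasCaddr) {
            return false;          // nothing in the ticket to compare against
        }
        return cb != null && cb.getInitiatorAddress() != null;
    }

    /**
     * Accept one context-establishment token received over conn.
     * Returns the response token to send back, or null if there is none.
     * Callers loop on this until ctx.isEstablished() is true.
     */
    static byte[] acceptToken(Socket conn, byte[] inToken) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        // null credential: use the default acceptor credential
        // (for example, the keytab configured for this JVM).
        GSSContext ctx = manager.createContext((GSSCredential) null);

        // Channel bindings must be installed before the first
        // acceptSecContext() call, or the mechanism never sees them.
        ChannelBinding cb = bindingFor(conn);
        ctx.setChannelBinding(cb);

        byte[] outToken = ctx.acceptSecContext(inToken, 0, inToken.length);
        if (ctx.isEstablished()) {
            System.out.println("Context established with " + ctx.getSrcName()
                    + " from " + cb.getInitiatorAddress());
        }
        return outToken;
    }
}
```

Note that the initiator must send matching bindings for the exchange to succeed; if it sends none, the acceptor's bindings are simply not verified by the peer, and whether the address comparison against caddr happens at all is decided by the ticket contents, not by anything in krb5.conf on the acceptor.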