code review request: 7032354: no-addresses should not be used on acceptor side
Valerie (Yu-Ching) Peng
valerie.peng at oracle.com
Thu Apr 7 00:18:43 UTC 2011
Changes look good to me.
Thanks,
Valerie
On 03/29/11 10:25 PM, Weijun Wang wrote:
> Hi Valerie
>
> http://cr.openjdk.java.net/~weijun/7032354/webrev.00/
>
> I've removed the use of this setting on the acceptor side, now host
> address check is only performed if caddr is inside service ticket and
> the acceptor has a way to get the initiator's address (currently, thru
> channel binding only).
>
> Thanks
> Max
>
>
> ----------------
> *Change Request ID*: 7032354
> *Synopsis*: no-addresses should not be used on acceptor side
>
>
> === *Description* ===============================================
> We now use the no-addresses setting in krb5.conf on the acceptor side
> to check if the caddr field in an incoming service ticket matches the
> initiator's host address. According to available docs on krb5.conf,
> this setting is only used by the initiator side when requesting the
> initial TGT.
>
> http://www.daemon-systems.org/man/krb5.conf.5.html
>
> no-addresses = boolean
> When obtaining initial credentials, request them
> for an empty set of addresses, making the tickets
> valid from any address.
>
> http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.1/doc/krb5-admin/libdefaults.html#libdefaults
>
>
> noaddresses
> Setting this flag causes the initial Kerberos ticket
> to be addressless. The default for the flag is set.
>