code review request: 7032354: no-addresses should not be used on acceptor side

Weijun Wang weijun.wang at oracle.com
Wed Mar 30 05:25:51 UTC 2011


Hi Valerie

http://cr.openjdk.java.net/~weijun/7032354/webrev.00/

I've removed the use of this setting on the acceptor side; now the host 
address check is only performed if caddr is inside the service ticket and 
the acceptor has a way to get the initiator's address (currently, through 
channel binding only).

Thanks
Max


----------------
*Change Request ID*: 7032354
*Synopsis*: no-addresses should not be used on acceptor side


=== *Description* ===============================================
We now use the no-addresses setting in krb5.conf on the acceptor side 
to check if the caddr field in an incoming service ticket matches the 
initiator's host address. According to the available docs on krb5.conf, this 
setting is only used by the initiator side when requesting the 
initial TGT.

http://www.daemon-systems.org/man/krb5.conf.5.html

     no-addresses = boolean
         When obtaining initial credentials, request them
         for an empty set of addresses, making the tickets
         valid from any address.

http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.1/doc/krb5-admin/libdefaults.html#libdefaults

     noaddresses
         Setting this flag causes the initial Kerberos ticket
         to be addressless. The default for the flag is set.
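As an added illustration of the behaviour described in the request (not OpenJDK code, and not Max's patch), the model below separates the two places where addresses matter: the initiator decides, from noaddresses, whether to request an addressless ticket at all; the acceptor compares the ticket's caddr against the initiator address carried in the channel binding, and only when both are present. Ticket and channel-binding structures, the sample principal and the sample IP addresses are constructed for the example; the addr-type values 2 (IPv4) and 24 (IPv6) are the Kerberos HostAddress types from RFC 4120.

```python
"""Model of initiator-side noaddresses versus the acceptor-side caddr check.

Added example, not OpenJDK code. A Kerberos ticket's caddr field (RFC 4120
HostAddresses) is a list of (addr-type, address) pairs. The acceptor learns
the initiator's address only from GSS channel bindings, so its check runs
only when caddr is present AND a bound initiator address is available; it
never consults krb5.conf's noaddresses setting.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ADDRTYPE_IPV4 = 2    # RFC 4120 section 7.5.3 address type for IPv4
ADDRTYPE_IPV6 = 24   # RFC 4120 section 7.5.3 address type for IPv6


@dataclass
class HostAddress:
    """One entry of the HostAddresses sequence: type plus packed address."""
    addr_type: int
    address: bytes


@dataclass
class ServiceTicket:
    """Constructed stand-in for a decrypted ticket; only the fields used here.

    caddr is None for an addressless ticket (field absent from the ASN.1).
    """
    cname: str
    caddr: Optional[List[HostAddress]] = None


@dataclass
class ChannelBinding:
    """Constructed stand-in for GSS channel bindings: initiator address, if known."""
    initiator_address: Optional[str] = None


def host_address_from_ip(ip_text: str) -> HostAddress:
    """Convert a textual IP into the Kerberos HostAddress representation."""
    ip = ipaddress.ip_address(ip_text)
    addr_type = ADDRTYPE_IPV4 if ip.version == 4 else ADDRTYPE_IPV6
    return HostAddress(addr_type, ip.packed)


def request_addresses(no_addresses: bool, local_ips: List[str]) -> Optional[List[HostAddress]]:
    """Initiator side: the only place noaddresses applies.

    With noaddresses set, the AS request carries an empty address set, so the
    TGT (and every service ticket derived from it) is valid from any address.
    """
    if no_addresses:
        return None
    return [host_address_from_ip(ip) for ip in local_ips]


def acceptor_check(ticket: ServiceTicket, cb: Optional[ChannelBinding]) -> bool:
    """Acceptor side: accept unless caddr is present and contradicts the binding.

    Returns True when the ticket is addressless, when no initiator address is
    available to compare against, or when the bound address is listed in caddr.
    Returns False only on a real mismatch.
    """
    if ticket.caddr is None:
        return True                      # addressless ticket: nothing to check
    if cb is None or cb.initiator_address is None:
        return True                      # no way to learn the initiator's address
    observed = host_address_from_ip(cb.initiator_address)
    return any(a.addr_type == observed.addr_type and a.address == observed.address
               for a in ticket.caddr)


if __name__ == "__main__":
    # Constructed sample: a client with one IPv4 and one IPv6 address.
    bound = ServiceTicket("alice@EXAMPLE.COM",
                          caddr=request_addresses(False, ["10.0.0.5", "2001:db8::1"]))
    print(acceptor_check(bound, ChannelBinding("10.0.0.5")))    # True
    print(acceptor_check(bound, ChannelBinding("192.0.2.9")))   # False
```

The acceptor never reads noaddresses: with the setting moved to the initiator side, an acceptor configured with no-addresses = true still rejects a ticket whose caddr does not contain the channel-bound initiator address, and an acceptor without channel bindings cannot perform the check at all.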
