code review request: 7032354: no-addresses should not be used on acceptor side
Weijun Wang
weijun.wang at oracle.com
Wed Mar 30 05:25:51 UTC 2011
Hi Valerie
http://cr.openjdk.java.net/~weijun/7032354/webrev.00/
I've removed the use of this setting on the acceptor side; now the host
address check is only performed if caddr is inside the service ticket and
the acceptor has a way to get the initiator's address (currently, through
channel binding only).
Thanks
Max
----------------
*Change Request ID*: 7032354
*Synopsis*: no-addresses should not be used on acceptor side
=== *Description* ===============================================
We now use the no-addresses setting in krb5.conf on the acceptor side
to check if the caddr field in an incoming service ticket matches the
initiator's host address. According to the available docs on krb5.conf, this
setting is only used on the initiator side when requesting the
initial TGT.
http://www.daemon-systems.org/man/krb5.conf.5.html
no-addresses = boolean
When obtaining initial credentials, request them
for an empty set of addresses, making the tickets
valid from any address.
http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.1/doc/krb5-admin/libdefaults.html#libdefaults
noaddresses
Setting this flag causes the initial Kerberos ticket
to be addressless. The default for the flag is set.
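The acceptor-side rule described above, as an added illustration that is not the webrev's code: the caddr check depends only on what the ticket carries and on whether the initiator's address is actually known (here taken from JGSS channel bindings), never on the acceptor's own krb5.conf. The class name and the legacy variant are hypothetical; the legacy variant is a simplified model of the behaviour the CR describes, not the pre-fix JDK code.

```java
import java.net.InetAddress;
import java.util.List;
import org.ietf.jgss.ChannelBinding;

// Hypothetical helper (not JDK code) modelling the acceptor-side caddr decision.
public final class AcceptorAddressCheck {

    /**
     * Fixed behaviour: enforce caddr only when the ticket has addresses AND the
     * acceptor can learn the initiator's address (currently via channel binding).
     *
     * @param ticketAddrs caddr decrypted from the service ticket; null/empty
     *                    means the KDC issued an addressless ticket
     * @param cb          channel bindings supplied by the application, may be null
     * @return true if the AP-REQ is acceptable as far as addresses are concerned
     */
    public static boolean addressAcceptable(List<InetAddress> ticketAddrs,
                                            ChannelBinding cb) {
        // Addressless ticket: there is nothing to compare against.
        if (ticketAddrs == null || ticketAddrs.isEmpty()) {
            return true;
        }
        // No channel binding, or one without an initiator address: the check
        // cannot be performed, so it is skipped rather than failed.
        InetAddress initiator = (cb == null) ? null : cb.getInitiatorAddress();
        if (initiator == null) {
            return true;
        }
        // Both sides known: the initiator must be one of the ticket's addresses.
        return ticketAddrs.contains(initiator);
    }

    /**
     * Simplified model of the behaviour the CR objects to: the acceptor's own
     * krb5.conf no-addresses flag gates the check. That flag only tells the
     * initiator what kind of TGT to ask for, so consulting it here lets a
     * local setting on the acceptor disable the check for a ticket that does
     * carry caddr.
     */
    public static boolean legacyAddressAcceptable(boolean acceptorNoAddresses,
                                                  List<InetAddress> ticketAddrs,
                                                  ChannelBinding cb) {
        if (acceptorNoAddresses) {
            return true;   // check silently disabled by unrelated local config
        }
        return addressAcceptable(ticketAddrs, cb);
    }
}
```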