Date:      Thu, 16 Jan 1997 14:04:42 -0500 (EST)
From:      Hui-Hui Hu <hhui@bluemountainarts.com>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/2508: kerberos does not support multihomed hosts
Message-ID:  <199701161904.OAA11986@disperse.arcfour.com>
Resent-Message-ID: <199701161910.LAA07319@freefall.freebsd.org>


>Number:         2508
>Category:       bin
>Synopsis:       kerberos does not support multihomed hosts
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 16 11:10:04 PST 1997
>Last-Modified:
>Originator:     Hui-Hui Hu
>Organization:
Arc Four
>Release:        FreeBSD 2.2-ALPHA i386
>Environment:

        kerberos IV / eBones  (by the way, I tried 3.0-current krb libs also)
        server is running two IP addresses

>Description:

        A ticket read request will often fail over a multihomed
        server host because kerberos will check the ticket address,
        and if the first interface address the system returns is
        different from the outgoing packet then it will generate an
        "Incorrect network address" (RD_AP_BADD). This is contrary to
        the specification, which says:

'Incorrect network address' 
      The address in the ticket does not match the address you sent the 
      request from. This happens on systems with more than one network 
      address, either physically or logically. You can list addresses which
      should be considered equal in `/etc/krb.equiv' on your servers. 

        the line in rd_req.c (libkrb.a) is:

    if (from_addr && (ad->address != from_addr))

        which does not take into account more than one interface.

>How-To-Repeat:

        Configure two interfaces, with the non-default interface
        ("internal lan") being the first one that the kernel will return.
        Then try to authenticate yourself.

>Fix:

        A very bad fix is to comment out the line return (RD_AP_BADD)
        in rd_req.c. Obviously this kind of destroys a lot of authentication.
        The proper solution would be to implement a krb.equiv file
        for multihomed server hosts. That would be really, really appreciated.
        Maybe I'll work on it if I get bored some day. :)

>Audit-Trail:
>Unformatted:
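The krb.equiv check the report asks for, as an added example in C that is neither the eBones/libkrb code nor something the reporter wrote. The file format (one group of equivalent dotted-quad addresses per line, '#' comments) and the function names krb_equiv() and check_dotted() are assumptions; the sample table is constructed. It goes beyond the report's two-interface case by handling several groups, one per line.

```c
/* Added example, not the eBones/FreeBSD source: an /etc/krb.equiv-style
 * address check to replace the bare `ad->address != from_addr` comparison in
 * rd_req.c.  The file format is assumed: one group of equivalent dotted-quad
 * addresses per line, whitespace separated, '#' starts a comment. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Constructed sample krb.equiv: the two-interface server from the report,
 * plus a second host to show that equivalence is per line, not global. */
static const char SAMPLE_EQUIV[] =
    "# multihomed server: external interface and internal lan\n"
    "192.0.2.10 10.0.0.10\n"
    "198.51.100.7 10.0.0.7   # another host\n";

/* 1 if the ticket address equals the sender address or both appear on one
 * krb.equiv line; 0 otherwise, in which case rd_req still returns RD_AP_BADD.
 * An empty or missing file therefore keeps the old strict behaviour. */
int krb_equiv(const char *equiv_text, in_addr_t ticket, in_addr_t from)
{
    char buf[1024], *line, *lsave;
    if (ticket == from) return 1;
    snprintf(buf, sizeof buf, "%s", equiv_text);   /* strtok_r needs a writable copy */
    for (line = strtok_r(buf, "\n", &lsave); line; line = strtok_r(NULL, "\n", &lsave)) {
        char *hash = strchr(line, '#'), *tok, *tsave;
        struct in_addr a;
        int hit_t = 0, hit_f = 0;
        if (hash) *hash = '\0';                    /* strip trailing comment */
        for (tok = strtok_r(line, " \t\r", &tsave); tok; tok = strtok_r(NULL, " \t\r", &tsave)) {
            if (inet_pton(AF_INET, tok, &a) != 1) continue;  /* ignore unparsable tokens */
            hit_t |= (a.s_addr == ticket);
            hit_f |= (a.s_addr == from);
        }
        if (hit_t && hit_f) return 1;              /* both in the same group */
    }
    return 0;
}

/* Dotted-quad front end for the check; -1 on a malformed address. */
int check_dotted(const char *equiv_text, const char *ticket, const char *from)
{
    struct in_addr a, b;
    if (inet_pton(AF_INET, ticket, &a) != 1 || inet_pton(AF_INET, from, &b) != 1)
        return -1;
    return krb_equiv(equiv_text, a.s_addr, b.s_addr);
}
```

In rd_req.c the table would be read once at startup rather than re-parsed per call; a failed parse should fall back to the strict comparison, never to accepting every address.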