I'm still experimenting with Kerberos, Heimdal and addressful tickets. I have some questions, and I didn't find answers on the internet.
- Is Heimdal's GSS-API using a replay cache? If not, does it prevent token replay by other means?
- Is there a way, using the service-side GSS-API, to retrieve the internet addresses embedded in the service ticket coming from a client (in order to check that the client address is included in the ticket addresses)? Or is there a way, when building the security context, to give the (observed) client address so that a check can be enforced?

>I'm still experimenting with Kerberos, Heimdal and addressful tickets.
You know ... back in the day, I tried very hard to make Kerberos work with
addressful tickets (this was with MIT Kerberos, but I believe the issues
are the same). I finally came to the hard realization that this was
a HUGE waste of time.
The primary reason is because of NAT; NATs (and equivalent technologies)
are all over the place, and basically in the modern Internet you have no
guarantee that the IP address of the host you are talking to matches what
the other end thinks its IP address is. I don't particularly love this
fact, but it's just the reality. Putting IP addresses in tickets just
makes your life harder.
Secondly, the security benefit you get from IP addresses in tickets is
relatively small. I'm not saying it's zero, but it is not large. I do
not think it is worth the pain you will experience.