client IP address in Kerberos ticket.


Jim Shi-2
Hi, I have a question regarding client IP address checking in KDC.
Is it true that by default tickets issued by KDC are not bound to any client IP address?
Also KDC server does not check IP if the ticket does not have any client IP address in it.

Do we have to explicitly turn on the client IP address checking on KDC? How to do it?
Thank you very much.

Jim
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: client IP address in Kerberos ticket.

Russ Allbery-2
Jim Shi <[hidden email]> writes:

> Hi, I have a question regarding client IP address checking in KDC.  Is
> it true that by default tickets issued by KDC are not bound to any
> client IP address?  Also KDC server does not check IP if the ticket does
> not have any client IP address in it.

> Do we have to explicitly turn on the client IP address checking on KDC?
> How to do it?  Thank you very much.

I am dubious that IP address checking is a meaningful security measure.
My recommendation would be to forget that it exists and not rely on it for
your security model.

You're correct that the default value of the noaddresses configuration
option is true, largely because address-locked tickets tend to cause tons
of problems in modern network environments that often involve NAT.

--
Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>
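
An added example, not part of either message and not MIT krb5 code: a small Python check of whether a krb5.conf leaves the noaddresses option mentioned in the reply at its default of true, or asks for address-restricted tickets. The function name, the accepted boolean spellings, the first-match-wins rule, the skipping of `{ ... }` subsections and the sample configs are assumptions of this example.

```python
import re

# Boolean spellings are an assumption modelled on MIT krb5's profile parser.
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}
FALSE_WORDS = {"n", "no", "false", "nil", "0", "off"}

def effective_noaddresses(conf_text, default=True):
    """Return the top-level [libdefaults] noaddresses value, else `default`."""
    section, depth = None, 0          # depth counts open { ... } subsections
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header and depth == 0:
            section = header.group(1).strip().lower()
        elif line.endswith("{"):
            depth += 1
        elif line.startswith("}"):
            depth = max(depth - 1, 0)
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() != "noaddresses":
                continue
            word = val.strip().lower()
            if word in TRUE_WORDS:
                return True           # addressless tickets requested
            if word in FALSE_WORDS:
                return False          # client asks for address-restricted tickets
            raise ValueError(f"unrecognised boolean: {val.strip()!r}")
    return default

# Constructed sample configs (not taken from the thread).
CONF_UNSET = """
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""
CONF_RESTRICTED = """
# address-locked tickets requested
[libdefaults]
    default_realm = EXAMPLE.COM
    noaddresses = no
"""

if __name__ == "__main__":
    for name, text in (("unset", CONF_UNSET), ("restricted", CONF_RESTRICTED)):
        print(name, "-> noaddresses =", effective_noaddresses(text))
```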
