[OpenAFS] openafs, aklog, and NAT

Ken Hornstein kenh@cmf.nrl.navy.mil
Fri, 05 Oct 2001 02:32:29 -0400


>1) I have seen reference to a patch by Ken Hornstein (if you're listening, feel
>free to speak up) which allows you to specify a "proxy_address = x.x.x.x" line
>in your krb5.conf file, and adds that to the list of addresses that gets
>requested when talking to the kdc.

yeah ... that code is relatively simple, it's just a pain right now to
extract it out from the ton of other changes I have to the base MIT
sources.  But there's no good way to automatically determine that external
address, which perhaps makes me think that the second solution is better ...

>2) there is a "noaddresses = true" entry which you can put into your krb5.conf
>which causes kinit etc. to ask for tickets with no ip-addresses embedded in
>them. the concern with this solution is that any tickets granted on this
>machine can be used on any other machine. if you are living on an untrusted
>network, it is likely that someone who has managed to steal a ticket could
>spoof an IP anyways, so I'm not sure how much this really lowers your overall
>security.

--Ken