Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!elroy.jpl.nasa.gov!jarthur!uunet!stanford.edu!doc.imperial.ac.uk!sjl
From: sjl@doc.imperial.ac.uk (Steve Lacey)
Newsgroups: comp.protocols.kerberos
Subject: Re: Kerberos and two ethernet ports
Message-ID:
Date: 23 May 91 09:59:17 GMT
References: <10452@castle.ed.ac.uk>
Sender: sjl@doc.imperial.ac.uk
Organization: Internet-USENET Gateway at Stanford University
Lines: 48

Excerpts from kerberos: 22-May-91 Kerberos and two ethernet p.. Graeme Wood@castle.ed.ac (847)

> I have recently attempted to put up kerberos on a Sequent S81. The
> source was the Bones distribution with Eric Young's DES library.
> The source compiled ok, but when I run kinit and talked to our kerberos
> server I get an authentication error:

> sequent$ kinit
> EUCS Project Fred (sequent)
> Kerberos Initialization
> Kerberos name: jaw
> kinit: Password incorrect
> sequent$

> I believe that the problem is caused by the Sequent having two ethernet
> ports and kerberos is seeing a request coming from the secondary enet
> port with the IP address of the primary enet port in the authenticator
> and so rejects the request thinking that someone is trying to masquerade
> as the host.

> Has anyone else seen this problem? Does anybody have any ideas as to
> what could be happening and how I could fix it or work around it?

We had exactly the same problem. It is caused in krb_rd_req(), basically,
kerberos checks to see if the address the request was received from is
the same as that was put in the ticket. Now this is liable to be the
first in the list of addresses in the hostent. Problems occur if the
packet was sent out over a different interface.

This can be cured by iterating over all addresses returned by
gethostbyaddr(), and is in fact what we do. Of course, this can be
spoofed by a fake hesiod server...

> Graeme Wood
> (Graeme.Wood@edinburgh.ac.uk)

Steve.

-----
Steve J Lacey, Systems Group. (In my opinion, my opinions are just that.)
Department of Computing, Imperial College of Science, Technology and Medicine,
180 Queen's Gate, London SW7.
Phone : 071 589 5111 x5085, Fax : 071 581 8024
Email: sjl@doc.ic.ac.uk (sjl%uk.ac.ic.doc@nsfnet-relay.ac.uk), ..!ukc!icdoc!sjl
Hold the MAYO & pass the COSMIC AWARENESS...
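
Added example, not part of the original post and not the Kerberos source: a C sketch of the check described in the reply, comparing the ticket address against every address in the sender's hostent instead of only the address the packet arrived from. The function names, host name and addresses are constructed for illustration; the hostent is built inline where a real check would use the gethostbyaddr() result.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <string.h>

/* Hypothetical helper: parse a dotted quad (constructed inputs only). */
struct in_addr ip(const char *s)
{
    struct in_addr a = { 0 };
    inet_pton(AF_INET, s, &a);
    return a;
}

/* Strict check: the sender address must equal the ticket address. */
int strict_match(struct in_addr from, struct in_addr ticket)
{
    return from.s_addr == ticket.s_addr;
}

/* Relaxed check: accept if the ticket address is any address listed for the
 * sender's host. hp is name-service data, so it is only as trustworthy as that. */
int any_addr_match(const struct hostent *hp, struct in_addr ticket)
{
    char **ap;
    if (hp == NULL || hp->h_addr_list == NULL || hp->h_addrtype != AF_INET ||
        hp->h_length != (int)sizeof(ticket.s_addr))
        return 0;
    for (ap = hp->h_addr_list; *ap != NULL; ap++)
        if (memcmp(*ap, &ticket.s_addr, sizeof(ticket.s_addr)) == 0)
            return 1;
    return 0;
}

/* Constructed sample: a dual-homed host using documentation addresses. */
const struct hostent *sample_host(void)
{
    static struct in_addr addrs[2];
    static char *list[3] = { (char *)&addrs[0], (char *)&addrs[1], NULL };
    static struct hostent h = { .h_name = "sequent.example",
        .h_addrtype = AF_INET, .h_length = 4, .h_addr_list = list };
    addrs[0] = ip("192.0.2.10");     /* primary interface, in the ticket */
    addrs[1] = ip("198.51.100.10");  /* secondary interface, the sender */
    return &h;
}

int main(void)
{
    struct in_addr ticket = ip("192.0.2.10");
    return any_addr_match(sample_host(), ticket) ? 0 : 1;
}
```

The strict check rejects the secondary-interface sender while the relaxed one accepts it; an address that is not in the host's list is still rejected.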