[29293] in Kerberos


Re: Why krb5kdc and kadmind sets up ports for listening differently ?

daemon@ATHENA.MIT.EDU (Ken Raeburn)
Tue Feb 19 09:45:55 2008

In-Reply-To: <9549b1d80802182317u66c97c54g8cedad2b93877c5c@mail.gmail.com>
Mime-Version: 1.0 (Apple Message framework v753)
Message-Id: <2DB984B8-3A2B-4E6D-B22E-AAFCAF7BB4CB@mit.edu>
From: Ken Raeburn <raeburn@MIT.EDU>
Date: Tue, 19 Feb 2008 09:43:52 -0500
To: "Sachin Punadikar" <punadikar.sachin@gmail.com>
Cc: kerberos@MIT.EDU
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@MIT.EDU

On Feb 19, 2008, at 02:17, Sachin Punadikar wrote:
> While doing code walkthrough of krb5kdc and kadmind programs,
> I noticed a difference between these two in the way it sets up the
> ports for listening.
> krb5kdc uses ioctl calls to get the interfaces list and then on each
> interface/ip-address it sets up the port for listening.
> While in case of kadmind it uses wildcard to set up the port for  
> listening.
>
> Any specific reason for having different approaches while setting  
> up ports?

The UDP service offered by the KDC needs to respond from the same IP  
address that the client used to reach it.  That's not possible with a  
wildcard-address listener unless your system has support for  
IP_PKTINFO or IPV6_PKTINFO, which is now supported in our code as  
well.  The TCP listener does use a wildcard address.

In kadmind, we're only using TCP, so it can just use the wildcard.

The krb524d server uses a wildcard address for UDP, I believe.  I  
don't recall if the client code checks the server's address; it may  
be a bug to use the wildcard, and we may need to revise the code to  
match the KDC's code someday, if anyone cares.

-- 
Ken Raeburn, Senior Programmer
MIT Kerberos Consortium

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
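
The wildcard-listener problem described in the reply above, as an added example that is not part of the original message and not MIT krb5 code: a UDP server bound to the wildcard address answers from the address the client actually contacted only when it uses IP_PKTINFO. It assumes Linux with a loopback interface; the function name `reply_source` and the 127.0.0.1/127.0.0.2 addresses are constructed for the demonstration.

```c
#define _GNU_SOURCE                 /* exposes struct in_pktinfo on glibc */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Linux-specific. Constructed setup: server bound to the wildcard address,
 * client sending from 127.0.0.1 to 127.0.0.2 (all of 127/8 is local on Linux).
 * Returns the source address of the reply as the client sees it, 0 on error. */
in_addr_t reply_source(int use_pktinfo)
{
    int srv = socket(AF_INET, SOCK_DGRAM, 0), cli = socket(AF_INET, SOCK_DGRAM, 0), on = 1;
    struct sockaddr_in sa = { .sin_family = AF_INET }, ca = sa, peer, from;
    socklen_t slen = sizeof sa, flen = sizeof from;
    struct timeval tv = { .tv_sec = 2 };            /* never block forever */
    char buf[4];
    union { struct cmsghdr align; char b[CMSG_SPACE(sizeof(struct in_pktinfo))]; } ctl;
    struct iovec iov = { buf, sizeof buf };
    struct msghdr m = { .msg_name = &peer, .msg_namelen = sizeof peer, .msg_iov = &iov,
                        .msg_iovlen = 1, .msg_control = ctl.b, .msg_controllen = sizeof ctl.b };
    in_addr_t result = 0;
    /* Ask the kernel to report the destination address of every datagram. */
    setsockopt(srv, IPPROTO_IP, IP_PKTINFO, &on, sizeof on);
    setsockopt(srv, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    setsockopt(cli, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    ca.sin_addr.s_addr = inet_addr("127.0.0.1");
    if (bind(srv, (struct sockaddr *)&sa, sizeof sa) || bind(cli, (struct sockaddr *)&ca, sizeof ca)
        || getsockname(srv, (struct sockaddr *)&sa, &slen)) goto out;
    sa.sin_addr.s_addr = inet_addr("127.0.0.2");    /* the address the client contacts */
    if (sendto(cli, "ping", 4, 0, (struct sockaddr *)&sa, sizeof sa) != 4
        || recvmsg(srv, &m, 0) != 4) goto out;

    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    if (use_pktinfo && c && c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
        struct in_pktinfo *pi = (struct in_pktinfo *)CMSG_DATA(c);
        pi->ipi_spec_dst = pi->ipi_addr;            /* reply from the address that was hit */
        pi->ipi_ifindex = 0;                        /* let routing choose the interface */
    } else {
        m.msg_control = NULL;                       /* plain reply: kernel picks the source */
        m.msg_controllen = 0;
    }
    if (sendmsg(srv, &m, 0) != 4) goto out;
    if (recvfrom(cli, buf, 4, 0, (struct sockaddr *)&from, &flen) == 4) result = from.sin_addr.s_addr;
out:
    close(srv); close(cli);
    return result;
}

int main(void) { return reply_source(1) == inet_addr("127.0.0.2") ? 0 : 1; }
```

With `use_pktinfo` set to 0 the same exchange returns a reply whose source is 127.0.0.1, an address the client never sent to, which a client that checks the server's address would discard.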
