[31243] in Kerberos
Re: kdc listening on too many interfaces
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Sun Jun 7 15:41:47 2009
From: Ken Raeburn <raeburn@mit.edu>
To: "Steve Devine" <sd@msu.edu>
In-Reply-To: <20090607074819.96022n1kccd3nz7n@mail.msu.edu>
Message-Id: <70769368-F2A8-4130-8814-10D9854FDF80@mit.edu>
Date: Sun, 7 Jun 2009 15:41:02 -0400
Cc: kerberos@mit.edu
On Jun 7, 2009, at 07:48, Steve Devine wrote:
> Everything works fine and in theory I see no harm but still it seems
> wrong.
> It seems like I ought to be able to disable listening on the backnet
> interface.
> Is this so or no?

At present there is no way to control which IP addresses the KDC
process listens on. (The message from Bjørn Tore Sun outlines how to
select the port numbers and whether the KDC listens for TCP
connections, but not a change in IP addresses.) It's assumed for now
that all IP addresses may be advertised in DNS as belonging to the KDC
(yes, we know it's not necessarily true), so we should listen just in
case. The ability to listen on just some addresses has been
requested, but so far hasn't made it far up the priority list, since
it's generally harmless as you say, unless there's some reason you
need the KDC to *not* listen on certain IP addresses.
--
Ken Raeburn / raeburn@mit.edu / no longer at MIT Kerberos Consortium
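
An added example, not part of the message above and not MIT Kerberos code: since the KDC binds every local address, an administrator can audit which addresses actually carry a listener by parsing the Linux socket table. It assumes Linux `/proc/net/udp` layout and the default Kerberos port 88; the sample rows, addresses, and the function names `listeners` and `unexpected` are constructed for illustration.

```python
import socket
import struct

KDC_PORT = 88  # assumption: default Kerberos port; change if the KDC uses others

# Constructed sample in /proc/net/udp layout (not captured from a real host).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  10: 0A0200C0:0058 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1001
  11: 0500000A:0058 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1002
  12: 0100007F:0058 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1003
  13: 0500000A:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1004
"""


def decode_ipv4(hex_addr):
    """Decode a /proc/net IPv4 address (hex of the little-endian 32-bit word)."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def listeners(proc_text, port=KDC_PORT, state=None):
    """Return sorted local IPv4 addresses that have a socket bound to `port`.

    For /proc/net/tcp pass state="0A" so only LISTEN sockets are counted.
    """
    found = set()
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        hex_addr, hex_port = fields[1].split(":")
        if len(hex_addr) != 8:  # IPv6 rows (udp6/tcp6) are out of scope here
            continue
        if state is not None and fields[3] != state:
            continue
        if int(hex_port, 16) == port:
            found.add(decode_ipv4(hex_addr))
    return sorted(found)


def unexpected(proc_text, allowed, port=KDC_PORT):
    """Addresses bound to `port` that are not in `allowed`.

    A wildcard bind (0.0.0.0) covers every interface, so it is reported
    unless the caller lists it in `allowed` explicitly.
    """
    return [a for a in listeners(proc_text, port) if a not in allowed]


if __name__ == "__main__":
    print(unexpected(SAMPLE_PROC_NET_UDP, {"192.0.2.10", "127.0.0.1"}))
```

On a live host, pass the contents of `/proc/net/udp` instead of the sample string.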