
IPv6

From K5Wiki
Revision as of 15:46, 5 January 2011 by Ghudson (talk | contribs) (IPv6 Support Status)


This page describes the status of IPv6 support across versions of Kerberos and provides resources to aid developers in making their Kerberos applications work with IPv6.

IPv6 Support Status

  • IPv6 addresses in krb5.conf: Since krb5 1.9, IPv6 addresses have been supported in krb5.conf, using the syntax [ipv6address] or [ipv6address]:port.
  • KDC requests: Since krb5 1.3, IPv6 has been supported for ticket requests from clients to KDCs.
  • kpasswd: Since krb5 1.7, kadmind accepts password change requests over IPv6. Since krb5 1.8.1, clients can send password change requests over IPv6.
  • kprop/kpropd: As of krb5 1.9, kprop and kpropd can communicate over IPv6. Unlike the KDC and kadmind, kpropd's standalone support currently relies on dual-stack support to accept both IPv4 and IPv6 connections on a single listener socket.
  • kadmin: As of krb5 1.9, kadmin and kadmind can communicate over IPv6.
  • gssrpc library: As of krb5 1.9, it is possible for some applications using GSSRPC to communicate over IPv6. For this to work, the application client must create and connect its own client sockets, the application server must create and bind its own listener sockets, the application must only use TCP connections, and the application must not query the address of a client or server object. As a consequence of these restrictions, the application cannot use the portmapper (i.e. it must run over an already-known port).
  • rcmd application suite: As of krb5 1.3 (and all krb5-appl releases), the Kerberized rsh, rlogin, and rcp commands and daemons can communicate over IPv6, including the standalone debug-mode support in the daemons.
  • telnet application: As of krb5 1.3 (and all krb5-appl releases), the Kerberized telnet client can connect to a server over IPv6. telnetd can accept IPv6 connections when run from inetd (assuming the inetd can accept IPv6 connections), but its standalone debug mode does not support IPv6.
  • ftp application: The Kerberized FTP client and server currently have no IPv6 support.
  • Addresses within tickets: Since krb5 1.2, IPv6 addresses have been supported for the caddr field of tickets, which restricts what addresses the ticket may be used from. Most modern Kerberos deployments do not use this ticket field, so this support may be of minimal interest.
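
For application code that reads server addresses in the bracketed form described under "IPv6 addresses in krb5.conf", the following added example (not code from libkrb5 or from this wiki) splits an entry into host and port without mistaking the colons of an IPv6 literal for a port separator. The function name `parse_kdc_entry`, the default port of 88, and the choice to reject unbracketed IPv6 literals are assumptions of this example.

```c
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not libkrb5 code): split "host", "host:port",
 * "[v6addr]" or "[v6addr]:port" into host and port.
 * Returns 0 on success, -1 if the entry is malformed. */
int parse_kdc_entry(const char *s, char *host, size_t hostlen, int *port)
{
    const char *end, *portstr = NULL;
    int bracketed = (s[0] == '[');
    struct in6_addr a6;
    size_t len;

    if (bracketed) {
        end = strchr(++s, ']');
        if (end == NULL || (end[1] != '\0' && end[1] != ':'))
            return -1;              /* unterminated bracket or junk after ']' */
        if (end[1] == ':')
            portstr = end + 2;
    } else {
        end = strchr(s, ':');
        if (end != NULL && strchr(end + 1, ':') != NULL)
            return -1;              /* bare IPv6 literal: port would be ambiguous */
        if (end != NULL)
            portstr = end + 1;
        else
            end = s + strlen(s);
    }
    len = (size_t)(end - s);
    if (len == 0 || len >= hostlen)
        return -1;                  /* empty host or caller's buffer too small */
    memcpy(host, s, len);
    host[len] = '\0';
    if (bracketed && inet_pton(AF_INET6, host, &a6) != 1)
        return -1;                  /* brackets must hold a valid IPv6 literal */
    *port = 88;                     /* assumed default: standard Kerberos port */
    if (portstr != NULL) {
        char *rest;
        if (portstr[0] < '0' || portstr[0] > '9')
            return -1;              /* no sign, whitespace or empty port */
        long p = strtol(portstr, &rest, 10);
        if (*rest != '\0' || p < 1 || p > 65535)
            return -1;              /* trailing junk or out-of-range port */
        *port = (int)p;
    }
    return 0;
}
```

Validating the bracketed text with `inet_pton` keeps hostnames and malformed literals from passing as IPv6 addresses; scoped literals such as `fe80::1%eth0` are also rejected by this check.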