Kerberos can now deal with multi-homed clients.

Kerberos obtains a network address for the local host from the routing
tables and uses it consistently for all Kerberos transactions.  This ensures
that packets only leave the *authenticated* interface.  Clients who open
and use their own sockets for encrypted or authenticated correspondance
to kerberos services should bind their sockets to the same address as that
used by kerberos.  krb_get_local_addr() and krb_bind_local_addr() allow
clients to obtain the local address or bind a socket to the local address
used by Kerberos respectively.

Reviewed by: Mark Murray <markm>, Garrett Wollman <wollman>
Obtained from: concept by Dieter Dworkin Muller <dworkin@village.org>

1 files changed, 10 insertions, 2 deletions

diff --git a/eBones/lib/libkrb/krb_sendauth.3 b/eBones/lib/libkrb/krb_sendauth.3
index 5608255..8f250a5 100644
--- a/eBones/lib/libkrb/krb_sendauth.3
+++ b/eBones/lib/libkrb/krb_sendauth.3
@@ -1,5 +1,5 @@
 .\" from: krb_sendauth.3,v 4.1 89/01/23 11:10:58 jtkohl Exp $
-.\" $Id: krb_sendauth.3,v 1.3 1995/07/18 16:41:03 mark Exp $
+.\" $Id: krb_sendauth.3,v 1.3 1995/09/13 17:23:57 markm Exp $
 .\" Copyright 1988 by the Massachusetts Institute of Technology.
 .\"
 .\" For copying and distribution information,
@@ -82,6 +82,13 @@ The
 function receives the ticket from the client by
 reading from a network socket.
 
+To ensure proper behavior on multi-homed systems (machines with more
+than one network interface) all sockets used with these routines should
+be bound to the same address as that used by the Kerberos library via
+.I krb_get_local_addr
+or
+.I krb_bind_local_addr.
+
 .SH KRB_SENDAUTH
 .PP
 This function writes the ticket to
@@ -338,7 +345,8 @@ will not work properly on sockets set to non-blocking I/O mode.
 
 .SH SEE ALSO
 
-krb_mk_req(3), krb_rd_req(3), krb_get_phost(3)
+krb_mk_req(3), krb_rd_req(3), krb_get_phost(3), krb_get_local_addr(3),
+krb_bind_local_addr(3)
 
 .SH AUTHOR
 John T. Kohl, MIT Project Athena