blog_maximum

IP addresses with VPN, and "kinit -xa"

Thursday May 08, 2008

I'm working from home now, connecting to the office network through VPN. Running 'ifconfig -a' does not show the IP address for the VPN, although I can find it by using "who" in an SSH session into an office machine or by simply looking at the Shimo statistics pane.

But here comes a problem: Java's Kerberos uses the following method to fill addresses into the AS-REQ message when requesting the initial TGT from a KDC (which is in the office):

    InetAddress.getAllByName(InetAddress.getLocalHost().getHostName())

and it cannot find the VPN IP. So if I use this TGT to request a service ticket, an error is returned: Incorrect net address.
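An added diagnostic, not part of the original post or of the Kinit.java patch: it repeats the hostname lookup quoted above and reports whether an address given on the command line (for example the VPN address as seen from the office side) is among the results or bound to any local interface. The class name KrbAddressCheck and the argument convention are assumptions made for this example.

```java
import java.net.*;
import java.util.*;

public class KrbAddressCheck {
    // The lookup quoted in the post: resolve the local host name to its addresses.
    static Set<InetAddress> lookupAddresses() throws UnknownHostException {
        String host = InetAddress.getLocalHost().getHostName();
        return new LinkedHashSet<>(Arrays.asList(InetAddress.getAllByName(host)));
    }

    // Every address bound to a local interface, for comparison.
    static Set<InetAddress> interfaceAddresses() throws SocketException {
        Set<InetAddress> out = new LinkedHashSet<>();
        Enumeration<NetworkInterface> nifs = NetworkInterface.getNetworkInterfaces();
        if (nifs == null) return out;            // no interfaces reported
        for (NetworkInterface nif : Collections.list(nifs)) {
            out.addAll(Collections.list(nif.getInetAddresses()));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample (documentation range) used when no argument is given.
        String[] candidates = args.length > 0 ? args : new String[] {"192.0.2.10"};
        Set<InetAddress> lookup = lookupAddresses();
        Set<InetAddress> bound = interfaceAddresses();
        System.out.println("hostname lookup : " + lookup);
        System.out.println("local interfaces: " + bound);
        for (String c : candidates) {
            InetAddress a = InetAddress.getByName(c); // an IP literal is parsed, not resolved
            boolean inLookup = lookup.contains(a);
            System.out.printf("%s  in lookup=%b  on interface=%b%n",
                    a.getHostAddress(), inLookup, bound.contains(a));
            if (!inLookup) {
                System.out.println("  -> not among the lookup results, so an AS-REQ"
                        + " built from this lookup would not carry it");
            }
        }
    }
}
```

Run it with the address that "who" reports on the office machine as the argument; an address missing from the first list is one the ticket's address field will not include.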

To solve this problem, I wrote a patch for Kinit.java in Java, creating a new option "-xa address" which adds an extra address into the AS-REQ (this option can be provided more than once). The option "-a" is also added to Klist.java to print the addresses for a ticket. Everything works now.

BTW, I don't like Sun's decision to remove the kinit and klist tools from the JDK/JRE on Linux and Solaris. They're still very useful. On the other hand, on Windows, these tools exist. But anyone who has downloaded MS's own klist.exe will find himself confused all the time: Sun's klist.exe shows the ticket cache from the %HOME%/krbccc_xxx file, and MS's klist.exe shows the LSA cache, which has totally different content.
