krb5 commit: Allow kprop over NATs
Greg Hudson
ghudson at mit.edu
Tue Jan 7 17:18:48 EST 2020
https://github.com/krb5/krb5/commit/775e496aac2650343ec20826b1ba7f6306a12f3c
commit 775e496aac2650343ec20826b1ba7f6306a12f3c
Author: Greg Hudson <ghudson at mit.edu>
Date: Fri Jan 3 18:17:09 2020 -0500
Allow kprop over NATs
In kpropd, don't set a remote address in the auth context, so that
propagation can work if the client address is changed by a NAT.
ticket: 8860 (new)
src/kprop/kpropd.c | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
index 559b556..5622d56 100644
--- a/src/kprop/kpropd.c
+++ b/src/kprop/kpropd.c
@@ -135,7 +135,6 @@ static char *kdb5_util = KPROPD_DEFAULT_KDB5_UTIL;
static char *kerb_database = NULL;
static char *acl_file_name = KPROPD_ACL_FILE;
-static krb5_address *sender_addr;
static krb5_address *receiver_addr;
static const char *port = KPROP_SERVICE;
@@ -1190,10 +1189,6 @@ kerberos_authenticate(krb5_context context, int fd, krb5_principal *clientp,
krb5_keytab keytab = NULL;
char *name, etypebuf[100];
- /* Set recv_addr and send_addr. */
- sockaddr2krbaddr(context, my_sin->ss_family, (struct sockaddr *)my_sin,
- &sender_addr);
-
sin_length = sizeof(r_sin);
if (getsockname(fd, (struct sockaddr *)&r_sin, &sin_length)) {
com_err(progname, errno, _("while getting local socket address"));
@@ -1229,8 +1224,13 @@ kerberos_authenticate(krb5_context context, int fd, krb5_principal *clientp,
exit(1);
}
+ /*
+ * Do not set a remote address, to allow replication over a NAT that
+ * changes the client address. A reflection attack against kpropd is
+ * impossible because kpropd only sends one message at the end.
+ */
retval = krb5_auth_con_setaddrs(context, auth_context, receiver_addr,
- sender_addr);
+ NULL);
if (retval) {
syslog(LOG_ERR, _("Error in krb5_auth_con_setaddrs: %s"),
error_message(retval));
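Review bot: The comment added at the top of this hunk justifies leaving the remote address NULL with "kpropd only sends one message at the end", but it never states what now protects the inbound KRB-PRIV messages once their sender address is no longer compared against anything. That protection is the session key plus whatever sequence-number or timestamp checking the auth context is configured with; those flags are set outside this hunk, so I cannot confirm them here, but the comment should name them rather than rest on the one-message argument alone. The change also handles only a NAT that rewrites the client's source address: `receiver_addr` is still passed as the local address (and comes from getsockname() in the previous hunk), so a NAT in front of kpropd that rewrites the destination address would presumably still fail the receiver-address check. I would add a line to the comment such as `Only the remote address is left unset; receiver_addr is still bound, so a NAT that rewrites kpropd's own address is not covered.` kerberos_authenticate starts and ends outside this hunk.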