Kerberos and NAT issue
Ken Raeburn
raeburn at MIT.EDU
Thu Dec 13 14:16:46 EST 2007
On Dec 13, 2007, at 07:40, Stefano veltri wrote:
> Hi all,
> I have a Kerberos v5 MIT installed in a large environment.
> I'm experiencing a problem in an ISP environment when NAT is
> involved in Kerberos authentication.
> The host IP included in the Kerberos ticket isn't recognized by
> kerberized services (SSHD) because of NAT!
>
> Is it possible to solve this problem? Does a patch or
> workaround exist (secure, no -A param in kinit ;) )
Given that addresses can be forged in some circumstances, the use of
addresses doesn't add a great deal of security, and omitting them
isn't much of a security problem. That's why we default to not
including addresses these days.
There are a few message types where the use of an address is
unconditional; these message types (including password-changing
requests, I believe) won't work from behind a NAT. (The address is
included in the message, and checked by the server; it's not included
in the Kerberos tickets.) There's a workaround for this in the
latest spec at the IETF, but we haven't implemented it yet.
Ken
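A practical check that follows from the thread: before blaming NAT for an SSHD failure, look at whether the client's credential cache actually holds tickets bound to addresses, since only those break when the server sees a different source IP. The script below is an added example, not code from the thread or from MIT Kerberos. It parses the output of `klist -a` (the sample text is constructed here and assumes MIT klist's layout, where each ticket line is followed by an indented `Addresses:` line reading `(none)` or a comma-separated list) and flags tickets whose bound addresses are private, i.e. addresses a NAT gateway will rewrite before they reach the service.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample of `klist -a` output (not taken from the original thread).
# Assumed layout: one ticket line per credential, then an indented
# "Addresses:" line holding "(none)" or a comma-separated address list.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: stefano@EXAMPLE.COM

Valid starting       Expires              Service principal
12/13/07 14:00:00    12/14/07 00:00:00    krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tAddresses: (none)
12/13/07 14:01:12    12/14/07 00:00:00    host/shell.example.com@EXAMPLE.COM
\tAddresses: 192.168.1.10
12/13/07 14:02:30    12/14/07 00:00:00    ldap/dir.example.com@EXAMPLE.COM
\tAddresses: 192.168.1.10, 10.0.0.7
"""

# A ticket line: two timestamps (date + time each) followed by a principal
# containing "@". Header and "Default principal:" lines do not match.
TICKET_LINE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(?P<service>\S+@\S+)\s*$")


@dataclass
class Ticket:
    service: str
    addresses: List[str] = field(default_factory=list)

    @property
    def addressless(self) -> bool:
        # Addressless tickets are what MIT krb5 issues by default; they
        # keep working when the client sits behind a NAT.
        return not self.addresses


def parse_klist(text: str) -> List[Ticket]:
    """Turn `klist -a` output into Ticket records with their bound addresses."""
    tickets: List[Ticket] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("Addresses:"):
            if not tickets:
                continue  # defensive: an address line with no ticket above it
            addrs = stripped[len("Addresses:"):].strip()
            if addrs != "(none)":
                tickets[-1].addresses = [a.strip() for a in addrs.split(",") if a.strip()]
            continue
        match = TICKET_LINE.match(line)
        if match:
            tickets.append(Ticket(service=match.group("service")))
    return tickets


def nat_risk(ticket: Ticket) -> bool:
    """True if the ticket is bound to a private address that a NAT will rewrite."""
    for addr in ticket.addresses:
        try:
            if ipaddress.ip_address(addr).is_private:
                return True
        except ValueError:
            # klist can print non-IP address types; they cannot be classified here.
            continue
    return False


def addressed_tickets(text: str) -> List[Ticket]:
    """Tickets that carry any address at all; candidates for NAT breakage."""
    return [t for t in parse_klist(text) if not t.addressless]


if __name__ == "__main__":
    for t in addressed_tickets(SAMPLE_KLIST):
        flag = "NAT risk" if nat_risk(t) else "addressed"
        print(f"{flag:10} {t.service}  {', '.join(t.addresses)}")
```

To run it against a real cache, pipe `klist -a` output into `parse_klist`. If the report lists addressed service tickets, the fix on the client side is the one Ken describes as today's default: leave `noaddresses = true` in the `[libdefaults]` section of krb5.conf (the MIT setting behind that default) rather than passing `-A` to `kinit` by hand.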