(mk|rd)_(priv|safe) and NAT

Chris Hecker checker at d6.com
Wed Aug 3 03:47:38 EDT 2011


It almost looks like I can just set 1.2.3.4:5 for the address of any 
host behind a NAT, since at that point the code doesn't actually talk to 
the internet.  Is there a security implication for doing that, given 
that tickets have already moved away from containing addresses?

Thanks,
Chris


On 2011/08/03 00:11, Chris Hecker wrote:
>
> I'm still in the process of getting my app and server up and running
> with kerberos, so I can't test this yet, but the code for
> mk_priv/rd_priv and mk_safe/rd_safe seems to want addresses set on the
> auth_context, and all the samples show various permutations of this.
>
> I'm doing NAT traversal/punchthrough potentially on both sides of the
> connection, maybe even with a relay server in the middle for really bad
> cases, so there are a lot of potential addresses in play here. Which
> addresses do I set in a NAT-heavy environment like this?
>
> It looks like the mk versions require a local address set, and the rd
> versions require the remote address set (presumably to the local address
> set when the mk is called?). I'm going to be sending safe/priv messages
> both directions...
>
> I'm doing full mutual authentication with subkeys in both directions to
> avoid the need for a replay cache, if that matters.
>
> I found a post[*] that said kerberos was moving away from addresses
> since they're not very secure, but the current code seems to require
> them for these functions at least.
>
> Thanks,
> Chris
>
> * http://mailman.mit.edu/pipermail/kerberos/2007-December/012743.html
>
>