(mk|rd)_(priv|safe) and NAT
Chris Hecker
checker at d6.com
Wed Aug 3 18:20:32 EDT 2011
> Yes, you will need separate auth contexts if you want to use
> sequence numbers on some messages but not others.
That's what I figured. I'll have to mk_req/rd_req/mk_rep/rd_rep both on
the ordered and unordered channels (which, sadly, are on the same UDP
socket, so it's kind of silly...) to generate the auth_contexts
correctly, right?
Chris
On 2011/08/03 15:13, Greg Hudson wrote:
> On Wed, 2011-08-03 at 17:47 -0400, Chris Hecker wrote:
>> Right, but I'm going to force the replay cache off and use subkeys like
>> we discussed in the other thread. I assume I can't use the do-sequence
>> flag on an unordered/unreliable channel? So, if I want to mk_priv/safe
>> on that channel, will I need another auth_context?
>
> Yes, you will need separate auth contexts if you want to use sequence
> numbers on some messages but not others.
>
> For the unordered messages, since you are using neither sequence numbers
> nor a replay cache, you'll need to address replays at the application
> protocol layer.
>
>
>
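One way to handle replays at the application protocol layer for the unordered channel, as an added example that is not from this thread or from the krb5 code base: a sliding-window check of the kind used for unordered datagram protocols. It assumes the sender places a monotonically increasing 64-bit counter inside the payload protected by mk_priv/mk_safe; the struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>

#define REPLAY_WINDOW 64  /* datagrams tracked behind the highest counter seen */

/* Hypothetical receiver state: one per peer, per unordered auth context. */
struct replay_window {
    uint64_t highest;  /* highest counter accepted so far */
    uint64_t bitmap;   /* bit i set => counter (highest - i) already accepted */
    bool     primed;   /* false until the first datagram is accepted */
};

/*
 * Call only after rd_priv/rd_safe has verified the message, passing the
 * counter read from the protected payload (assumed message layout).
 * Returns true if the datagram is new (state is updated), false if it is
 * a replay or too old for the window to decide.
 */
bool replay_check_and_update(struct replay_window *w, uint64_t counter)
{
    if (!w->primed) {                       /* first datagram on this channel */
        w->highest = counter;
        w->bitmap = 1;
        w->primed = true;
        return true;
    }
    if (counter > w->highest) {             /* newer than anything seen */
        uint64_t shift = counter - w->highest;
        /* Shifting a 64-bit value by >= 64 is undefined in C, so clear instead. */
        w->bitmap = (shift >= REPLAY_WINDOW) ? 0 : (w->bitmap << shift);
        w->bitmap |= 1;                     /* bit 0 marks the new highest */
        w->highest = counter;
        return true;
    }
    uint64_t age = w->highest - counter;    /* how far behind the highest */
    if (age >= REPLAY_WINDOW)
        return false;                       /* outside the window: reject */
    uint64_t bit = (uint64_t)1 << age;
    if (w->bitmap & bit)
        return false;                       /* already accepted: replay */
    w->bitmap |= bit;                       /* late but new: accept and record */
    return true;
}
```

Late datagrams inside the window are accepted once; anything older than 64 counters behind the highest is dropped, so the window size bounds how much reordering the channel tolerates.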