"forwarded" kpasswd changes

Ken Hornstein kenh at cmf.nrl.navy.mil
Thu Jun 4 21:45:46 EDT 2015


>I don't know what causes this, but it's definitely not you.  I've seen
>this behavior for years.  The client appears to be complaining about the
>response from the server, which it thinks has the wrong net address (or
>something; I was always murky on the details), but the change goes through
>anyway.

I haven't tried that combination, but from memory the issue is that
the kpasswd protocol uses a KRB-PRIV message and the issue was that
you can't omit an IP address from it (let me check ... yes, the sender's
address is not optional in a KRB-PRIV message).  You could run kpasswd
under a debugger to figure out what the "wrong" address is.  But I suspect
it would be just easier to modify the MIT client to ignore the IP address
on the KRB-PRIV on the reply message.

>The kpasswd protocol is horrible.

+1

--Ken
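
For the debugging suggestion above, an added example (not part of the original message and not MIT Kerberos code): a small DER walker that pulls the mandatory `s-address [4]` field out of an `EncKrbPrivPart`, following the RFC 4120 field layout. It assumes the bytes are the already-decrypted enc-part of the KRB-PRIV; the function names and the sample bytes are constructed for illustration.

```python
import ipaddress

def read_tlv(buf, pos=0):
    """Read one DER element with a single-byte tag; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def fields(seq_body):
    """Map context tag number -> wrapped value for each [n] field of a SEQUENCE."""
    out, pos = {}, 0
    while pos < len(seq_body):
        tag, inner, pos = read_tlv(seq_body, pos)
        out[tag & 0x1F] = inner
    return out

def sender_address(enc_part):
    """Return (addr-type, address) from s-address [4] of a decrypted EncKrbPrivPart."""
    tag, body, _ = read_tlv(enc_part)
    if tag != 0x7C:  # [APPLICATION 28], constructed
        raise ValueError("not an EncKrbPrivPart")
    part = fields(read_tlv(body)[1])  # contents of the outer SEQUENCE
    if 4 not in part:  # RFC 4120 does not mark s-address OPTIONAL
        raise ValueError("s-address missing")
    host = fields(read_tlv(part[4])[1])  # HostAddress ::= SEQUENCE
    addr_type = int.from_bytes(read_tlv(host[0])[1], "big", signed=True)
    addr = read_tlv(host[1])[1]
    if addr_type == 2 and len(addr) == 4:  # addr-type 2 is IPv4
        return addr_type, str(ipaddress.IPv4Address(addr))
    return addr_type, addr.hex()

def tlv(tag, value):
    """Encode one short-form DER element (helper for the constructed sample)."""
    return bytes([tag, len(value)]) + value

# Constructed sample: a kpasswd-style reply body with a success result code
# and s-address 192.0.2.10 (documentation address, not from the thread).
SAMPLE = tlv(0x7C, tlv(0x30,
    tlv(0xA0, tlv(0x04, b"\x00\x00")) +
    tlv(0xA4, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) +
                        tlv(0xA1, tlv(0x04, bytes([192, 0, 2, 10])))))))

if __name__ == "__main__":
    print(sender_address(SAMPLE))
```

Comparing the decoded address with the address the client expected from the server shows which value triggers the complaint.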

