"forwarded" kpasswd changes

Greg Hudson ghudson at mit.edu
Thu Jun 4 22:09:20 EDT 2015


On 06/04/2015 09:45 PM, Ken Hornstein wrote:
> I haven't tried that combination, but from memory the issue is that
> the kpasswd protocol uses a KRB-PRIV message and the issue was that
> you can't omit an IP address from it (let me check ... yes, the sender's
> address is not optional in a KRB-PRIV message).  You could run kpasswd
> under a debugger to figure out what the "wrong" address is.  But I suspect
> it would be just easier to modify the MIT client to ignore the IP address
> on the KRB-PRIV on the reply message.

Yes; we did that for 1.13.  We had already made the corresponding change
to the server in 1.10.

http://krbdev.mit.edu/rt/Ticket/Display.html?id=7886
http://krbdev.mit.edu/rt/Ticket/Display.html?id=6979

>> The kpasswd protocol is horrible.
> 
> +1

I don't think of it as all that bad, but we should probably try it over
TCP first, as the UDP protocol is subject to erroneously treating
retransmits as replays.
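Both points in this thread (the KRB-PRIV sender address that cannot be omitted and so breaks across NAT unless the receiver ignores it, and the UDP retransmit that a replay cache rejects as a genuine replay) can be seen in a small model. The following is an added example for this page, not code from the thread or from MIT krb5: it does not reproduce the real ASN.1 encoding, the AP-REQ/KRB-PRIV processing, or kadmind's replay cache, only the two checks under discussion. The principal, timestamps, addresses and password are constructed values, and the result strings are merely named after the krb5 error codes they stand for.

```python
"""Toy model of the two kpasswd failure modes discussed in the thread.

Constructed, simplified model (not MIT krb5 code).  It keeps only the
logic that matters for the discussion:

  1. A KRB-PRIV message always carries the sender's address.  A strict
     receiver that compares it with the address it actually observed
     rejects traffic that crossed a NAT; a relaxed receiver ignores it.
     The same comparison applies in both directions (client checking the
     reply, server checking the request); the server side is modelled here.
  2. Over UDP the client resends the identical request when no reply
     arrives.  A replay cache keyed on the authenticator then rejects the
     retransmit, even though the first copy was genuine and was already
     acted on.  Over TCP there is no application-level retransmit.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ChangePwRequest:
    """Fields of a kpasswd request that the model needs (constructed)."""
    principal: str
    ctime: int         # authenticator timestamp (seconds)
    cusec: int         # authenticator microseconds
    sender_addr: str   # s-address carried inside the KRB-PRIV (not optional)
    new_password: str


@dataclass
class KpasswdServer:
    strict_addr_check: bool
    # Replay cache: identities of authenticators already accepted.
    seen: set = field(default_factory=set)
    passwords: dict = field(default_factory=dict)

    def handle(self, req: ChangePwRequest, observed_src: str) -> str:
        """Process one request; the string names the outcome."""
        key = (req.principal, req.ctime, req.cusec)
        if key in self.seen:
            # Identical authenticator seen before: treated as a replay.
            return "KRB5KRB_AP_ERR_REPEAT"
        self.seen.add(key)
        if self.strict_addr_check and req.sender_addr != observed_src:
            # Address inside the KRB-PRIV does not match the packet source.
            return "KRB5KRB_AP_ERR_BADADDR"
        self.passwords[req.principal] = req.new_password
        return "OK"


def udp_exchange(server: KpasswdServer, req: ChangePwRequest,
                 observed_src: str, first_reply_lost: bool) -> str:
    """Client over UDP: if no reply arrives, resend the same datagram."""
    status = server.handle(req, observed_src)
    if not first_reply_lost:
        return status
    # Reply dropped: the client times out and retransmits the same bytes,
    # which the server's replay cache now rejects.
    return server.handle(req, observed_src)


def tcp_exchange(server: KpasswdServer, req: ChangePwRequest,
                 observed_src: str) -> str:
    """Client over TCP: one request; delivery is the transport's job."""
    return server.handle(req, observed_src)


def demo() -> dict:
    """Constructed scenario: client at private 10.0.0.5 behind a NAT that
    the server sees as 203.0.113.7 (RFC 5737 documentation range)."""
    req = ChangePwRequest("alice@EXAMPLE.COM", 1433470000, 123456,
                          "10.0.0.5", "correct horse battery")
    results = {}

    # 1. Address check: strict receiver fails behind NAT, relaxed succeeds.
    strict = KpasswdServer(strict_addr_check=True)
    results["strict_nat"] = tcp_exchange(strict, req, "203.0.113.7")
    relaxed = KpasswdServer(strict_addr_check=False)
    results["relaxed_nat"] = tcp_exchange(relaxed, req, "203.0.113.7")

    # 2. UDP with a lost reply: password was changed, client still sees an
    #    error because the retransmit is treated as a replay.
    udp = KpasswdServer(strict_addr_check=False)
    results["udp_lost_reply"] = udp_exchange(udp, req, "203.0.113.7",
                                             first_reply_lost=True)
    results["udp_password_changed"] = (
        udp.passwords.get(req.principal) == req.new_password)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two results are the interesting pair: the password change already took effect, yet the client receives a replay error for its retransmit, which is why trying TCP first avoids the spurious failure.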


More information about the Kerberos mailing list