kprop with multiple or NATted IP address

Jerry Shipman jes59 at cornell.edu
Wed Jan 27 16:07:26 EST 2016 

Hello,

It’s me again, who was trying to kprop through a NAT a month ago.

Hypothetically speaking… how bad of an idea would it be to make a cron job that `scp`s the database file to the slave KDC, or something like that? Does the slave KDC daemon need to restart after the file is updated, maybe? Or is this significantly less safe than using kprop? I think I would be relying on ssh instead of kerberos for the confidentiality and integrity. But I do that whenever I log into the machine anyway. I think I may risk getting the file in the middle of a write (so some records could be corrupted in the copy). It seems like this would be a bad idea; just checking.

Thanks again,
Jerry




> On Dec 24, 2015, at 12:21 AM, Greg Hudson <ghudson at mit.edu> wrote:
> 
> On 12/23/2015 03:50 PM, Jerry Shipman wrote:
>> Is there a way to do what I’m trying to do?
>> Or, is there a reason that it is dangerous to avoid verifying that IP match, and I shouldn’t try to work around it?
> 
> The only really useful purpose of checking addresses is preventing
> reflection attacks, where an attacker takes a KRB-PRIV or KRB-SAFE
> message from one of the parties and send it back to them as if it came
> from the other party.  Many protocols aren't susceptible to reflection
> attacks because they don't use similar formats for requests and
> responses.  After verifying that the kprop protocol isn't vulnerable, we
> could probably make changes similar to the ones we made to kpasswd to
> allow it to work over NATs.
> 
> (Protocols using GSS don't have this problem because GSS tokens only use
> direction bits, not addresses.  Well, unless they use IP address channel
> bindings, which isn't common.)

> On Dec 23, 2015, at 3:50 PM, jes59 <jes59 at cornell.edu> wrote:
> 
> Hello,
> 
> I’m trying to set up an additional slave KDC in a new location (different network), and I’m having trouble kprop’ing the database.
> 
> There is some tricky networking / routing going on between the network where the master KDC is and the network where the slave will be, that I am in the situation of needing to work with. 
> 
> I can go into that more if necessary, but I think the salient point is that each machine has multiple network interfaces, one with a public IP and one with a private IP (10.x.y.z). I am trying to use the private IPs when I kprop the database to the slave. (I am convinced that I eventually got this working with an iptables postrouting snat rule; I see the 10space address in logs, etc.)
> 
> I am seeing this error on the slave when I try to push the database from the master:
>  kpropd: Incorrect net address while decoding database size from client
> From the master side, it looks like:
>  kprop: Connection reset by peer while sending database block starting at 0
> 
> I think that kpropd is trying to look up the hostname of the master in DNS, and seeing the public IP, instead of the private IP which the connection is coming from, and then aborting because of that mismatch (or something like that).
> On a lark I tried adding the master’s hostname with its private address to /etc/hosts on the slave, but it didn’t immediately seem to help.
> 
> Is there a way to do what I’m trying to do?
> Or, is there a reason that it is dangerous to avoid verifying that IP match, and I shouldn’t try to work around it?
> 
> Thank you for your help,
> Jerry Shipman

More information about the Kerberos mailing list