kprop with multiple or NATted IP address

Tom Yu tlyu at mit.edu
Thu Jan 28 16:18:01 EST 2016


Russ Allbery <eagle at eyrie.org> writes:

> Jerry Shipman <jes59 at cornell.edu> writes:
>
>> (I thought about that about 5 minutes after I sent the email — oops.)
>
>> I guess my question is: does kprop do anything other than: secrecy of
>> the data in transmission, integrity of the transmission, kdb5_util
>> dump/load ? Or can I really do the same thing in a cron job (or maybe 2,
>> one on each end) without missing anything important? I guess I would
>> lose out on the possibility of doing incremental propagation.
>
> You lose incremental propagation, but other than that, I'm pretty sure
> kprop/kpropd is just an authenticated copy of a dump and loading it on the
> other end.

The existence of kprop as an independent Kerberos-authenticated service
probably has its roots in a few historical factors that might no longer
be relevant for some deployments.  (I could be misremembering some of
these.)

The krb4 rcp program did not originally provide any encryption of the
file contents.  Neither did the krb4 rsh program that the rcp program
relies on.  These were less of a factor for krb5, but kprop remained an
independent program anyway.

Some particularly cautious operators wanted a minimum amount of attack
surface in a program that handles Kerberos database dumps.  The rcp
program required using rsh, a general-purpose remote shell program.
Also, there was not originally a capability to restrict which commands
the rsh daemon could execute for a given principal.

Having a special-purpose kprop program helps mitigate these risks.  This
program could also be written to avoid ever invoking a general-purpose
shell by hardcoding the names of the programs it runs.

The scp and ssh software consist of considerably more code than
Kerberos-enabled rcp and rsh, so they have a larger attack surface.  You
could reasonably decide that this is an acceptable risk in your
environment.

-Tom
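
One way to constrain the cron-plus-ssh alternative Jerry asks about, as an added example that is not part of this thread or of MIT Kerberos: a replica-side forced-command wrapper that accepts a single verb, reads the dump on stdin and loads it through a hardcoded kdb5_util path, which gives the ssh route the per-key command restriction Tom notes rsh originally lacked. The script name, key path, DUMP_DIR and kdb5_util location are assumptions.

```shell
#!/bin/sh
# Hypothetical replica-side wrapper; not shipped with MIT Kerberos.
# Installed as the only command the master's key may run (assumed entry):
#   command="/usr/local/sbin/kprop-recv",restrict ssh-ed25519 AAAA... master-kprop
# The master's cron job sends the output of "kdb5_util dump" on stdin:
#   kdb5_util dump "$tmp" && ssh -i /etc/krb5kdc/kprop_key replica recv-dump < "$tmp"
set -eu

DUMP_DIR=${DUMP_DIR:-/var/kerberos/krb5kdc}   # assumed replica KDC directory
KDB5_UTIL=${KDB5_UTIL:-/usr/sbin/kdb5_util}   # assumed path, hardcoded on purpose

# Accept only the one allowlisted verb; extra arguments, another program
# name or an empty command are refused before anything is executed.
check_original_command() {
    case "$1" in
        recv-dump) return 0 ;;
        *)         return 1 ;;
    esac
}

# Copy stdin into a private temp file in the KDC directory and hand it to
# kdb5_util load; no shell ever parses data supplied by the client.
recv_dump() {
    umask 077
    tmp=$(mktemp "$DUMP_DIR/from_master.XXXXXX")
    cat > "$tmp"
    # An empty transfer must not be loaded over a live database.
    [ -s "$tmp" ] || { rm -f "$tmp"; return 1; }
    "$KDB5_UTIL" load "$tmp"
    rm -f "$tmp"
}

# Entry point: runs only inside an sshd session (SSH_CONNECTION is set
# there), so the file can be sourced elsewhere to load just the functions.
if [ -n "${SSH_CONNECTION:-}" ]; then
    if check_original_command "${SSH_ORIGINAL_COMMAND:-}"; then
        recv_dump
    else
        echo "kprop-recv: refused command: ${SSH_ORIGINAL_COMMAND:-<none>}" >&2
        exit 1
    fi
fi
```

The client-side `recv-dump` verb never reaches a shell on the replica; sshd passes it only in SSH_ORIGINAL_COMMAND, where the wrapper compares it against the allowlist.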
