kprop with multiple or NATted IP address

Greg Hudson ghudson at mit.edu
Fri Jan 3 15:36:01 EST 2020


On 1/3/20 1:06 PM, Jeffrey T. Hutzelman wrote:
> Rather than making complex changes to the protocol, why not switch to directional addresses? Certainly the client and server would have to agree on this, but for kprop, a command-line switch would be sufficient.

I was considering a change like
https://github.com/krb5/krb5/commit/b91da5a4c7efc189dcfe57c4de2a8e8673102295 which
is only complicated in the analysis.  And on further consideration,
removing kpropd's check of the client address should clearly be
safe--kpropd only receives one KRB-SAFE message, before it sends
anything to the client.

We never implemented directional addresses.  It's possible that they
would be trivial to implement.

