kprop with multiple or NATted IP address
Greg Hudson
ghudson at mit.edu
Fri Jan 3 15:36:01 EST 2020
On 1/3/20 1:06 PM, Jeffrey T. Hutzelman wrote:
> Rather than making complex changes to the protocol, why not switch to directional addresses? Certainly the client and server would have to agree on this, but for kprop, a command-line switch would be sufficient.
I was considering a change like
https://github.com/krb5/krb5/commit/b91da5a4c7efc189dcfe57c4de2a8e8673102295 which
is only complicated in the analysis. And on further consideration,
removing kpropd's check of the client address should clearly be
safe--kpropd only receives one KRB-SAFE message, before it sends
anything to the client.
We never implemented directional addresses. It's possible that they
would be trivial to implement.