[krbdev.mit.edu #3427] NAT causes password change to fail with Bad Address
Sam Hartman via RT
rt-comment at krbdev.mit.edu
Fri Jan 27 23:18:05 EST 2006
Hi. I'm very uncomfortable accepting this patch. I definitely would
not want to accept a patch that always ignored the address for
krb5_rd_priv, and it would require significant convincing to decide
that a patch targeted at the change password protocol would be a good
idea.
Not checking the source address is a direct violation of RFC 4120.
The reason the requirement is there is to avoid reflection attacks.
It's not clear to me that the password protocol is vulnerable to
reflection attacks however.
The right "fix" for this would be to implement directional addresses
(see RFC 4120) and to implement support for them in the change
password protocol.
More information about the krb5-bugs
mailing list