fetch 4.0 with kerberos and apple airport network

Alexandra Ellwood lxs at MIT.EDU
Tue Aug 27 10:33:00 EDT 2002

>The original K4 spec (at least any that I have seen) would have you
>believe that K4 will not work from behind a NAT. In fact, we could
>argue that a properly implemented K4 service would absolutely not
>work from behind a NAT. Fact is, many K4 services DO work from
>behind a NAT, including the Ticket Granting Service itself! In
>fact, I am sending this message from Apple's Mail.app program under
>Jaguar from behind NAT and it works just fine. I've also used
>telnet and a slew of Cornell "in house" kerberized applications
>without issue. The only kerberized service I've come across which
>did not work from behind a NAT was the kerberized CVS service! I
>haven't tried ftp, so I can't speak for that service...

The reason you can get TGTs is because most sites have turned off the 
address checking requirement in their KDCs.  It's a compile-time 

Services such as kpop and klpr work because they're using krb4 in the 
stupidest way possible.  Unfortunately these services have the 
problem that you are authenticated to the server, but the server 
isn't authenticated to you.  So your client can easily be tricked 
into sending data to a malicious server.

Mutual-auth servers do perform address checking and do not work behind a NAT.

Of course since the krb4 "address checking" is just a direction bit 
(representing the sign of the difference between the client and 
server addresses in VAX byte order), you actually have a reasonable 
chance of mutual auth working too.  You just have to get lucky with 
your NAT addresses (or choose carefully).

Given that the problem is subtle and reasonably complex, from a help 
desk standpoint it's best to tell users that NATs aren't supported by 
Kerberos 4.  Otherwise you run the risk of frustrating them with 
seemingly random behavior.

Alexandra Ellwood                                               <lxs at mit.edu>
MIT Information Systems                               http://mit.edu/lxs/www/
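
The direction-bit behaviour described in the message above, as an added sketch that is not part of the original post or of the krb4 source: it models only the address comparison the message describes, and the function names and sample addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample addresses (RFC 1918 and RFC 5737 ranges). */
static const uint8_t CLIENT_PRIVATE[4] = {10, 0, 1, 2};      /* address the client believes it has */
static const uint8_t SERVER[4]         = {192, 0, 2, 50};
static const uint8_t NAT_A[4]          = {198, 51, 100, 7};  /* address the server sees, case A */
static const uint8_t NAT_B[4]          = {203, 0, 113, 200}; /* address the server sees, case B */

/* Read the four octets a.b.c.d (network order) as a little-endian
 * ("VAX byte order") integer, so the LAST octet is the most significant. */
static uint32_t vax_order(const uint8_t ip[4]) {
    return (uint32_t)ip[0] | ((uint32_t)ip[1] << 8) |
           ((uint32_t)ip[2] << 16) | ((uint32_t)ip[3] << 24);
}

/* Hypothetical helper: 1 when sender < receiver in VAX byte order,
 * i.e. the sign of the address difference the message refers to. */
int direction_bit(const uint8_t sender[4], const uint8_t receiver[4]) {
    return vax_order(sender) < vax_order(receiver);
}

/* The client derives the bit from its private address; the server derives
 * it from the NAT's public address. The check only passes if both agree. */
int nat_check_passes(const uint8_t client_private[4],
                     const uint8_t nat_public[4],
                     const uint8_t server[4]) {
    return direction_bit(client_private, server) ==
           direction_bit(nat_public, server);
}

int main(void) {
    printf("client-side bit: %d\n", direction_bit(CLIENT_PRIVATE, SERVER));
    printf("NAT A: %s\n", nat_check_passes(CLIENT_PRIVATE, NAT_A, SERVER)
                              ? "bits agree, check passes"
                              : "bits differ, check fails");
    printf("NAT B: %s\n", nat_check_passes(CLIENT_PRIVATE, NAT_B, SERVER)
                              ? "bits agree, check passes"
                              : "bits differ, check fails");
    return 0;
}
```

Both NAT addresses are numerically larger than the server's in ordinary dotted-quad order, yet only one of them flips the bit, because the comparison is dominated by the last octet. That is the "seemingly random behavior" a help desk would see.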
