krb5_rd_cred checks IP address.

Sam Hartman hartmans at MIT.EDU
Thu Feb 7 14:36:01 EST 2002

amu recently filed a Debian bug against my ssh-krb5 package
complaining that when he forwarded addressless tickets from behind a
NAT using ssh protocol version 1 to a new server, it didn't work.  It
turns out all of those qualifiers are necessary to reproduce the bug;
change one and it works fine.  Well, OK, if you get addressful tickets
behind a NAT, it fails much earlier

Here's the problem.  Our implementation of krb5_rd_cread checks the
source address to make sure it matches the source address in the
KRB-CRED structure.  It turns out it only does this if the krb-cred
structure is encrypted.  It turns out that you'll only encrypt the
structure under the ssh v1 forwarding mechanism when a new client
talks to a new server.

I'm not really sure what good this check does other than to screw over
NAT users.  Even if we pretend that we actually still care about IP
address authentication what is the harm of accepting tickets from
someone provided that they work?

I'm really not sure how to go about fixing this problem.  I could see
solving in several ways and am not sure which one the community
prefers.  Do we remove the check on the source address?  Do we do
something special if you are forwarding addressless tickets?  

More information about the krbdev mailing list