524 and NAT

Ben Creech bpcreech at eos.ncsu.edu
Thu Jan 16 01:00:01 EST 2003


On Thu, 2003-01-16 at 00:21, John Hascall wrote:
> I think that I'm leaning toward something like putting
> the option in krb5.conf like this:
> 
> >> At one point I hacked localaddr.c to add a proxy_gateway field to
> >> krb5.conf à la NCSA's patch for their Kerberos distro.  With a cable
> >> modem it's easy enough to manually alter krb5.conf on the relatively
> >> rare occasions that the IP changes.
> 
> but having the krb524d treat a special value (like 255.255.255.255)
> as "use the address this came in on" (i.e. the public NAT address).

That would work fine, but one caveat is that it would weaken the
security by allowing any cracked k5 ticket for a specific set of
addresses to be converted to a k4 ticket for any address.






