524 and NAT

Ken Hornstein kenh at cmf.nrl.navy.mil
Thu Jan 16 11:06:00 EST 2003


>> >> At one point I hacked localaddr.c to add a proxy_gateway field to
>> >> krb5.conf ala NCSA's patch for their Kerberos distro.

That's actually a patch we gave to NCSA originally, just FYI.

>> >>With a cable
>> >> modem it's easy enough to manually alter krb5.conf on the relatively
>> >> rare occasions that the IP changes.
>> 
>> but having the krb524d treat a special value (like 255.255.255.255)
>> as use the address this came in on (i.e. the public NAT address).
>
>That would work fine, but one caveat is that it would weaken the
>security by allowing any cracked k5 ticket for a specific set of
>addresses to be converted to a k4 ticket for any address.

Sigh.  Let me give you my opinion, based on years of experience: it's
not worth the trouble.

I tried for years to work around the NAT problem.  Basically, having
a user modifying their krb5.conf (or equivalent) just sucks.  As you
have noted, there is no good way for someone to discover their NATted
address, at least not one that provides no more security than having
an addressless ticket.

Consider these following points:

- The IP address in a Kerberos ticket is not part of the fundamental security
  model of Kerberos.  It's just an additional check.

- If you have forwardable tickets (very likely), then an attacker that manages
  to steal a ticket on a particular machine can very easily forward it
  to any machine he wants.

- We're ditching the proxy_gateway option after years of trying it, and
  are simply going to addressless tickets.

Just my $0.02.

--Ken
