Password changing from behind a NAT

Sam Hartman hartmans at MIT.EDU
Mon Oct 20 11:34:14 EDT 2003

>>>>> "Ken" == Ken Hornstein <kenh at> writes:

    Ken> I'm wondering if anyone has noticed that password changing
    Ken> fails from behind a NAT?  This happens because the password
    Ken> changing protocol uses KRB_PRIV, which requires a source
    Ken> address, which always ends up failing if you're behind a NAT.

    Ken> The only obvious solution I see is to make krb_rd_priv()
    Ken> ignore the source address in a KRB_PRIV.  Code-wise, this is
    Ken> easy; I'm just wondering if anyone has any suggestions on the
    Ken> best way to do this in terms of the API.

We do not consider this a solution because of the reflection problems.
Pre-clarifications, krb_priv is inherently NAT unfriendly.

I don't think we would accept a patch to do this.

My recommendation would be to implement directional address support on
the server all the time, and to cause clients to send directional
addresses if they notice they are using a private address and talking
to something on a public address.  Long term, we can always use
directional addresses, but that creates interop problems now.
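To make the trade-off concrete, here is an added Python model (not code from MIT Kerberos or from either poster) of the three address policies discussed above: the classic observed-source check, the ignore-the-address variant, and directional addresses. The IP addresses and the 0/1 direction encoding are constructed assumptions, not the protocol's wire format.

```python
from dataclasses import dataclass
from typing import Optional

CLIENT_TO_SERVER, SERVER_TO_CLIENT = 0, 1  # assumed encoding of the directional address

@dataclass(frozen=True)
class KrbPriv:
    """Constructed stand-in for a KRB_PRIV: only the fields the address check looks at."""
    s_address: Optional[str]   # sender's own idea of its IP, inside the encrypted part
    direction: Optional[int]   # directional address, or None for a legacy sender
    body: bytes

def nat_rewrite(public_ip: str) -> str:
    """A NAT rewrites the packet header's source IP; the encrypted s_address is untouched."""
    return public_ip

def rd_priv_strict(msg: KrbPriv, observed_src: str) -> bool:
    """Classic krb_rd_priv: s_address must match the packet source seen on the wire."""
    return msg.s_address == observed_src

def rd_priv_ignore_address(msg: KrbPriv, observed_src: str) -> bool:
    """Proposed shortcut: never look at the address, so nothing binds the message to a peer."""
    return True

def rd_priv_directional(msg: KrbPriv, observed_src: str, expected_direction: int) -> bool:
    """Directional address binds the message to its direction of travel, which a NAT cannot
    mangle; legacy senders without one fall back to the strict address check."""
    if msg.direction is not None:
        return msg.direction == expected_direction
    return msg.s_address == observed_src

def run_scenarios() -> dict:
    private_ip, nat_public_ip = "10.0.0.5", "203.0.113.7"   # constructed addresses
    legacy = KrbPriv(private_ip, None, b"set-password")
    directional = KrbPriv(private_ip, CLIENT_TO_SERVER, b"set-password")
    seen_by_server = nat_rewrite(nat_public_ip)
    return {
        # Behind a NAT the classic check fails: 10.0.0.5 != 203.0.113.7
        "strict_behind_nat": rd_priv_strict(legacy, seen_by_server),
        # Ignoring addresses works through the NAT but also accepts the same message
        # reflected back to the client, where it should look like server->client traffic
        "ignore_reflected": rd_priv_ignore_address(directional, private_ip),
        # Directional address: accepted through the NAT ...
        "directional_behind_nat": rd_priv_directional(directional, seen_by_server, CLIENT_TO_SERVER),
        # ... while the client still rejects its own message reflected back to it
        "directional_reflected": rd_priv_directional(directional, private_ip, SERVER_TO_CLIENT),
    }
```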
