Password changing from behind a NAT
hartmans at MIT.EDU
Mon Oct 20 11:34:14 EDT 2003
>>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
Ken> I'm wondering if anyone has noticed that password changing
Ken> fails from behind a NAT? This happens because the password
Ken> changing protocol uses KRB_PRIV, which requires a source
Ken> address, which always ends up failing if you're behind a NAT.
Ken> The only obvious solution I see is to make krb_rd_priv()
Ken> ignore the source address in a KRB_PRIV. Code-wise, this is
Ken> easy; I'm just wondering if anyone has any suggestions on the
Ken> best way to do this in terms of the API.
We do not consider this a solution because of the reflection problems.
Pre-clarifications, krb_priv is inherently nat unfriendly.
I don't think we would accept a patch to do this.
My recommendation would be to implement directional address support on
the server all the time, and to cause clients to send directional
addresses if they notice they are using a private address and talking
to something on a public address. Long term, we can always use
directional addresses, but that creates interop problems now.
More information about the krbdev