Password changing from behind a NAT
kenh at cmf.nrl.navy.mil
Mon Oct 20 12:30:33 EDT 2003
>The kpasswd protocol may be safe from reflections. I'm very
>uncomfortable with breaking the krb_priv abstraction or introducing a
>general security problem for krb_priv.
No argument there; I was thinking of a specific (maybe even internal)
API that allowed the caller to disable the address checking for
krb_priv. That way applications and protocols that used KRB-PRIV would
still get the same address checking by default. I don't know if that
should be something like krb5_auth_con_setflags(), or whatever. Since
it's likely that y'all won't take the patches back, I guess the
question is moot.
More information about the krbdev