password change protocol implementation
Sam Hartman
hartmans at MIT.EDU
Fri Feb 13 15:17:42 EST 2004
>>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
Ken> all you need for directional address support is the
Ken> appropriate #ifdef in krb5.h - it looks like everything else
Ken> is generic enough to support it).
#ifdef?
Ken> Would MIT accept such a rewritten chpw client and server?
Yes, mod code quality concerns.
Ken> Hm, I can think of one "interesting" problem. How does one
Ken> migrate to directional address support for protocols that use
Ken> KRB_PRIV or KRB_SAFE? For IPv6, it's easy, but I'm not sure
Ken> how the chpw client can discover whether or not a server can
Ken> support a directional address bit for IPv4. I suppose the
Ken> implementation could only use the directional address type
Ken> for IPv6, but that seems sub-optimal.
Quoting clarifications:
Directional addresses MUST only be used for the sender address
field in the KRB_SAFE or KRB_PRIV messages. They MUST NOT be used
as a ticket address or in a KRB_AP_REQ message. This address type
SHOULD only be used in situations where the sending party knows
that the receiving party supports the address type. This generally
means that directional addresses may only be used when the
application protocol requires their support.
So basically the password server shouldn't be using directional
addresses at all. If you can get Microsoft and Heimdal to agree that
by the time they have people using change password for IPv6 they will
have directional address support, then it's ok to use for IPv6.
If you know that it will fail for IPv4--for example because you are a
client and have a private address for yourself and a global address
for the KDC, then using directional addresses is probably OK.
It might also be reasonable to try without directional addresses for
IPv4 and then retry with directional addresses.
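The decision this message sketches, written out as an added Python example that is not part of the thread or of any Kerberos implementation: directional addresses only where the quoted clarification allows them, straight to directional for a client with a private address talking to a global KDC, and otherwise a plain address first with a directional retry. The address type numbers come from RFC 4120 section 8.1; the send hook, the sample addresses and the NAT-style sender check are constructed stand-ins.

```python
import ipaddress
from typing import Callable, List, Optional

# Address type numbers from RFC 4120 section 8.1 (not quoted in the thread).
ADDRTYPE_IPV4 = 2
ADDRTYPE_DIRECTIONAL = 3
ADDRTYPE_IPV6 = 24


def directional_allowed(message_type: str, field: str) -> bool:
    """The quoted clarification: directional addresses are permitted only as
    the sender address of KRB_SAFE / KRB_PRIV, never in a ticket or KRB_AP_REQ."""
    return message_type in ("KRB_SAFE", "KRB_PRIV") and field == "sender"


def plan_attempts(client_ip: str, kdc_ip: str,
                  peer_supports_directional: bool = False) -> List[int]:
    """Order in which a chpw client should try sender address types."""
    client, kdc = ipaddress.ip_address(client_ip), ipaddress.ip_address(kdc_ip)
    if client.version != kdc.version:
        raise ValueError("client and KDC address families differ")
    if client.version == 6:
        # IPv6: directional only once the peer is known to support it.
        return [ADDRTYPE_DIRECTIONAL] if peer_supports_directional else [ADDRTYPE_IPV6]
    # Private client address, global KDC: the KDC will see a translated source
    # address and a plain host-address check is bound to fail, so go straight
    # to directional. Note that Python classifies the RFC 5737 documentation
    # ranges (192.0.2/24 etc.) as non-global, so tests use another address.
    if client.is_private and not kdc.is_private:
        return [ADDRTYPE_DIRECTIONAL]
    # Otherwise: try the plain address first, retry with directional.
    return [ADDRTYPE_IPV4, ADDRTYPE_DIRECTIONAL]


def change_password(send: Callable[[int], bool], attempts: List[int]) -> Optional[int]:
    """Run the attempts in order; return the address type that succeeded, or None.
    `send` is a hypothetical transport hook: address type in, success out."""
    for addrtype in attempts:
        if send(addrtype):
            return addrtype
    return None


def make_nat_server(claimed_src: str, observed_src: str) -> Callable[[int], bool]:
    """Constructed stand-in for a password server's sender-address check:
    a directional sender carries no host address to compare, a plain one
    must match the source address the server actually observed."""
    def accept(addrtype: int) -> bool:
        if addrtype == ADDRTYPE_DIRECTIONAL:
            return True
        return claimed_src == observed_src
    return accept
```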