password change protocol implementation

Sam Hartman hartmans at MIT.EDU
Fri Feb 13 15:17:42 EST 2004

>>>>> "Ken" == Ken Hornstein <kenh at> writes:

    Ken> all you need for directional address support is the
    Ken> appropriate #ifdef in krb5.h - it looks like everything else
    Ken> is generic enough to support it).


    Ken> Would MIT accept such a rewritten chpw client and server?

Yes, mod code quality concerns.

    Ken> Hm, I can think of one "interesting" problem.  How does one
    Ken> migrate to directional address support for protocols that use
    Ken> KRB_PRIV or KRB_SAFE?  For IPv6, it's easy, but I'm not sure
    Ken> how the chpw client can discover whether or not a server can
    Ken> support a directional address bit for IPv4.  I suppose the
    Ken> implementation could only use the directional address type
    Ken> for IPv6, but that seems sub-optimal.

Quoting clarifications:
       Directional addresses MUST only be used for the sender address
       field in the KRB_SAFE or KRB_PRIV messages. They MUST NOT be used
       as a ticket address or in a KRB_AP_REQ message. This address type
       SHOULD only be used in situations where the sending party knows
       that the receiving party supports the address type. This generally
       means that directional addresses may only be used when the
       application protocol requires their support. 

So basically the password server shouldn't be using directional
addresses at all.  If you can get Microsoft and Heimdal to agree that
by the time they have people using change password for IPV6 they will
have directional address support, then it's ok to use for IPV6.

If you know that it will fail for IPV4--for example because you are a
client and have a private address for yourself and a global address
for the KDC, then using directional addresses is probably OK.

It might also be reasonable to try without directional addresses for
IPV4 and then retry with directional addresses.
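The selection and retry rules from the post, written out as a Python sketch. This is an added illustration, not code from the krb5 chpw client or any of the implementations mentioned; the address-type tags, the SenderAddr type and the server_accepts callback are hypothetical stand-ins, since the post gives no numeric type codes or API.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Address-type tags used by this sketch. The real numeric Kerberos type codes
# are not given in the post, so these are hypothetical labels.
ADDR_IPV4 = "ipv4"
ADDR_IPV6 = "ipv6"
ADDR_DIRECTIONAL = "directional"   # sender-address-only type, never a ticket address


@dataclass(frozen=True)
class SenderAddr:
    addr_type: str
    value: str   # literal address, or the direction marker for ADDR_DIRECTIONAL


def looks_natted(client: str, kdc: str) -> bool:
    """Client holds a private IPv4 address while the KDC has a global one: the
    literal sender address will not match what the server sees, so a KRB_PRIV
    carrying it is expected to fail."""
    c, k = ipaddress.ip_address(client), ipaddress.ip_address(kdc)
    return c.version == 4 and c.is_private and k.is_global


def choose_sender_addr(client: str, kdc: str, peer_supports_directional: bool) -> SenderAddr:
    """Pick the KRB_PRIV sender address following the rules in the post:
    IPv6 may use directional only if the peer is known to support it; IPv4
    uses it only where a literal address is known to fail."""
    c = ipaddress.ip_address(client)
    if c.version == 6:
        if peer_supports_directional:
            return SenderAddr(ADDR_DIRECTIONAL, "sender")
        return SenderAddr(ADDR_IPV6, client)
    if looks_natted(client, kdc):
        return SenderAddr(ADDR_DIRECTIONAL, "sender")
    return SenderAddr(ADDR_IPV4, client)


def change_password_with_retry(client: str, kdc: str,
                               server_accepts: Callable[[SenderAddr], bool]) -> Optional[SenderAddr]:
    """Fallback strategy: try the literal address first and retry with a
    directional sender address if the server rejects it. server_accepts is a
    constructed stand-in for the kpasswd exchange, not a real network call."""
    first = choose_sender_addr(client, kdc, peer_supports_directional=False)
    if server_accepts(first):
        return first
    if first.addr_type == ADDR_DIRECTIONAL:
        return None
    retry = SenderAddr(ADDR_DIRECTIONAL, "sender")
    return retry if server_accepts(retry) else None
```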
