password change protocol implementation

Ken Hornstein kenh at
Fri Feb 13 15:37:49 EST 2004

>>>>>> "Ken" == Ken Hornstein <kenh at> writes:
>    Ken> all you need for directional address support is the
>    Ken> approrpriate #ifdef in krb5.h - it looks like everything else
>    Ken> is generic enough to support it).

Sigh.  I mean #define, of course.  E.g.:

#define ADDRTYPE_DIRECTION      0x0003

>Quoting clarifications:
>       Directional addresses MUST only be used for the sender address
>       field in the KRB_SAFE or KRB_PRIV messages. They MUST NOT be used
>       as a ticket address or in a KRB_AP_REQ message. This address type
>       SHOULD only be used in situations where the sending party knows
>       that the receiving party supports the address type. This generally
>       means that directional addresses may only be used when the
>       application protocol requires their support. 
>So basically the password server shouldn't be using directional
>addresses at all.

This presents an interesting problem, doesn't it?  Back when we had
a discussion about password changing from behind a NAT, the answer
to my issue regarding this was "Use the directional address type".
Now it seems that _isn't_ the right answer.

>If you can get Microsoft and Heimdal to agree that
>by the time they have people using change pasword for IPV6 they will
>have directional address support, then it's ok to use for IPV6.

Comments from the MS/Heimdal camp?

>If you know that it will fail for IPV4--for example because you are a
>client and have a private address for yourself and a global address
>for the KDC, then using directional addresses is probably OK.
>It might also be reasonable to try without directional addresses for
>IPV4 and then retry with directional addresses.

Hm, that may be a better option.  I'll work on that and see how feasible
that is.  If you get a reasonable error back, it should be okay.


More information about the krbdev mailing list