password change protocol implementation
kenh at cmf.nrl.navy.mil
Fri Feb 13 15:37:49 EST 2004
>>>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
> Ken> all you need for directional address support is the
> Ken> appropriate #ifdef in krb5.h - it looks like everything else
> Ken> is generic enough to support it).
Sigh. I mean #define, of course. E.g.:
#define ADDRTYPE_DIRECTION 0x0003
> Directional addresses MUST only be used for the sender address
> field in the KRB_SAFE or KRB_PRIV messages. They MUST NOT be used
> as a ticket address or in a KRB_AP_REQ message. This address type
> SHOULD only be used in situations where the sending party knows
> that the receiving party supports the address type. This generally
> means that directional addresses may only be used when the
> application protocol requires their support.
>So basically the password server shouldn't be using directional
>addresses at all.
This presents an interesting problem, doesn't it? Back when we had
a discussion about password changing from behind a NAT, the answer
to my issue regarding this was "Use the directional address type".
Now it seems that _isn't_ the right answer.
>If you can get Microsoft and Heimdal to agree that
>by the time they have people using change password for IPV6 they will
>have directional address support, then it's ok to use for IPV6.
Comments from the MS/Heimdal camp?
>If you know that it will fail for IPV4--for example because you are a
>client and have a private address for yourself and a global address
>for the KDC, then using directional addresses is probably OK.
>It might also be reasonable to try without directional addresses for
>IPV4 and then retry with directional addresses.
Hm, that may be a better option. I'll work on that and see how feasible
that is. If you get a reasonable error back, it should be okay.
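As an added illustration (not code from the thread or from any Kerberos implementation), the snippet below DER-encodes a Kerberos HostAddress for an IPv4 sender address and for a directional one using the ADDRTYPE_DIRECTION value quoted above, then runs the "try IPv4 first, retry with a directional address on rejection" fallback against a constructed stand-in for a password server. It assumes the directional address body is a 4-octet network-order integer (RFC 4120 section 7.1) with 0 denoting the initiator; the server class, its "ERR_BADADDR" reply string and the sample addresses are all constructed here.

```python
ADDRTYPE_INET = 0x0002       # IPv4, from the RFC 4120 address-type table
ADDRTYPE_DIRECTION = 0x0003  # value from the #define quoted in the message


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV; enough for bodies shorter than 128 bytes."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def host_address(addr_type: int, address: bytes) -> bytes:
    """HostAddress ::= SEQUENCE { addr-type [0] Int32, address [1] OCTET STRING }."""
    return _der(0x30, _der(0xA0, _der(0x02, bytes([addr_type])))
                + _der(0xA1, _der(0x04, address)))


def ipv4_address(dotted: str) -> bytes:
    return host_address(ADDRTYPE_INET, bytes(int(o) for o in dotted.split(".")))


def directional_address(direction: int) -> bytes:
    # Assumption: 4-octet unsigned integer, network byte order, 0 = initiator.
    return host_address(ADDRTYPE_DIRECTION, direction.to_bytes(4, "big"))


class FakePasswordServer:
    """Constructed stand-in for a kpasswd server: an IPv4 sender address must
    match the address the datagram actually arrived from (this is what breaks
    behind a NAT); a directional address is accepted only if supported."""

    def __init__(self, supports_directional: bool):
        self.supports_directional = supports_directional

    def handle(self, sender_addr: bytes, seen_from: str) -> str:
        addr_type = sender_addr[6]  # the addr-type INTEGER value (one byte here)
        if addr_type == ADDRTYPE_DIRECTION:
            return "OK" if self.supports_directional else "ERR_BADADDR"
        return "OK" if sender_addr == ipv4_address(seen_from) else "ERR_BADADDR"


def change_password_with_fallback(server, local_ipv4: str, public_ipv4: str) -> str:
    """First attempt uses the client's own IPv4 address; if the server rejects it
    (e.g. because NAT rewrote the source), retry with a directional address."""
    if server.handle(ipv4_address(local_ipv4), public_ipv4) == "OK":
        return "ipv4"
    if server.handle(directional_address(0), public_ipv4) == "OK":
        return "directional"
    return "failed"
```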