password change protocol implementation
Sam Hartman
hartmans at MIT.EDU
Fri Feb 13 15:52:26 EST 2004
>>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
>>>>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
>>
Ken> all you need for directional address support is the
Ken> appropriate #ifdef in krb5.h - it looks like everything else
Ken> is generic enough to support it).
>> #ifdef?
Ken> Sigh. I mean #define, of course. E.g.:
You'd also need to add code to the comparison functions so that
directional addresses compare correctly and are checked.
Ken> #define ADDRTYPE_DIRECTION 0x0003
Ken> we had a discussion about password changing from behind a
Ken> NAT, the answer to my issue regarding this was "Use the
Ken> directional address type". Now it seems that _isn't_ the
Ken> right answer.
It certainly is the right answer for new password changing protocol.
It's probably your best answer for behind a NAT; it is still a wrong
answer.
>> If you can get Microsoft and Heimdal to agree that by the time
>> they have people using change password for IPV6 they will have
>> directional address support, then it's ok to use for IPV6.
Ken> Comments from the MS/Heimdal camp?
I don't think they read krbdev.
>> If you know that it will fail for IPV4--for example because you
>> are a client and have a private address for yourself and a
>> global address for the KDC, then using directional addresses is
>> probably OK.
>>
>> It might also be reasonable to try without directional
>> addresses for IPV4 and then retry with directional addresses.
Ken> Hm, that may be a better option. I'll work on that and see
Ken> how feasible that is. If you get a reasonable error back, it
Ken> should be okay.
Yes. I hope this option works.
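
One way the comparison code mentioned above could treat directional addresses, as an added example that is not from this thread or from the MIT krb5 source. `struct host_addr`, `sender_addr_ok` and the sample addresses are hypothetical, and the 4-byte 0/1 encoding is assumed from RFC 4120.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADDRTYPE_INET      0x0002
#define ADDRTYPE_DIRECTION 0x0003  /* value quoted in the thread */

/* Hypothetical stand-in for a Kerberos host address; not the krb5.h type. */
struct host_addr { int type; size_t length; const uint8_t *contents; };

/* Assumed encoding (RFC 4120): 4 bytes, network order; 0 = sent by the
 * party that sent the AP-REQ, 1 = sent by the party that received it. */
enum { DIR_INITIATOR = 0, DIR_ACCEPTOR = 1 };

/* Check the sender address of a received message. `my_role` is our own
 * direction value; `peer` is the network address we expect otherwise. */
int sender_addr_ok(const struct host_addr *s, const struct host_addr *peer,
                   uint32_t my_role)
{
    if (s == NULL || s->contents == NULL)
        return 0;
    if (s->type == ADDRTYPE_DIRECTION) {
        if (s->length != 4)
            return 0;                          /* malformed */
        uint32_t dir = (uint32_t)s->contents[0] << 24 | (uint32_t)s->contents[1] << 16
                     | (uint32_t)s->contents[2] << 8 | (uint32_t)s->contents[3];
        /* Must be a known direction, and not our own (a reflected message). */
        return (dir == DIR_INITIATOR || dir == DIR_ACCEPTOR) && dir != my_role;
    }
    /* Ordinary address: type, length and bytes must all match. */
    return peer != NULL && peer->contents != NULL && s->type == peer->type &&
           s->length == peer->length &&
           memcmp(s->contents, peer->contents, s->length) == 0;
}

/* Constructed sample data: a client behind a NAT talking to a server. */
static const uint8_t d0[4] = {0, 0, 0, 0}, d1[4] = {0, 0, 0, 1}, d7[4] = {0, 0, 0, 7};
static const uint8_t private_ip[4] = {10, 0, 0, 5}, public_ip[4] = {192, 0, 2, 10};
static const struct host_addr from_client = {ADDRTYPE_DIRECTION, 4, d0};
static const struct host_addr from_server = {ADDRTYPE_DIRECTION, 4, d1};
static const struct host_addr bad_dir     = {ADDRTYPE_DIRECTION, 4, d7};
static const struct host_addr claimed     = {ADDRTYPE_INET, 4, private_ip};
static const struct host_addr seen        = {ADDRTYPE_INET, 4, public_ip};

int main(void)
{
    printf("server, IPv4 sender behind NAT: %d\n", sender_addr_ok(&claimed, &seen, DIR_ACCEPTOR));
    printf("server, directional sender:     %d\n", sender_addr_ok(&from_client, &seen, DIR_ACCEPTOR));
    return 0;
}
```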