password change protocol implementation

Sam Hartman hartmans at MIT.EDU
Fri Feb 13 15:52:26 EST 2004

>>>>> "Ken" == Ken Hornstein <kenh at> writes:

    >>>>>>> "Ken" == Ken Hornstein <kenh at> writes:
    Ken> all you need for directional address support is the
    Ken> approrpriate #ifdef in krb5.h - it looks like everything else
    Ken> is generic enough to support it).
    >>  #ifdef?

    Ken> Sigh.  I mean #define, of course.  E.g.:

You'd also need to add code to the comparison functions so that
directional addresses compare correctly and are checked.

    Ken> #define ADDRTYPE_DIRECTION 0x0003
    Ken> we had a discussion about password changing from behind a
    Ken> NAT, the answer to my issue regarding this was "Use the
    Ken> directional address type".  Now it seems that _isn't_ the
    Ken> right answer.

It certainly is the right answer for new password changing protocol.

It's probably your best answer for behind a NAT; it is still a wrong

    >> If you can get Microsoft and Heimdal to agree that by the time
    >> they have people using change pasword for IPV6 they will have
    >> directional address support, then it's ok to use for IPV6.

    Ken> Comments from the MS/Heimdal camp?

I don't think they read krbdev.

    >> If you know that it will fail for IPV4--for example because you
    >> are a client and have a private address for yourself and a
    >> global address for the KDC, then using directional addresses is
    >> probably OK.
    >> It might also be reasonable to try without directional
    >> addresses for IPV4 and then retry with directional addresses.

    Ken> Hm, that may be a better option.  I'll work on that and see
    Ken> how feasible that is.  If you get a reasonable error back, it
    Ken> should be okay.

Yes.  I hope this option works.

More information about the krbdev mailing list