password change protocol implementation
Ken Hornstein
kenh at cmf.nrl.navy.mil
Fri Feb 13 18:03:13 EST 2004
> They never seemed that hard to me, but perhaps I'm
> missing some subtlety. Certainly it was a lot less
> trouble than figuring out how to use that GSS glarp.
>
> I mean what's so hard about krb5_rd_priv(ctx, actx, &in, &out, NULL);
Sure, _that_ actual function call isn't hard. It's the tons of crap you have
to set up to get to that point. For example ...
krb5_auth_con_init(ctx, &actx);
krb5_auth_con_setflags(ctx, actx, KRB5_AUTH_CON_DO_SEQUENCE);
<< extract out the IP address of you and your peer, which is
really the big pain >>
krb5_auth_con_setaddrs(ctx, actx, ...);
And then there's the whole lossage that you really only want
the "local" address on the mk_priv side, and you want the
"remote" address on the rd_priv side.
So, now ... let's throw in a multihomed server. Let's also throw in
a connectionless protocol. And if you're behind a NAT ...
>> - If you use them today, your protocol won't work from behind a NAT (hence
>> the reason the stock MIT code doesn't support password changing from
>> behind a NAT).
>
> But NATs are evil and IPv6 will make them go away, right? (*pleads*) :)
Hey, I hope so too, but in the meantime ...
--Ken
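The address checks that make this setup painful, as an added illustration that is not part of Ken's message and not the libkrb5 API: a simplified C model of how a KRB-PRIV receiver compares the sender address carried in the message against the remote address it configured, and an optional recipient address against its own local address. The struct and function names (auth_ctx_model, model_mk_priv, model_rd_priv, the scenario_* helpers) and all IP addresses are constructed for this example; the scenarios reproduce the direct case, the client-behind-NAT failure and the multihomed-server failure discussed above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of KRB-PRIV address checking. This is NOT
 * the libkrb5 API; "payload" stands in for the encrypted user data. */
typedef struct { uint8_t o[4]; } ipv4_addr;

typedef struct {
    bool have_local;  ipv4_addr local;   /* the "local" address of setaddrs */
    bool have_remote; ipv4_addr remote;  /* the "remote" address of setaddrs */
} auth_ctx_model;

typedef struct {
    ipv4_addr s_address;                      /* sender address: mandatory */
    bool have_r_address; ipv4_addr r_address; /* recipient address: optional */
    char payload[64];
} krb_priv_model;

enum { MODEL_OK = 0, MODEL_ERR_NO_LOCAL = 1, MODEL_ERR_BADADDR = 2 };

static ipv4_addr ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    ipv4_addr r = {{a, b, c, d}};
    return r;
}

static bool ip4_eq(ipv4_addr x, ipv4_addr y)
{
    return memcmp(x.o, y.o, sizeof x.o) == 0;
}

/* Sender side: the local address becomes s-address (required); the remote
 * address, if the sender set one, becomes r-address. */
int model_mk_priv(const auth_ctx_model *ac, const char *text, krb_priv_model *out)
{
    if (!ac->have_local)
        return MODEL_ERR_NO_LOCAL;
    memset(out, 0, sizeof *out);
    out->s_address = ac->local;
    if (ac->have_remote) {
        out->have_r_address = true;
        out->r_address = ac->remote;
    }
    snprintf(out->payload, sizeof out->payload, "%s", text);
    return MODEL_OK;
}

/* Receiver side: s-address must equal the configured remote address, and an
 * r-address, if present, must equal the configured local address. */
int model_rd_priv(const auth_ctx_model *ac, const krb_priv_model *msg,
                  char *out, size_t outlen)
{
    if (!ac->have_remote || !ip4_eq(ac->remote, msg->s_address))
        return MODEL_ERR_BADADDR;
    if (msg->have_r_address &&
        (!ac->have_local || !ip4_eq(ac->local, msg->r_address)))
        return MODEL_ERR_BADADDR;
    snprintf(out, outlen, "%s", msg->payload);
    return MODEL_OK;
}

/* One client->server exchange; returns the receiver's verdict. The server's
 * remote address is whatever source address it observed on the wire. */
static int run_exchange(ipv4_addr client_local, bool client_sets_remote,
                        ipv4_addr client_remote, ipv4_addr server_local,
                        ipv4_addr observed_source)
{
    auth_ctx_model client = { true, client_local, client_sets_remote, client_remote };
    auth_ctx_model server = { true, server_local, true, observed_source };
    krb_priv_model msg;
    char buf[64];
    if (model_mk_priv(&client, "password change request", &msg) != MODEL_OK)
        return MODEL_ERR_NO_LOCAL;
    return model_rd_priv(&server, &msg, buf, sizeof buf);
}

/* Direct path: client 192.0.2.10 to a single-homed server 198.51.100.5. */
int scenario_direct(void)
{
    return run_exchange(ip4(192,0,2,10), true, ip4(198,51,100,5),
                        ip4(198,51,100,5), ip4(192,0,2,10));
}

/* Client behind NAT: it only knows its private address 10.0.0.7, but the
 * server sees the NAT's public address 203.0.113.9 as the packet source. */
int scenario_behind_nat(void)
{
    return run_exchange(ip4(10,0,0,7), true, ip4(198,51,100,5),
                        ip4(198,51,100,5), ip4(203,0,113,9));
}

/* Multihomed server: the client sent to interface 198.51.100.6, but the
 * server's auth context was filled in with its other interface 198.51.100.5. */
int scenario_multihomed(void)
{
    return run_exchange(ip4(192,0,2,10), true, ip4(198,51,100,6),
                        ip4(198,51,100,5), ip4(192,0,2,10));
}

/* Same multihomed server, but the client left the remote address unset, so
 * no r-address is emitted and only the sender-address check applies. */
int scenario_multihomed_no_remote(void)
{
    return run_exchange(ip4(192,0,2,10), false, ip4(0,0,0,0),
                        ip4(198,51,100,5), ip4(192,0,2,10));
}

int main(void)
{
    printf("direct=%d nat=%d multihomed=%d multihomed_no_remote=%d\n",
           scenario_direct(), scenario_behind_nat(),
           scenario_multihomed(), scenario_multihomed_no_remote());
    return 0;
}
```

The last two scenarios are the reason for only setting the local address on the mk_priv side: once the sender also embeds the server's address, the server's own view of its local interface has to agree with it, which is exactly what a multihomed host cannot promise. The NAT scenario fails on the mandatory sender address alone, so no setting on the client side rescues it; that is why a protocol that relies on these checks cannot be used from behind a NAT.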