password change protocol implementation

Ken Hornstein kenh at
Fri Feb 13 18:03:13 EST 2004

>      They never seemed that hard to me, but perhaps I'm
>      missing some subtlety.  Certainly it was a lot less
>      trouble than figuring out how to use that GSS glarp.
>      I mean what's so hard about krb5_rd_priv(ctx, actx, &in, &out, NULL);

Sure, _that_ actual function call isn't hard.  It's the tons of crap you have
to set up to get to that point. For example ...

	krb5_auth_con_init(ctx, &actx);
	krb5_auth_con_setflags(ctx, actx, KRB5_AUTH_CON_DO_SEQUENCE);

	<< extract out the IP address of you and your peer, which is
	   really the big pain >>

	krb5_auth_con_setaddrs(ctx, actx, ...);

	And then there's the whole lossage that you really only want
	the "local" address on the mk_priv side, and you want the
	"remote" address on the rd_priv side.

So, now ... let's throw in a multihomed server.  Let's also throw in
a connectionless protocol.  And if you're behind a NAT ...

>> - If you use them today, your protocol won't work from behind a NAT (hence
>>   the reason the stock MIT code doesn't support password changing from
>>   behind a NAT).
>      But NATs are evil and IPv6 will make them go away, right? (*pleads*)  :)

Hey, I hope so too, but in the meantime ...


More information about the krbdev mailing list