password change protocol implementation
John Hascall
john at iastate.edu
Fri Feb 13 18:15:49 EST 2004
> > They never seemed that hard to me, but perhaps I'm
> > missing some subtlety. Certainly it was a lot less
> > trouble than figuring out how to use that GSS glarp.
> > I mean what's so hard about krb5_rd_priv(ctx, actx, &in, &out, NULL);
> Sure, _that_ actual function call isn't hard. It's the tons of crap you have
> to set up to get to that point. For example ...
>
> krb5_auth_con_init(ctx, &actx);
> krb5_auth_con_setflags(ctx, actx, KRB5_AUTH_CON_DO_SEQUENCE);
[optional]
>
> << extract out the IP address of you and your peer, which is
> really the big pain >>
> krb5_auth_con_setaddrs(ctx, actx, ...);
> And then there's the whole lossage that you really only want
> the "local" address on the mk_priv side, and you want the
> "remote" address on the rd_priv side.
Ick. Try just:
krb5_auth_con_genaddrs(ctx, actx, fd, flags);
> So, now ... let's throw in a multihomed server. Let's also throw in
> a connectionless protocol. And if you're behind a NAT ...
I don't see how multihoming makes it harder,
and yes, you'd have to recvfrom if connectionless.
>> But NATs are evil and IPv6 will make them go away, right? (*pleads*) :)
> Hey, I hope so too, but in the meantime ...
John
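
Added example, not part of the original thread and not code from any Kerberos implementation: the address step discussed above, shown with plain sockets so it runs without libkrb5. It reads the local and remote addresses from a connected descriptor on both ends, then shows why a sender whose source address is rewritten in transit fails a receiver-side sender-address comparison. Assumptions: the helper names (addr_view, view_from_fd, sender_ok, make_views, nat_demo) are hypothetical, 192.0.2.10 is a constructed address, and the check is modelled as a bare IPv4 address comparison.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical type: the address pair one endpoint would load into its auth context. */
struct addr_view { struct sockaddr_in local, remote; };

static int view_from_fd(int fd, struct addr_view *v)
{
    socklen_t len = sizeof(v->local);
    if (getsockname(fd, (struct sockaddr *)&v->local, &len) < 0) return -1;
    len = sizeof(v->remote);
    return getpeername(fd, (struct sockaddr *)&v->remote, &len);
}
/* Receiver-side test: the address the sender declared must be the peer address seen. */
static int sender_ok(const struct sockaddr_in *declared, const struct sockaddr_in *seen)
{
    return declared->sin_addr.s_addr == seen->sin_addr.s_addr;
}
/* Connect a loopback TCP pair and fill both views; 0 on success, -1 on error. */
int make_views(struct addr_view *cli, struct addr_view *srv)
{
    /* Port left at 0 so the kernel picks a free one. */
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof(sa);
    int rc = -1, afd = -1;
    int lfd = socket(AF_INET, SOCK_STREAM, 0), cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd >= 0 && cfd >= 0 &&
        bind(lfd, (struct sockaddr *)&sa, sizeof(sa)) == 0 && listen(lfd, 1) == 0 &&
        getsockname(lfd, (struct sockaddr *)&sa, &len) == 0 &&
        connect(cfd, (struct sockaddr *)&sa, sizeof(sa)) == 0 &&
        (afd = accept(lfd, NULL, NULL)) >= 0)
        rc = (view_from_fd(cfd, cli) == 0 && view_from_fd(afd, srv) == 0) ? 0 : -1;
    if (afd >= 0) close(afd);
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    return rc;
}
/* 1 if the direct path passes and a sender behind address rewriting fails; -1 on error. */
int nat_demo(void)
{
    struct addr_view cli, srv, natted;
    if (make_views(&cli, &srv) < 0) return -1;
    natted = cli;  /* same sender, but declaring a constructed private-side address */
    inet_pton(AF_INET, "192.0.2.10", &natted.local.sin_addr);
    return sender_ok(&cli.local, &srv.remote) && !sender_ok(&natted.local, &srv.remote);
}

int main(void) { return nat_demo() == 1 ? 0 : 1; }
```

On the direct loopback path the client's local address equals the server's remote address, so the comparison passes; the rewritten case is the one where the receiver has to decide whether to relax or drop the address check.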