password change protocol implementation

John Hascall john at
Fri Feb 13 18:15:49 EST 2004

> >      They never seemed that hard to me, but perhaps I'm
> >      missing some subtlety.  Certainly it was a lot less
> >      trouble than figuring out how to use that GSS glarp.

> >      I mean what's so hard about krb5_rd_priv(ctx, actx, &in, &out, NULL);

> Sure, _that_ actual function call isn't hard.  It's the tons of crap you have
> to set up to get to that point. For example ...
> 	krb5_auth_con_init(ctx, &actx);

> 	krb5_auth_con_setflags(ctx, actx, KRB5_AUTH_CON_DO_SEQUENCE);
> 	<< extract out the IP address of you and your peer, which is
> 	   really the big pain >>
> 	krb5_auth_con_setaddrs(ctx, actx, ...);
> 	And then there's the whole lossage that you really only want
> 	the "local" address on the mk_priv side, and you want the
> 	"remote" address on the rd_priv side.

          Ick.  Try just:
            krb5_auth_con_genaddrs(ctx, actx, fd, flags);

> So, now ... let's throw in a multihomed server.  Let's also throw in
> a connectionless protocol.  And if you're behind a NAT ...

          I don't see how multihoming makes it harder,
          and yes, you'd have to recvfrom if connectionless.

>> But NATs are evil and IPv6 will make them go away, right? (*pleads*)  :)
> Hey, I hope so too, but in the meantime ...
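
The connectionless case discussed in this message, as an added example that is not part of the original post: on an unconnected UDP socket the descriptor cannot report a peer, so the remote address for krb5_auth_con_setaddrs has to come from recvfrom. It uses plain POSIX sockets on loopback with a constructed datagram and makes no krb5 calls; the names dgram_addrs, udp_loopback and collect_addrs are hypothetical.

```c
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

typedef struct sockaddr SA;

/* Hypothetical holder: what each call reports for one datagram. */
struct dgram_addrs {
    struct sockaddr_in local, sender, remote; /* server, client, recvfrom() peer */
    int peername_errno;                       /* getpeername() on the server fd */
};

/* UDP socket bound to 127.0.0.1, kernel-chosen port; bound name in *name. */
static int udp_loopback(struct sockaddr_in *name)
{
    socklen_t len = sizeof *name;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(name, 0, sizeof *name);
    name->sin_family = AF_INET;
    name->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (SA *)name, sizeof *name) == 0 &&
        getsockname(fd, (SA *)name, &len) == 0) return fd;
    close(fd);
    return -1;
}

/* Send one constructed datagram client -> server; 0 on success. */
int collect_addrs(struct dgram_addrs *out)
{
    char buf[16];
    socklen_t len = sizeof out->remote;
    int rc = -1;
    int srv = udp_loopback(&out->local), cli = udp_loopback(&out->sender);
    if (srv < 0 || cli < 0) goto done;
    if (sendto(cli, "ping", 4, 0, (SA *)&out->local, sizeof out->local) != 4)
        goto done;
    /* Unconnected UDP socket: the descriptor has no peer to report. */
    out->peername_errno =
        getpeername(srv, (SA *)&out->remote, &len) < 0 ? errno : 0;
    /* The sender's address arrives with the datagram itself. */
    len = sizeof out->remote;
    if (recvfrom(srv, buf, sizeof buf, 0, (SA *)&out->remote, &len) == 4) rc = 0;
done:
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    return rc;
}
```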

