rd_priv and NAT
Ken Hornstein
kenh at cmf.nrl.navy.mil
Thu Jan 26 17:42:32 EST 2006
>In the case where there is a NAT box between the client and the KDC
>KRB_PRIV responses can be rejected becuase the s-address address check
>in krb5_rd_priv_basic get upset (it beleives it sent the request to one
>address but the KDC inserted a differnet one in the reply). Since the
>message is encrypted the NAT box cannot mangle the addresses to make
>them right (as it would do in many other protocols). My specific case is
>a password change request which is carried in an exchange of PRIVs; but
>this is a general issue.
FWIW, I already made a flag to make the address check in rd_priv
conditional in my private source tree, for this very same reason. When
I looked at the password change protocol, I was able to convince myself
that it was not vulnerable to a reflection attack, so I felt it was okay.
--Ken
More information about the krbdev
mailing list