gssftpd and gss_acquire_cred

Ken Hornstein kenh at
Mon Nov 16 21:36:37 EST 2009

>As I recall, the kpasswd situation runs up against the hard wall of
>KRB_PRIV requiring addresses.  There are (in RFC 4120) "directional"
>addresses but there is no obvious (at least to me) way to negotiate
>them.  If you have suggestions of how to backward-compatibly negotiate
>the use of directional addresses, I'd love to hear about it.

Well, since password-changing is semi-broken right now, I'm not sure
much negotiation is needed :-/

But seriously, it seems that there are a few obvious solutions:

- On the client side, try it with directional addresses; if you get the
  "Incorrect net address" error, fall back to regular IP addresses.

- On the server, accept either.

>Convincing arguments about the safety of forgoing the address checks
>in the kpasswd case are also welcome.

Honestly, that's what I do.  It has the added advantage of being a lot
less code.

In terms of a reflection attack, the change-pw payload includes an
AP-REQ for client->server and an AP-REP for the reply.  I cannot
see a meaningful way for a reflection attack to succeed, but I'm willing
to be proven wrong.


More information about the krbdev mailing list