gssftpd and gss_acquire_cred
Ken Hornstein
kenh at cmf.nrl.navy.mil
Mon Nov 16 21:36:37 EST 2009
>As I recall, the kpasswd situation runs up against the hard wall of
>KRB_PRIV requiring addresses. There are (in RFC 4120) "directional"
>addresses but there is no obvious (at least to me) way to negotiate
>them. If you have suggestions of how to backward-compatibly negotiate
>the use of directional addresses, I'd love to hear about it.

Well, since password-changing is semi-broken right now, I'm not sure
much negotiation is needed :-/

But seriously, it seems that there are a few obvious solutions:

- On the client side, try it with directional addresses; if you get the
  "Incorrect net address" error, fall back to regular IP addresses.
- On the server, accept either.

>Convincing arguments about the safety of forgoing the address checks
>in the kpasswd case are also welcome.

Honestly, that's what I do. It has the added advantage of being a lot
less code.

In terms of a reflection attack, the change-pw payload includes an
AP-REQ for client->server and an AP-REP for the reply. I cannot
see a meaningful way for a reflection attack to succeed, but I'm willing
to be proven wrong.

--Ken
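
The fallback proposed in the message above, modeled as an added example (not part of the original message and not MIT krb5 code): the client tries a directional sender address first and retries with its IPv4 address on error 38, and the server accepts either form. `HostAddress`, `check_s_address`, `client_change_password` and `make_server` are hypothetical names; the address types (2, 3), direction values (0 initiator, 1 acceptor) and error code 38 are from RFC 4120; the IP addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

ADDRTYPE_INET = 2          # RFC 4120 section 7.5.3
ADDRTYPE_DIRECTIONAL = 3   # RFC 4120 section 7.5.3
KRB_AP_ERR_BADADDR = 38    # "Incorrect net address"
DIR_INITIATOR = (0).to_bytes(4, "big")   # sender is the initiator
DIR_ACCEPTOR = (1).to_bytes(4, "big")    # sender is the acceptor

@dataclass(frozen=True)
class HostAddress:         # simplified model of the ASN.1 HostAddress
    addr_type: int
    address: bytes

def directional(value: bytes) -> HostAddress:
    return HostAddress(ADDRTYPE_DIRECTIONAL, value)

def inet(ip: str) -> HostAddress:
    return HostAddress(ADDRTYPE_INET, ipaddress.IPv4Address(ip).packed)

def check_s_address(s_addr, peer_ip, expected_dir, allow_directional=True):
    """Return 0 if a KRB-PRIV sender address is acceptable, else error 38."""
    if s_addr.addr_type == ADDRTYPE_DIRECTIONAL and allow_directional:
        # A message reflected back at its sender carries the wrong direction.
        return 0 if s_addr.address == expected_dir else KRB_AP_ERR_BADADDR
    if s_addr.addr_type == ADDRTYPE_INET:
        # Classic check: claimed sender address must equal the observed peer.
        return 0 if s_addr.address == inet(peer_ip).address else KRB_AP_ERR_BADADDR
    return KRB_AP_ERR_BADADDR

def client_change_password(send, local_ip):
    """Try a directional address first; on BADADDR retry with the IP address."""
    for s_addr in (directional(DIR_INITIATOR), inet(local_ip)):
        err = send(s_addr)
        if err != KRB_AP_ERR_BADADDR:
            break
    return s_addr.addr_type, err

def make_server(peer_ip, allow_directional):
    # Stand-in for a password-change server; peer_ip is the source it observes.
    return lambda s_addr: check_s_address(
        s_addr, peer_ip, DIR_INITIATOR, allow_directional)

if __name__ == "__main__":
    legacy = make_server("192.0.2.10", allow_directional=False)
    print(client_change_password(legacy, "192.0.2.10"))
```

Against the constructed legacy server the client ends up using address type 2 after one rejected attempt; a server that sees a different source address than the client believes it has only succeeds with the directional form.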