Re: Kerberos and NAT issue
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Thu Dec 13 14:17:15 2007
In-Reply-To: <750489.82693.qm@web26511.mail.ukl.yahoo.com>
Mime-Version: 1.0 (Apple Message framework v752.2)
Message-Id: <AD2B9395-7BE1-441E-AB6B-967FCF1DE8D9@mit.edu>
From: Ken Raeburn <raeburn@mit.edu>
Date: Thu, 13 Dec 2007 14:16:46 -0500
To: Stefano veltri <veltri_stefano@yahoo.it>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Dec 13, 2007, at 07:40, Stefano veltri wrote:
> Hi all,
> I have a Kerberos v5 MIT installed in a large environment.
> I'm experiencing a problem in an ISP environment when NAT is
> involved in Kerberos authentication.
> The HOST IP included in the Kerberos ticket isn't recognized by
> kerberized services (SSHD) because of NAT!
>
> Is it possible to solve this problem? Does a patch or
> workaround exist (secure, no -A param in kinit ;) )
Given that addresses can be forged in some circumstances, the use of
addresses doesn't add a great deal of security, and omitting them
isn't much of a security problem. That's why we default to not
including addresses these days.
There are a few message types where the use of an address is
unconditional; these message types (including password-changing
requests, I believe) won't work from behind a NAT. (The address is
included in the message, and checked by the server; it's not included
in the Kerberos tickets.) There's a workaround for this in the
latest spec at the IETF, but we haven't implemented it yet.
Ken
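As an added illustration of the default Ken describes (not part of the original thread), the following krb5.conf fragment shows the addressless setting in [libdefaults] beside the address-bearing one it replaces; the realm name and the surrounding sections are assumed placeholders.

```ini
# Added example, not from the original message. Realm is a placeholder.
[libdefaults]
    default_realm = EXAMPLE.COM

    # Address-bearing tickets: the client's IP is embedded in the ticket
    # and checked by the service. Behind NAT the service sees a different
    # source address, so authentication fails.
    #noaddresses = false

    # Addressless tickets (the current MIT default, as stated in the
    # reply). Equivalent to passing -A to kinit on every invocation, but
    # configured once for all clients that read this file.
    noaddresses = true
```

Message types that carry an address unconditionally (such as the password-change exchange mentioned in the reply) are unaffected by this setting and still fail from behind a NAT.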
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos