[38656] in Kerberos


Re: kprop with multiple or NATted IP address

daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Jan 3 15:36:56 2020

To: "Jeffrey T. Hutzelman" <jhutz@cmu.edu>,
        "kerberos@mit.edu"
	<kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <c1378fea-77c5-fef3-19ac-ef6ad4f7bd22@mit.edu>
Date: Fri, 3 Jan 2020 15:36:01 -0500
In-Reply-To: <0490bbef1e52425d89fc3a28ecd308f3@cmu.edu>

On 1/3/20 1:06 PM, Jeffrey T. Hutzelman wrote:
> Rather than making complex changes to the protocol, why not switch to directional addresses? Certainly the client and server would have to agree on this, but for kprop, a command-line switch would be sufficient.

I was considering a change like
https://github.com/krb5/krb5/commit/b91da5a4c7efc189dcfe57c4de2a8e8673102295 which
is only complicated in the analysis.  And on further consideration,
removing kpropd's check of the client address should clearly be
safe--kpropd only receives one KRB-SAFE message, before it sends
anything to the client.

We never implemented directional addresses.  It's possible that they
would be trivial to implement.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
