I'm still in the process of getting my app and server up and running with kerberos, so I can't test this yet, but the code for mk_priv/rd_priv and mk_safe/rd_safe seems to want addresses set on the auth_context, and all the samples show various permutations of this.
I'm doing NAT traversal/punchthrough potentially on both sides of the connection, maybe even with a relay server in the middle for really bad cases, so there are a lot of potential addresses in play here. Which addresses do I set in a NAT-heavy environment like this? It looks like the mk versions require a local address set, and the rd versions require the remote address set (presumably to the local address set when the mk is called?). I'm going to be sending safe/priv messages in both directions... I'm doing full mutual authentication with subkeys in both directions to avoid the need for a replay cache, if that matters.

I found a post [*] that said Kerberos was moving away from addresses since they're not very secure, but the current code seems to require them for these functions at least.

Thanks,
Chris

[*] http://mailman.mit.edu/pipermail/kerberos/2007-December/012743.html

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
