It almost looks like I can just set 1.2.3.4:5 for the address of any host behind a NAT, since at that point the code doesn't actually talk to the internet. Is there a security implication for doing that, given that tickets have already moved away from containing addresses?
Thanks, Chris On 2011/08/03 00:11, Chris Hecker wrote: > > I'm still in the process of getting my app and server up and running > with kerberos, so I can't test this yet, but the code for > mk_priv/rd_priv and mk_safe/rd_safe seems to want addresses set on the > auth_context, and all the samples show various permutations of this. > > I'm doing NAT traversal/punchthrough potentially on both sides of the > connection, maybe even with a relay server in the middle for really bad > cases, so there are a lot of potential addresses in play here. Which > addresses do I set in a NAT-heavy environment like this? > > It looks like the mk versions require a local address set, and the rd > versions require the remote address set (presumably to the local address > set when the mk is called?). I'm going to be sending safe/priv messages > both directions... > > I'm doing full mutual authentication with subkeys in both directions to > avoid the need for a replay cache, if that matters. > > I found a post[*] that said kerberos was moving away from addresses > since they're not very secure, but the current code seems to require > them for these functions at least. > > Thanks, > Chris > > * http://mailman.mit.edu/pipermail/kerberos/2007-December/012743.html > > ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
