Is there a reason you are using mk|rd_priv|safe instead of gss?

On 8/3/2011 3:47 AM, Chris Hecker wrote:
>
> It almost looks like I can just set 1.2.3.4:5 for the address of any
> host behind a NAT, since at that point the code doesn't actually talk to
> the internet. Is there a security implication for doing that, given
> that tickets have already moved away from containing addresses?
>
> Thanks,
> Chris
>
>
> On 2011/08/03 00:11, Chris Hecker wrote:
>>
>> I'm still in the process of getting my app and server up and running
>> with kerberos, so I can't test this yet, but the code for
>> mk_priv/rd_priv and mk_safe/rd_safe seems to want addresses set on the
>> auth_context, and all the samples show various permutations of this.
>>
>> I'm doing NAT traversal/punchthrough potentially on both sides of the
>> connection, maybe even with a relay server in the middle for really bad
>> cases, so there are a lot of potential addresses in play here. Which
>> addresses do I set in a NAT-heavy environment like this?
>>
>> It looks like the mk versions require a local address set, and the rd
>> versions require the remote address set (presumably to the local address
>> set when the mk is called?). I'm going to be sending safe/priv messages
>> both directions...
>>
>> I'm doing full mutual authentication with subkeys in both directions to
>> avoid the need for a replay cache, if that matters.
>>
>> I found a post[*] that said kerberos was moving away from addresses
>> since they're not very secure, but the current code seems to require
>> them for these functions at least.
>>
>> Thanks,
>> Chris
>>
>> * http://mailman.mit.edu/pipermail/kerberos/2007-December/012743.html
>>
>>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
