On 1/3/20 1:06 PM, Jeffrey T. Hutzelman wrote:
> Rather than making complex changes to the protocol, why not switch to
> directional addresses? Certainly the client and server would have to agree on
> this, but for kprop, a command-line switch would be sufficient.
I was considering a change like
https://github.com/krb5/krb5/commit/b91da5a4c7efc189dcfe57c4de2a8e8673102295
which is only complicated in the analysis. And on further consideration, removing kpropd's check of the client address should clearly be safe--kpropd only receives one KRB-SAFE message, before it sends anything to the client.

We never implemented directional addresses. It's possible that they would be trivial to implement.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos