[37073] in Kerberos
Re: "forwarded" kpasswd changes
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Jun 4 22:09:36 2015
Message-ID: <557104D0.6090503@mit.edu>
Date: Thu, 04 Jun 2015 22:09:20 -0400
From: Greg Hudson <ghudson@mit.edu>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>, kerberos@mit.edu
In-Reply-To: <201506050145.t551jkSl006177@hedwig.cmf.nrl.navy.mil>

On 06/04/2015 09:45 PM, Ken Hornstein wrote:
> I haven't tried that combination, but from memory the issue is that
> the kpasswd protocol uses a KRB-PRIV message and the issue was that
> you can't omit an IP address from it (let me check ... yes, the sender's
> address is not optional in a KRB-PRIV message). You could run kpasswd
> under a debugger to figure out what the "wrong" address is. But I suspect
> it would be just easier to modify the MIT client to ignore the IP address
> on the KRB-PRIV on the reply message.

Yes; we did that for 1.13. We had already made the corresponding change
to the server in 1.10.

http://krbdev.mit.edu/rt/Ticket/Display.html?id=7886
http://krbdev.mit.edu/rt/Ticket/Display.html?id=6979

>> The kpasswd protocol is horrible.
>
> +1

I don't think of it as all that bad, but we should probably try it over
TCP first, as the UDP protocol is subject to erroneously treating
retransmits as replays.

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
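
The retransmit-as-replay problem mentioned in the message above, as an added illustration that is not part of the original thread and is not MIT krb5 code. It is a simplified model: the replay cache key of (client, ctime, cusec), the class and function names, and all sample values are assumptions made for the example.

```python
# Simplified model (constructed, not MIT krb5 code): a kpasswd-style server
# whose replay cache is keyed on the authenticator's (client, ctime, cusec).

class ToyKpasswdServer:
    def __init__(self):
        self.replay_cache = set()   # authenticators already seen
        self.passwords = {}         # principal -> current password

    def handle(self, request):
        key = (request["client"], request["ctime"], request["cusec"])
        if key in self.replay_cache:
            return "REPLAY_ERROR"   # identical authenticator seen before
        self.replay_cache.add(key)
        self.passwords[request["client"]] = request["new_password"]
        return "SUCCESS"

def make_request(client, new_password, ctime=1433470160, cusec=42):
    # Constructed sample values; a real request carries an AP-REQ and KRB-PRIV.
    return {"client": client, "ctime": ctime, "cusec": cusec,
            "new_password": new_password}

def udp_change(server, request, reply_lost):
    """Client over UDP: resend the same datagram when no reply arrives."""
    for lost in reply_lost:         # one entry per transmission attempt
        reply = server.handle(request)
        if not lost:
            return reply            # first reply that reaches the client
    return "TIMEOUT"

def tcp_change(server, request):
    """Client over TCP: the transport recovers loss, so the server sees one request."""
    return server.handle(request)

def demo():
    req = make_request("alice@EXAMPLE.COM", "new-secret")
    udp_server = ToyKpasswdServer()
    # The first reply is dropped by the network; the retransmit's reply arrives.
    udp_result = udp_change(udp_server, req, reply_lost=[True, False])
    tcp_server = ToyKpasswdServer()
    tcp_result = tcp_change(tcp_server, req)
    return udp_result, udp_server.passwords, tcp_result

if __name__ == "__main__":
    print(demo())
```

In the UDP case the client is told the request was a replay even though the first copy already changed the password, which is the erroneous outcome that trying TCP first avoids.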