On Dec 13, 2007, at 07:40, Stefano veltri wrote:

> Hi all,
> I have a Kerberos v5 MIT installed in a large environment.
> I'm experiencing a problem in an ISP environment when NAT is
> involved in Kerberos authentication.
> HOST IP included in the Kerberos ticket isn't recognized by
> kerberized services (SSHD) because of NAT!
>
> Is it possible to solve this problem? Does a patch or
> workaround exist (secure, no -A param in kinit ;) )?
Given that addresses can be forged in some circumstances, the use of addresses doesn't add a great deal of security, and omitting them isn't much of a security problem. That's why we default to not including addresses these days.

There are a few message types where the use of an address is unconditional; these message types (including password-changing requests, I believe) won't work from behind a NAT. (The address is included in the message, and checked by the server; it's not included in the Kerberos tickets.) There's a workaround for this in the latest spec at the IETF, but we haven't implemented it yet.

Ken

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
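The client-side knob behind "we default to not including addresses" is the MIT krb5 `[libdefaults]` option `noaddresses`, which is what `kinit -A` toggles per invocation. The fragment below is an added illustration for this thread, not something posted by either author; `EXAMPLE.COM` is a placeholder realm.

```ini
# krb5.conf fragment (added example; EXAMPLE.COM is a placeholder realm).
#
# Behind NAT, the source address a KDC or service sees differs from the
# address the client recorded in its own request, so address-restricted
# tickets are rejected exactly as described in the question above.

[libdefaults]
    default_realm = EXAMPLE.COM

    # Request initial tickets WITHOUT address restrictions (the MIT default).
    # Same effect as passing -A to kinit every time, but applied library-wide
    # so every kerberized client (ssh, kinit, GSSAPI apps) behaves the same.
    noaddresses = true

    # The breaking setting: each AS request embeds the client's local,
    # pre-NAT addresses, and services refuse the ticket when it arrives
    # from the NAT gateway's public address.
    # noaddresses = false

# Caveat from Ken's reply: this only affects addresses carried in tickets.
# Message types that embed and check the address unconditionally (password
# changes, for example) still fail from behind a NAT regardless of this setting.
```

To confirm which tickets in the current cache carry address restrictions, `klist -a` lists the addresses bound into each cached credential.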
