Hello,

It’s me again, who was trying to kprop through a NAT a month ago.

Hypothetically speaking… how bad of an idea would it be to make a cron job that 
`scp`s the database file to the slave KDC, or something like that? Does the 
slave KDC daemon need to restart after the file is updated, maybe? Or is this 
significantly less safe than using kprop? I think I would be relying on ssh 
instead of kerberos for the confidentiality and integrity. But I do that 
whenever I log into the machine anyway. I think I may risk getting the file in 
the middle of a write (so some records could be corrupted in the copy). It 
seems like this would be a bad idea; just checking.

Thanks again,
Jerry
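The hazard raised above (copying the raw database file while the KDC may be writing it) is what the dump/load cycle avoids: kprop ships a kdb5_util dump, and kpropd runs kdb5_util load on the receiving side. The script below is an added example, not code from the thread or from the MIT project; it runs the same cycle over ssh instead of kprop. It assumes MIT's kdb5_util dump/load tools and the conventional slave_datatrans file name; the host name, directories, and the kdb-sync.sh file name are placeholders. The digest check on the slave refuses a truncated transfer, and the rename into the final name is atomic, so the loader never sees a partial file.

```shell
#!/bin/sh
# Added example: dump -> ship over ssh -> verify -> load, instead of copying
# the live database file. Hosts and paths are placeholders (assumptions).
set -eu

SLAVE_HOST="${SLAVE_HOST:-slave-kdc.example.com}"           # placeholder
MASTER_DUMP_DIR="${MASTER_DUMP_DIR:-/var/kerberos/krb5kdc}" # assumed path
SLAVE_DUMP_DIR="${SLAVE_DUMP_DIR:-/var/kerberos/krb5kdc}"   # assumed path
LOAD_CMD="${LOAD_CMD:-kdb5_util load}"  # what kpropd itself runs on a slave

# SHA-256 of a file, with a fallback for systems that ship shasum instead.
file_sum() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Exit status 0 only if the file hashes to the expected digest.
verify_sum() {
    [ "$(file_sum "$1")" = "$2" ]
}

# Slave side: refuse a truncated or altered transfer, otherwise rename the
# dump into place (an atomic operation) and load it into the KDC database.
install_and_load() {
    dir=$1
    expected=$2
    incoming="$dir/slave_datatrans.incoming"
    verify_sum "$incoming" "$expected" || {
        echo "digest mismatch on $incoming, not loading" >&2
        rm -f "$incoming"
        return 1
    }
    mv -f "$incoming" "$dir/slave_datatrans"
    $LOAD_CMD "$dir/slave_datatrans"
}

# Master side: the full cycle.
sync_slave() {
    stamp=$(date +%Y%m%dT%H%M%S)
    dump="$MASTER_DUMP_DIR/slave_datatrans.$stamp"

    # 1. kdb5_util dump reads the database under its own locking, so the
    #    text dump is a consistent snapshot; the mid-write risk of copying
    #    the raw DB file does not apply.
    kdb5_util dump "$dump"
    expected=$(file_sum "$dump")

    # 2. Ship the dump and this script under ssh; the dump lands under a
    #    temporary name so nothing on the slave reads it prematurely.
    scp -q "$dump" "$SLAVE_HOST:$SLAVE_DUMP_DIR/slave_datatrans.incoming"
    scp -q "$0" "$SLAVE_HOST:$SLAVE_DUMP_DIR/kdb-sync.sh"

    # 3. Verify and load on the slave.
    ssh "$SLAVE_HOST" sh "$SLAVE_DUMP_DIR/kdb-sync.sh" install \
        "$SLAVE_DUMP_DIR" "$expected"

    rm -f "$dump" "$dump.dump_ok"
}

# Role is chosen by the first argument so one file serves both machines.
case "${1:-}" in
    sync)    sync_slave ;;
    install) install_and_load "$2" "$3" ;;
esac
```

Run `sh kdb-sync.sh sync` from cron on the master; the slave side is invoked by the script itself. Because the transfer rides on ssh, the confidentiality and integrity of the dump in transit rest on the ssh host keys and the account used, exactly as for an interactive login.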




> On Dec 24, 2015, at 12:21 AM, Greg Hudson <ghud...@mit.edu> wrote:
> 
> On 12/23/2015 03:50 PM, Jerry Shipman wrote:
>> Is there a way to do what I’m trying to do?
>> Or, is there a reason that it is dangerous to avoid verifying that IP match, 
>> and I shouldn’t try to work around it?
> 
> The only really useful purpose of checking addresses is preventing
> reflection attacks, where an attacker takes a KRB-PRIV or KRB-SAFE
> message from one of the parties and send it back to them as if it came
> from the other party.  Many protocols aren't susceptible to reflection
> attacks because they don't use similar formats for requests and
> responses.  After verifying that the kprop protocol isn't vulnerable, we
> could probably make changes similar to the ones we made to kpasswd to
> allow it to work over NATs.
> 
> (Protocols using GSS don't have this problem because GSS tokens only use
> direction bits, not addresses.  Well, unless they use IP address channel
> bindings, which isn't common.)

> On Dec 23, 2015, at 3:50 PM, jes59 <je...@cornell.edu> wrote:
> 
> Hello,
> 
> I’m trying to set up an additional slave KDC in a new location (different 
> network), and I’m having trouble kprop’ing the database.
> 
> There is some tricky networking / routing going on between the network where 
> the master KDC is and the network where the slave will be, that I am in the 
> situation of needing to work with. 
> 
> I can go into that more if necessary, but I think the salient point is that 
> each machine has multiple network interfaces, one with a public IP and one 
> with a private IP (10.x.y.z). I am trying to use the private IPs when I kprop 
> the database to the slave. (I am convinced that I eventually got this 
> working with an iptables postrouting snat rule; I see the 10space address in 
> logs, etc.)
> 
> I am seeing this error on the slave when I try to push the database from the 
> master:
>  kpropd: Incorrect net address while decoding database size from client
> From the master side, it looks like:
>  kprop: Connection reset by peer while sending database block starting at 0
> 
> I think that kpropd is trying to look up the hostname of the master in DNS, 
> and seeing the public IP, instead of the private IP which the connection is 
> coming from, and then aborting because of that mismatch (or something like 
> that).
> On a lark I tried adding the master’s hostname with its private address to 
> /etc/hosts on the slave, but it didn’t immediately seem to help.
> 
> Is there a way to do what I’m trying to do?
> Or, is there a reason that it is dangerous to avoid verifying that IP match, 
> and I shouldn’t try to work around it?
> 
> Thank you for your help,
> Jerry Shipman

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
