authorGreg Hudson <ghudson@mit.edu>2011-10-15 16:56:30 +0000
committerGreg Hudson <ghudson@mit.edu>2011-10-15 16:56:30 +0000
commitb91da5a4c7efc189dcfe57c4de2a8e8673102295 (patch)
tree67aa7d0770fa502537f63fe09d9b0f011eb8cf77
parent2b7be6fbfdc920bff5ab89213931e69bed5bfed6 (diff)
Allow password changes over NATs
In the kpasswd server code, don't set a remote address in the auth context before calling krb5_rd_priv, since the kpasswd protocol is well-protected against reflection attacks. This allows password changes to work in cases where a NAT has changed the client IP address as it is seen by the server. ticket: 6979 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25356 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/kadmin/server/schpw.c31
1 files changed, 8 insertions, 23 deletions
diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
index d46d43b15..8e38cfd04 100644
--- a/src/kadmin/server/schpw.c
+++ b/src/kadmin/server/schpw.c
@@ -137,29 +137,6 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
goto chpwfail;
}
- /* mk_priv requires that the local address be set.
- getsockname is used for this. rd_priv requires that the
- remote address be set. recvfrom is used for this. If
- rd_priv is given a local address, and the message has the
- recipient addr in it, this will be checked. However, there
- is simply no way to know ahead of time what address the
- message will be delivered *to*. Therefore, it is important
- that either no recipient address is in the messages when
- mk_priv is called, or that no local address is passed to
- rd_priv. Both is a better idea, and I have done that. In
- summary, when mk_priv is called, *only* a local address is
- specified. when rd_priv is called, *only* a remote address
- is specified. Are we having fun yet? */
-
- ret = krb5_auth_con_setaddrs(context, auth_context, NULL,
- remote_faddr->address);
- if (ret) {
- numresult = KRB5_KPASSWD_HARDERROR;
- strlcpy(strresult, "Failed storing client internet address",
- sizeof(strresult));
- goto chpwfail;
- }
-
/* construct the ap-rep */
ret = krb5_mk_rep(context, auth_context, &ap_rep);
@@ -175,6 +152,14 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
cipher.length = (req->data + req->length) - ptr;
cipher.data = ptr;
+ /*
+ * Don't set a remote address in auth_context before calling krb5_rd_priv,
+ * so that we can work against clients behind a NAT. Reflection attacks
+ * aren't a concern since we use sequence numbers and since our requests
+ * don't look anything like our responses. Also don't set a local address,
+ * since we don't know what interface the request was received on.
+ */
+
ret = krb5_rd_priv(context, auth_context, &cipher, &clear, &replay);
if (ret) {
numresult = KRB5_KPASSWD_HARDERROR;
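Review bot: The comment added above `krb5_rd_priv` justifies dropping the remote-address binding by saying sequence numbers are in use, but nothing in either hunk shows where sequence checking is enabled on `auth_context`. With the `krb5_auth_con_setaddrs` call removed in the first hunk, the sender-address comparison in `krb5_rd_priv` is presumably skipped, so the session key and the sequence number are what remains to reject a replayed or reflected KRB-PRIV. I would tie the comment to that dependency so a later change to the auth-context flags does not silently remove it, for example by appending `* This relies on KRB5_AUTH_CONTEXT_DO_SEQUENCE being set on auth_context earlier in this function.` after confirming that it is set. I would also drop the blank line between the comment and the call it explains. The body of `process_chpw_request` starts and ends outside both hunks, so the flag setup could not be checked from here.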