From 775e496aac2650343ec20826b1ba7f6306a12f3c Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Fri, 3 Jan 2020 18:17:09 -0500
Subject: [PATCH] Allow kprop over NATs

In kpropd, don't set a remote address in the auth context, so that
propagation can work if the client address is changed by a NAT.

ticket: 8860 (new)
---
 src/kprop/kpropd.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
index 559b556a65..5622d56e14 100644
--- a/src/kprop/kpropd.c
+++ b/src/kprop/kpropd.c
@@ -135,7 +135,6 @@ static char *kdb5_util = KPROPD_DEFAULT_KDB5_UTIL;
 static char *kerb_database = NULL;
 static char *acl_file_name = KPROPD_ACL_FILE;
 
-static krb5_address *sender_addr;
 static krb5_address *receiver_addr;
 
 static const char *port = KPROP_SERVICE;
@@ -1190,10 +1189,6 @@ kerberos_authenticate(krb5_context context, int fd, krb5_principal *clientp,
     krb5_keytab keytab = NULL;
     char *name, etypebuf[100];
 
-    /* Set recv_addr and send_addr. */
-    sockaddr2krbaddr(context, my_sin->ss_family, (struct sockaddr *)my_sin,
-                     &sender_addr);
-
     sin_length = sizeof(r_sin);
     if (getsockname(fd, (struct sockaddr *)&r_sin, &sin_length)) {
         com_err(progname, errno, _("while getting local socket address"));
@@ -1229,8 +1224,13 @@ kerberos_authenticate(krb5_context context, int fd, krb5_principal *clientp,
         exit(1);
     }
 
+    /*
+     * Do not set a remote address, to allow replication over a NAT that
+     * changes the client address. A reflection attack against kpropd is
+     * impossible because kpropd only sends one message at the end.
+     */
     retval = krb5_auth_con_setaddrs(context, auth_context, receiver_addr,
-                                    sender_addr);
+                                    NULL);
     if (retval) {
         syslog(LOG_ERR, _("Error in krb5_auth_con_setaddrs: %s"),
               error_message(retval));
-- 
2.47.2
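Review bot: The new comment above krb5_auth_con_setaddrs in the third hunk justifies passing NULL only in terms of reflection, but the other consequence of an unset remote address is that the library's sender-address check on incoming KRB-PRIV messages is, as far as I can tell, skipped entirely, so message integrity now rests on the session key, the sequence numbers and the replay cache alone; that is worth stating so a later reader does not re-add the address thinking it was dropped by mistake. I would extend the comment with `* With no remote address, the sender-address check in krb5_rd_priv is skipped; integrity relies on the session key and sequence numbers.` The second hunk removes what looks like the only use of my_sin in kerberos_authenticate; if no other use remains, the parameter is now dead and will trip -Wunused-parameter builds, so either drop it from the signature and its caller or mark it unused. The body of kerberos_authenticate begins and ends outside these hunks, so I cannot confirm that from the patch alone.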