[14508] in Kerberos
Re: Patch for making Kerberos work through Firewalls and NATs
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed May 30 10:24:43 2001
Message-ID: <3B15026B.551A9A49@anl.gov>
Date: Wed, 30 May 2001 09:23:39 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
CC: Michael Bischof <mb@byteworks.ch>, kerberos@MIT.EDU
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Ken Hornstein wrote:
>
> >> (Doesn't solve all of your problems, though).
> >
> >Which problems?
>
> Forwarding tickets through a NAT still doesn't work, IIRC. And ftp is
> a complete loss.
Actually I have a mod for FTP when the client is behind the NAT firewall.
The trick is for the client to insert the NAT address in the channel
binding rather than its own. This is a change to lib/gssapi/krb5/init_sec_context.c.
Since I was using an environment variable rather than a profile entry
to hold the NAT address, you would have to make some changes. I have
a similar mod to localaddr.c which also uses the KRB5NATADDR=
*** ,init_sec_context.c Wed Feb 28 16:07:36 2001
--- init_sec_context.c Tue Apr 10 11:27:01 2001
***************
*** 202,209 ****
--- 391,439 ----
/* compute the hash of the channel bindings */
+ #ifdef _WIN32
+ /*
+ * Many times we are behind a firewall which is doing NAT
+ * such as at home on a PC.
+ * If the KRB5NATADDR is set, and our initiator addr starts
+ * with 198, and the acceptor address does not, i.e. its
+ * outside the firewall, we will then replace the initator
+ * address with the KRB5NATADDR.
+ */
+ if (chan_bindings != GSS_C_NO_CHANNEL_BINDINGS
+ && chan_bindings->initiator_addrtype == GSS_C_AF_INET
+ && chan_bindings->acceptor_addrtype == GSS_C_AF_INET
+ && chan_bindings->initiator_address.length == 4
+ && chan_bindings->acceptor_address.length == 4
+ && *((unsigned char *)chan_bindings->initiator_address.value) == 192
+ && *(((unsigned char *)chan_bindings->initiator_address.value)+1) == 168
+ && *((unsigned char *)chan_bindings->acceptor_address.value) != 192
+ && *(((unsigned char *)chan_bindings->acceptor_address.value)+1) != 168) {
+ char * ncp;
+ int i,n;
+ if (ncp = getenv("KRB5NATADDR")) {
+ for (i=0; i<4; i++) {
+ n = 0;
+ while (*ncp >= '0' && *ncp <='9') {
+ n = n*10 + *ncp -'0';
+ ncp++;
+ }
+ if (*ncp) ncp++;
+ nataddr[i] = n;
+ }
+ saved_addr = chan_bindings->initiator_address.value;
+ chan_bindings->initiator_address.value = nataddr;
+ }
+ }
+ #endif
+
if ((code = kg_checksum_channel_bindings(context, chan_bindings, &md5, 0)))
return(code);
+ #ifdef _WIN32
+ if (saved_addr) {
+ chan_bindings->initiator_address.value = saved_addr;
+ }
+ #endif
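Review bot: the acceptor test at the end of the condition needs `||`, not `&&`: "acceptor is not 192.168.x.x" is `first != 192 || second != 168`, and as written an acceptor such as 192.0.2.1 or 10.0.168.1 outside the firewall never triggers the rewrite, while the initiator test just above only recognises 192.168/16 and not the other RFC 1918 ranges (10/8, 172.16/12) a home NAT may hand out; the comment also says "starts with 198" where the code checks 192 and 168. Two further problems: `saved_addr` and `nataddr` are not declared anywhere in the hunk, and `saved_addr` must start out NULL or the `if (saved_addr)` restore after the checksum reads an uninitialised pointer; and the `return(code)` on the kg_checksum_channel_bindings failure path sits between the substitution and the restore, so on error the caller's `chan_bindings->initiator_address.value` is left pointing at `nataddr` (computing the checksum from a local copy of the bindings would avoid mutating the caller's structure at all). Finally the KRB5NATADDR loop accepts any string: it neither requires four octets nor bounds each value to 0..255, so a typo silently produces a garbage address; reject malformed values and leave the bindings untouched. Minor: `if (ncp = getenv("KRB5NATADDR"))` is an assignment in a condition and wants parentheses or a separate statement.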
>
> --Ken
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
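As an added example (not code from the posted patch or from MIT Kerberos), the same NAT-address substitution written stand-alone with the checks a reviewer would ask for: strict parsing of the environment variable, all three RFC 1918 ranges, the acceptor test expressed as "not a private address" rather than per octet, and the caller's pointer restored on every path. The `chan_bindings_t` structure, the `GSS_AF_INET` constant and every function name are assumptions standing in for the real GSS-API types; `record_initiator` stands in for kg_checksum_channel_bindings and only records the address it was handed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for the GSS-API channel-binding fields the patch touches
 * (assumption; gssapi.h defines GSS_C_AF_INET as 2). */
#define GSS_AF_INET 2
typedef struct {
    int initiator_addrtype;
    size_t initiator_length;
    const unsigned char *initiator_value;
    int acceptor_addrtype;
    size_t acceptor_length;
    const unsigned char *acceptor_value;
} chan_bindings_t;

/* Strict dotted quad: exactly four decimal octets 0..255, nothing trailing.
 * Returns 1 on success (the posted loop accepts any string). */
int parse_ipv4(const char *s, unsigned char out[4])
{
    int i;
    if (s == NULL)
        return 0;
    for (i = 0; i < 4; i++) {
        int n = 0, digits = 0;
        while (*s >= '0' && *s <= '9') {
            n = n * 10 + (*s - '0');
            if (++digits > 3)
                return 0;               /* bounds n before it can overflow */
            s++;
        }
        if (digits == 0 || n > 255)
            return 0;
        out[i] = (unsigned char)n;
        if (i < 3 && *s++ != '.')
            return 0;
    }
    return *s == '\0';
}

/* All three RFC 1918 ranges, not only 192.168/16. */
int is_rfc1918(const unsigned char a[4])
{
    return a[0] == 10
        || (a[0] == 172 && (a[1] & 0xf0) == 16)
        || (a[0] == 192 && a[1] == 168);
}

/* Same test on a string; -1 if it is not a valid dotted quad. */
int is_rfc1918_str(const char *s)
{
    unsigned char a[4];
    return parse_ipv4(s, a) ? is_rfc1918(a) : -1;
}

/* Present the NAT's address as the initiator address only when every
 * precondition holds; otherwise leave the bindings untouched.  Returns 1
 * if cb->initiator_value was redirected to nat[]. */
int nat_fixup_initiator(chan_bindings_t *cb, const char *natenv, unsigned char nat[4])
{
    if (cb == NULL || natenv == NULL)
        return 0;
    if (cb->initiator_addrtype != GSS_AF_INET || cb->acceptor_addrtype != GSS_AF_INET
        || cb->initiator_length != 4 || cb->acceptor_length != 4)
        return 0;
    /* "inside talking to outside": initiator private, acceptor not */
    if (!is_rfc1918(cb->initiator_value) || is_rfc1918(cb->acceptor_value))
        return 0;
    /* malformed, or a private address that cannot be the NAT's outside address */
    if (!parse_ipv4(natenv, nat) || is_rfc1918(nat))
        return 0;
    cb->initiator_value = nat;
    return 1;
}

/* Run the checksum step over temporarily rewritten bindings and restore the
 * caller's pointer on every path, success or failure: nat[] dies on return. */
int with_nat_bindings(chan_bindings_t *cb, const char *natenv,
                      int (*compute)(const chan_bindings_t *, void *), void *arg)
{
    unsigned char nat[4];
    const unsigned char *saved = cb->initiator_value;
    int substituted = nat_fixup_initiator(cb, natenv, nat);
    int code = compute(cb, arg);
    if (substituted)
        cb->initiator_value = saved;
    return code;
}

/* Stand-in for the checksum (assumption): record the initiator address seen. */
static int record_initiator(const chan_bindings_t *cb, void *arg)
{
    memcpy(arg, cb->initiator_value, 4);
    return 0;
}

/* Whole flow on constructed inputs: first octet of the initiator address the
 * checksum saw, -1 on bad input, -2 if the caller's pointer was not restored. */
int first_octet_seen(const char *init, const char *acc, const char *natenv)
{
    unsigned char ia[4], aa[4], seen[4];
    chan_bindings_t cb;
    if (!parse_ipv4(init, ia) || !parse_ipv4(acc, aa))
        return -1;
    cb.initiator_addrtype = GSS_AF_INET; cb.initiator_length = 4; cb.initiator_value = ia;
    cb.acceptor_addrtype = GSS_AF_INET;  cb.acceptor_length = 4;  cb.acceptor_value = aa;
    with_nat_bindings(&cb, natenv, record_initiator, seen);
    return cb.initiator_value == ia ? seen[0] : -2;
}
```

`first_octet_seen("192.168.1.2", "192.0.2.1", "203.0.113.5")` is exactly the case the posted `&&` test skips (acceptor first octet 192 but outside the NAT); here it rewrites, and a malformed `KRB5NATADDR` such as `203.0.113` leaves the original address in place instead of hashing garbage.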