[14510] in Kerberos
Re: Patch for making Kerberos work through Firewalls and NATs
daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Wed May 30 12:20:36 2001
From: jaltman@watsun.cc.columbia.edu (Jeffrey Altman)
Date: 30 May 2001 15:08:29 GMT
Message-ID: <9f32dd$477$1@newsmaster.cc.columbia.edu>
To: kerberos@MIT.EDU
In article <200105301350.f4UDofo00906@ginger.cmf.nrl.navy.mil>,
Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
: >> (Doesn't solve all of your problems, though).
: >
: >Which problems?
:
: Forwarding tickets through a NAT still doesn't work, IIRC.
Forwarding does not work because the local IP is used.
: And ftp is
: a complete loss.
This is because of the channel bindings. Channel bindings are
optional according to the GSSAPI spec and in fact Win2000 does not
support them. The latest MIT FTPD code makes the use of channel
bindings optional on the server. The client will always use them.
This can be fixed by providing a client side option to refuse to
use channel bindings.
Jeffrey Altman * Sr.Software Designer
The Kermit Project @ Columbia University
http://www.kermit-project.org/
kermit-support@kermit-project.org

C-Kermit 7.1 Alpha available
includes Secure Telnet and FTP
using Kerberos, SRP, and
OpenSSL. SSH soon to follow.
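
Added illustration, not part of the original message and not MIT or Kermit Project code: why address-based channel bindings fail across a NAT, and what a server-side "optional" setting changes. It assumes the FTP client binds the control connection's IP addresses (as RFC 2228 describes) and that the binding hash is the MD5 "Bnd" value laid out in RFC 1964; `acceptor_accepts` is a hypothetical, simplified model of the acceptor's check, and all addresses are constructed documentation-range values.

```python
import hashlib
import socket
import struct

GSS_C_AF_INET = 2  # address type constant from the GSS-API C bindings (RFC 2744)


def _field(addrtype, addr):
    # Address type and length are 4-byte little-endian integers (RFC 1964, 1.1.1).
    return struct.pack("<II", addrtype, len(addr)) + addr


def bnd_hash(initiator_ip, acceptor_ip, app_data=b""):
    """MD5 'Bnd' value carried in the Kerberos GSS-API authenticator checksum."""
    buf = _field(GSS_C_AF_INET, socket.inet_aton(initiator_ip))
    buf += _field(GSS_C_AF_INET, socket.inet_aton(acceptor_ip))
    buf += struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(buf).digest()


def acceptor_accepts(client_bnd, peer_ip, local_ip, require_bindings=True):
    """Hypothetical acceptor check. require_bindings=False models a server
    that treats channel bindings as optional and skips the comparison."""
    if not require_bindings:
        return True
    # The acceptor recomputes the hash from the addresses it sees on the socket.
    return client_bnd == bnd_hash(peer_ip, local_ip)


# Constructed addresses: private client, NAT's public side, FTP server.
CLIENT_PRIVATE = "192.168.1.10"
NAT_PUBLIC = "203.0.113.7"
SERVER = "198.51.100.20"


def nat_demo():
    # The client always hashes its own local address, as the message notes.
    client_bnd = bnd_hash(CLIENT_PRIVATE, SERVER)
    direct = acceptor_accepts(client_bnd, CLIENT_PRIVATE, SERVER)
    via_nat = acceptor_accepts(client_bnd, NAT_PUBLIC, SERVER)
    via_nat_optional = acceptor_accepts(client_bnd, NAT_PUBLIC, SERVER,
                                        require_bindings=False)
    return direct, via_nat, via_nat_optional


if __name__ == "__main__":
    print(nat_demo())
```
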