[14512] in Kerberos
Re: Patch for making Kerberos work through Firewalls and NATs
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Wed May 30 14:29:32 2001
Message-Id: <200105301828.f4UIS0o04102@ginger.cmf.nrl.navy.mil>
To: Nicolas Williams <Nicolas.Williams@ubsw.com>
cc: kerberos@MIT.EDU
In-reply-to: Your message of "Wed, 30 May 2001 10:30:46 EDT."
<20010530103045.T11153@sm2p1386swk.wdr.com>
Date: Wed, 30 May 2001 14:27:57 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>

>> >> (Doesn't solve all of your problems, though).
>> >
>> >Which problems?
>>
>> Forwarding tickets through a NAT still doesn't work, IIRC. And ftp is
>> a complete loss.
>
>FTP? Because of the GSS channel bindings? Didn't someone post a patch to
>MIT krb5 to not require GSS bindings because MS doesn't support channel
>bindings, or something like that?

"It depends". All of the NATs I've seen edit the ftp command channel to
get the ports right; kinda hard to do that when the command channel is
encrypted. I think passive mode fixes that, but not everyone allows
passive mode ... sigh.
--Ken
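
The NAT behaviour described in the message above, as an added illustration that is not part of the original post or of any NAT or Kerberos code base: a model of a NAT's FTP helper that rewrites a cleartext `PORT` command but has nothing to edit once the command channel is protected. The addresses, ports and key are constructed, and `toy_protect` is a hash-keystream stand-in for an RFC 2228 `ENC` command, not real Kerberos/GSS-API wrapping.

```python
import base64
import hashlib
import re

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

def encode_port(ip: str, port: int) -> bytes:
    """FTP PORT argument: four address octets, then port high and low byte."""
    return f"PORT {ip.replace('.', ',')},{port >> 8},{port & 0xFF}\r\n".encode()

def nat_alg(line: bytes, inside_ip: str, outside_ip: str, outside_port: int):
    """Model of a NAT's FTP helper. Returns (line_to_forward, rewritten)."""
    m = PORT_RE.match(line)
    if not m:
        return line, False  # not a PORT command the helper can read
    if ".".join(g.decode() for g in m.groups()[:4]) != inside_ip:
        return line, False  # PORT does not name the translated host
    return encode_port(outside_ip, outside_port), True

def _keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode); only makes the bytes opaque."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def toy_protect(line: bytes, key: bytes) -> bytes:
    """Stand-in for a protected command: 'ENC <base64 ciphertext>'."""
    ct = bytes(a ^ b for a, b in zip(line, _keystream(key, len(line))))
    return b"ENC " + base64.b64encode(ct) + b"\r\n"

def toy_unprotect(line: bytes, key: bytes) -> bytes:
    """What the FTP server recovers after removing the protection."""
    ct = base64.b64decode(line[4:].strip())
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

# Constructed sample values: RFC 1918 inside host, documentation-range outside.
INSIDE, OUTSIDE, MAPPED_PORT = "10.0.0.5", "203.0.113.7", 61000
KEY = b"constructed session key"

def demo():
    cmd = encode_port(INSIDE, 50000)
    clear = nat_alg(cmd, INSIDE, OUTSIDE, MAPPED_PORT)
    enc_fwd, enc_edited = nat_alg(toy_protect(cmd, KEY), INSIDE, OUTSIDE, MAPPED_PORT)
    # The server decrypts an unedited PORT that still names the inside address.
    return {"clear": clear, "enc_edited": enc_edited,
            "server_sees": toy_unprotect(enc_fwd, KEY)}

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In the protected case the server is told to connect to 10.0.0.5, which it cannot reach from outside the NAT, so the active-mode data connection fails.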