[14513] in Kerberos


Re: Patch for making Kerberos work through Firewalls and NATs

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed May 30 14:34:22 2001

Message-ID: <3B153C64.19797A14@anl.gov>
Date: Wed, 30 May 2001 13:31:00 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Wyllys Ingersoll <Wyllys.Ingersoll@Eng.Sun.COM>
CC: kenh@cmf.nrl.navy.mil, kerberos@MIT.EDU
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit



Wyllys Ingersoll wrote:
> 
> Is there a fix/workaround or possible way to make forwarding
> tickets through a NAT work?


Yes. I do it from home all the time, using rlogin or SSH with Gssapi/K5 
authentication, then use this forwarded TGT to get AFS tokens etc. 

The trick is to add the NAT address to the list, but not just in kinit.
The address must be used in the service ticket requested by
the application. The patch posted earlier to localaddr.c looks similar
to what I have, and should work, as this is then called internally.

> 
> I have a hacked up 'kinit' client that puts the NAT addr in the
> AS_REQ (along with the hidden, local address)  and I can get a TGT
> from the KDC on the other side.  But I can't seem to use that ticket
> to authenticate to a telnet server on the opposite side - the server
> rejects my authentication saying
> "Read forwarded creds failed: Incorrect net address"

The trick is to add the NAT address to the list, but not just in kinit.
The address must be used in the service ticket requested by
the application. The patch posted earlier to localaddr.c looks similar
to what I have, and should work, as this is then called internally.

> 
> -wyllys
> 
> >To: "Michael Bischof" <mb@byteworks.ch>
> >cc: kerberos@MIT.EDU
> >Subject: Re: Patch for making Kerberos work through Firewalls and NATs
> >Date: Wed, 30 May 2001 09:50:39 -0400
> >From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
> >
> >>> (Doesn't solve all of your problems, though).
> >>
> >>Which problems?
> >
> >Forwarding tickets through a NAT still doesn't work, IIRC.  And ftp is
> >a complete loss.
> >
> >--Ken

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
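The exchange above turns on one detail: the address list the KDC copies into a ticket, and the check a server does on the credentials forwarded to it. The model below is an added example, not code from this thread or from MIT krb5; it abstracts the KDC and the receiving side to the address comparison alone (real krb5 also handles address types and the interaction between TGT and TGS-REQ address lists, which this omits). The addresses are constructed from RFC 5737 documentation ranges, and the realm name is hypothetical. It reproduces the two situations discussed: the NAT address added only in kinit (TGT fine, forwarded credential rejected), and the NAT address also supplied where the application library builds its own request, as the localaddr.c patch does.

```python
"""Toy model of why a forwarded Kerberos ticket fails behind a NAT.

Added example; not code from the mailing-list thread or from MIT krb5.
All addresses below are constructed (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Ticket:
    service: str
    # Address list the KDC copied into the ticket; empty means addressless.
    addresses: FrozenSet[IPv4Address]


def kdc_issue(service: str, requested: Iterable[str]) -> Ticket:
    """Model of the KDC: the ticket carries exactly the addresses the request listed."""
    return Ticket(service, frozenset(ip_address(a) for a in requested))


def server_check(ticket: Ticket, peer_addr: str) -> Optional[str]:
    """Model of the receiving side's address check on forwarded credentials.

    Returns None when the ticket is usable from peer_addr, otherwise an error
    string mirroring the message quoted in the thread.  An addressless ticket
    (empty list) is accepted from anywhere.
    """
    if ticket.addresses and ip_address(peer_addr) not in ticket.addresses:
        return "Read forwarded creds failed: Incorrect net address"
    return None


def forward_through_nat(kinit_addrs: Iterable[str], app_addrs: Iterable[str],
                        nat_public: str) -> Tuple[bool, Optional[str]]:
    """Run the two-step scenario from the thread.

    kinit_addrs: addresses the (hacked) kinit put in the AS_REQ, hence in the TGT
    app_addrs:   addresses the application library (localaddr.c) puts in the
                 TGS_REQ for the credential it forwards to the server
    nat_public:  the source address the server actually sees after the NAT

    Returns (tgt_ok, forwarded_error) so both steps are visible.
    """
    # Step 1: kinit's AS_REQ; hypothetical realm name.
    tgt = kdc_issue("krbtgt/EXAMPLE.ORG@EXAMPLE.ORG", list(kinit_addrs))
    tgt_ok = server_check(tgt, nat_public) is None
    # Step 2: the application requests the credential it will forward; its
    # address list comes from the library, not from what kinit used.
    forwarded = kdc_issue("krbtgt/EXAMPLE.ORG@EXAMPLE.ORG", list(app_addrs))
    return tgt_ok, server_check(forwarded, nat_public)


LOCAL_ADDR = "192.0.2.10"    # constructed: private side of the NAT
NAT_ADDR = "203.0.113.7"     # constructed: address the server sees


def scenario_kinit_only() -> Tuple[bool, Optional[str]]:
    """NAT address only in kinit; the application still uses the bare local list."""
    return forward_through_nat([LOCAL_ADDR, NAT_ADDR], [LOCAL_ADDR], NAT_ADDR)


def scenario_patched_localaddr() -> Tuple[bool, Optional[str]]:
    """NAT address also in the application's request (what the localaddr.c patch achieves)."""
    return forward_through_nat([LOCAL_ADDR, NAT_ADDR], [LOCAL_ADDR, NAT_ADDR], NAT_ADDR)


def scenario_addressless() -> Tuple[bool, Optional[str]]:
    """No addresses at all in either request: nothing for the server to compare."""
    return forward_through_nat([], [], NAT_ADDR)


if __name__ == "__main__":
    for name, fn in [("kinit only", scenario_kinit_only),
                     ("patched localaddr", scenario_patched_localaddr),
                     ("addressless", scenario_addressless)]:
        print(f"{name:18s} -> {fn()}")
```

The first scenario is exactly the failure quoted in the thread: the TGT itself would pass, but the credential the application forwards was requested with an address list the library built on its own, so the server rejects it. The third scenario is why later MIT krb5 releases default to addressless tickets (the `noaddresses` libdefaults setting): with no address list there is nothing for a NAT to break, at the cost of the address binding itself.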
