[14514] in Kerberos
Re: Patch for making Kerberos work through Firewalls and NATs
daemon@ATHENA.MIT.EDU (Wyllys Ingersoll)
Wed May 30 14:41:28 2001
Message-Id: <200105301840.f4UIe5N241790@jurassic.eng.sun.com>
Date: Wed, 30 May 2001 14:43:06 -0400 (EDT)
From: Wyllys Ingersoll <Wyllys.Ingersoll@eng.sun.com>
Reply-To: Wyllys Ingersoll <Wyllys.Ingersoll@eng.sun.com>
To: deengert@anl.gov
Cc: kerberos@MIT.EDU
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: gq+oSStvcBtci/pV1qlYQA==
>
>
>Wyllys Ingersoll wrote:
>>
>> Is there a fix/workaround or possible way to make forwarding
>> tickets through a NAT work?
>
>
>Yes. I do it from home all the time, using rlogin or SSH with Gssapi/K5
>authentication, then use this forwarded TGT to get AFS tokens etc.
>
>The trick is to add the NAT address to the list, but not just in kinit.
>The address must be used in the service ticket requested by
>the application. The patch posted earlier to localaddr.c looks similar
>to what I have, and should work, as this is then called internally.
Ahh, great. Thanks for the tip. I was trying to shortcut and avoid
patching the library, but I'll do it and see how it goes.
thanks,
wyllys
>
>>
>> I have a hacked up 'kinit' client that puts the NAT addr in the
>> AS_REQ (along with the hidden, local address) and I can get a TGT
>> from the KDC on the other side. But I can't seem to use that ticket
>> to authenticate to a telnet server on the opposite side - the server
>> rejects my authentication saying
>> "Read forwarded creds failed: Incorrect net address"
>
>The trick is to add the NAT address to the list, but not just in kinit.
>The address must be used in the service ticket requested by
>the application. The patch posted earlier to localaddr.c looks similar
>to what I have, and should work, as this is then called internally.
>
>>
>> -wyllys
>>
>> >To: "Michael Bischof" <mb@byteworks.ch>
>> >cc: kerberos@MIT.EDU
>> >Subject: Re: Patch for making Kerberos work through Firewalls and NATs
>> >Date: Wed, 30 May 2001 09:50:39 -0400
>> >From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
>> >
>> >>> (Doesn't solve all of your problems, though).
>> >>
>> >>Which problems?
>> >
>> >Forwarding tickets through a NAT still doesn't work, IIRC. And ftp is
>> >a complete loss.
>> >
>> >--Ken
>
>--
>
> Douglas E. Engert <DEEngert@anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
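The address-list behaviour described in the thread, as an added example that is not part of this mail or of MIT Kerberos: a small Python model of the check behind "Incorrect net address" (KRB_AP_ERR_BADADDR, error code 38), showing why patching kinit alone gets a TGT but the application's service ticket still fails. The function names, the simplified two-step check and all addresses are constructed assumptions.

```python
# Added example, not code from the thread or from MIT krb5. Addresses use the
# KRB5 HostAddress shape (addr-type, address bytes), ADDRTYPE_INET = 2 for IPv4.
# All IP addresses here are constructed sample values.
import ipaddress

ADDRTYPE_INET = 2
KRB_AP_ERR_BADADDR = 38  # reported as "Incorrect net address"

def host_address(ip):
    """Build a HostAddress tuple for a dotted-quad IPv4 string."""
    return (ADDRTYPE_INET, ipaddress.IPv4Address(ip).packed)

def local_addresses(local_ips, nat_ip=None):
    """Address list a client puts in a ticket request. Models localaddr.c:
    unpatched, only the interface addresses; patched, the NAT address too."""
    addrs = [host_address(ip) for ip in local_ips]
    if nat_ip is not None:
        addrs.append(host_address(nat_ip))
    return addrs

def check_ticket_address(ticket_addrs, peer_ip):
    """Receiver-side check: the address observed for the peer must appear in
    the ticket's address list. Returns 0 on success, else 38."""
    if not ticket_addrs:  # addressless ticket: no address check is made
        return 0
    return 0 if host_address(peer_ip) in ticket_addrs else KRB_AP_ERR_BADADDR

def forward_creds(kinit_patched, library_patched, local_ip, nat_ip, seen_ip):
    """Simplified walk through the thread's scenario (an assumption, not the
    exact krb5 code path): the TGT carries kinit's address list and is checked
    against the address the KDC sees; the application's service ticket carries
    the library's address list and is checked against the address the server
    sees. Behind a NAT both peers see nat_ip. Returns (kdc_check, server_check)."""
    tgt_addrs = local_addresses([local_ip], nat_ip if kinit_patched else None)
    svc_addrs = local_addresses([local_ip], nat_ip if library_patched else None)
    return (check_ticket_address(tgt_addrs, seen_ip),
            check_ticket_address(svc_addrs, seen_ip))
```

With kinit patched but the library unpatched the model returns (0, 38), the situation reported in the thread; patching the library as well gives (0, 0).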