[14515] in Kerberos


Re: Patch for making Kerberos work through Firewalls and NATs

daemon@ATHENA.MIT.EDU (Nicolas Williams)
Wed May 30 15:19:36 2001

Date: Wed, 30 May 2001 15:06:15 -0400
From: Nicolas Williams <Nicolas.Williams@ubsw.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: kerberos@MIT.EDU
Message-ID: <20010530150613.U11153@sm2p1386swk.wdr.com>
Mail-Followup-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>, kerberos@MIT.EDU
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <200105301828.f4UIS0o04102@ginger.cmf.nrl.navy.mil>; from kenh@cmf.nrl.navy.mil on Wed, May 30, 2001 at 02:27:57PM -0400

On Wed, May 30, 2001 at 02:27:57PM -0400, Ken Hornstein wrote:
> >> >> (Doesn't solve all of your problems, though).
> >> >
> >> >Which problems?
> >> 
> >> Forwarding tickets through a NAT still doesn't work, IIRC.  And ftp is
> >> a complete loss.
> >
> >FTP? Because of the GSS channel bindings? Didn't someone post a patch to
> >MIT krb5 to not require GSS bindings because MS doesn't support channel
> >bindings, or something like that?
> 
> "It depends".  All of the NATs I've seen edit the ftp command channel to
> get the ports right; kinda hard to do that when the command channel is
> encrypted.  I think passive mode fixes that, but not everyone allows
> passive mode ... sigh.

Yes, active mode sucks and all NATs that deal with active FTP modify the
FTP TCP control stream to modify the IP address / TCP port info passed
therein, and then they also have to modify the ack numbers.

Sigh.

> --Ken


Nico
--
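Added illustration, not part of this thread and not code from MIT krb5: a toy FTP ALG in Python showing what a NAT has to do to an active-mode PORT command and to the TCP sequence/ack numbers of every later segment, and why a protected control channel (RFC 2228 style ENC lines) leaves it nothing to edit. The public address/port and the base64 stand-in for the GSSAPI wrap are constructed assumptions.

```python
import re
from base64 import b64encode

# Active-mode PORT line: "PORT h1,h2,h3,h4,p1,p2\r\n" (port = p1*256 + p2)
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def rewrite_port(line: bytes, public_ip: str, public_port: int):
    """Rewrite a PORT line the way a NAT's FTP ALG would.
    Returns (new_line, length_delta); anything it cannot parse passes through."""
    if not PORT_RE.match(line):
        return line, 0
    h = public_ip.split(".")
    new = "PORT %s,%s,%s,%s,%d,%d\r\n" % (
        h[0], h[1], h[2], h[3], public_port >> 8, public_port & 0xFF)
    new = new.encode()
    return new, len(new) - len(line)


class SeqFixup:
    """The rewrite changes the payload length, so the NAT must also shift
    client->server sequence numbers and server->client ack numbers by the
    cumulative delta (this is the "modify the ack numbers" step)."""

    def __init__(self):
        self.delta = 0

    def client_segment(self, seq: int, payload: bytes, public_ip: str, public_port: int):
        new_payload, d = rewrite_port(payload, public_ip, public_port)
        fixed_seq = seq + self.delta      # shifted by all earlier rewrites
        self.delta += d
        return fixed_seq, new_payload

    def server_segment(self, ack: int):
        return ack - self.delta           # hide the shift from the client


def protect(line: bytes) -> bytes:
    """Stand-in for a GSSAPI-protected command (constructed: real wrap
    tokens are not plain base64, but the ALG sees opaque text either way)."""
    return b"ENC " + b64encode(line) + b"\r\n"


if __name__ == "__main__":
    nat = SeqFixup()
    print(nat.client_segment(1000, b"PORT 10,0,0,5,4,1\r\n", "203.0.113.7", 40000))
    print(nat.server_segment(1025))        # server acked 25 bytes, client sent 19
    print(rewrite_port(protect(b"PORT 10,0,0,5,4,1\r\n"), "203.0.113.7", 40000))
```

With the protected line the ALG returns it untouched, so the private address inside reaches the server and the data connection fails unless the client uses passive mode.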
